How to Install Splunk on Linux

Splunk Enterprise 8.0 just got out so there’s no better time to install it on your Linux distribution and start analyzing some data. If you don’t know what Splunk does yet, we suggest you take a look at this article. If you do know what Splunk is and you want to quickly jump into action, choose your Linux distribution below to install it quickly:

We assume you’re confident enough with the shell on your chosen distribution in order to complete the install procedure. If you’re a beginner at both Splunk and Linux, get familiar with the Linux shell first and then come back to install your fresh version of Splunk Enterprise. But first, make sure you download the latest version of Splunk!

The latest version of Splunk Enterprise for Linux only runs on 64-bit machines. Make sure your Linux distribution is 64-bit before you start the installation. You can check by running “uname -m” (which prints only the machine architecture) or “uname -a” in your terminal and looking for x86_64 in the result.

uname -a
Linux bitsio 5.0.0-32-generic #34-Ubuntu SMP Fri Oct 8 03:02:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Download The Latest Version of Splunk (8.0)

Before you go on to try and install Splunk on Linux, you need to download the software. You can do this directly via your terminal, or you can download it through your browser. Whichever you may choose, we suggest you keep a copy of the software on your computer as a backup, just in case something goes wrong. You won’t have to download it again.

DOWNLOAD VIA TERMINAL

Downloading the file through the terminal is a lot faster than going through the browser. Use the following commands and choose the correct file extension to download Splunk on your machine super fast. If you’re not sure which file extension should be used for your Linux distribution, please refer to this list. Here are the wget commands (copy and paste):

DEB

wget -O splunk-8.0.0-1357bef0a7f6-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.0&product=splunk&filename=splunk-8.0.0-1357bef0a7f6-linux-2.6-amd64.deb&wget=true'

RPM

wget -O splunk-8.0.0-1357bef0a7f6-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.0&product=splunk&filename=splunk-8.0.0-1357bef0a7f6-linux-2.6-x86_64.rpm&wget=true'

TGZ

wget -O splunk-8.0.0-1357bef0a7f6-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.0&product=splunk&filename=splunk-8.0.0-1357bef0a7f6-Linux-x86_64.tgz&wget=true'

You can find the most recent download links directly on Splunk’s website. We will do our best to update the commands every time Splunk receives a major update.
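Before handing a downloaded package to dpkg or rpm, it is worth confirming two things the text above relies on: that the machine is really x86_64, and that the file you fetched is the one Splunk published. The script below is an added example, not part of the original post or of Splunk's own tooling. It assumes you take the expected SHA-512 digest from the SHA512 link Splunk shows beside each download and pass it as the second argument; the demo uses a constructed stand-in file so it runs without any network access.

```shell
#!/bin/sh
# Added example (not from the original post): pre-install checks for a
# downloaded Splunk package. Assumption: EXPECTED digest is copied from the
# SHA512 link on Splunk's download page (not reproduced here).

# check_arch: succeed only on 64-bit x86, the only architecture Splunk
# Enterprise 8.0 for Linux supports. An argument overrides uname for testing.
check_arch() {
    arch="${1:-$(uname -m)}"
    case "$arch" in
        x86_64|amd64) return 0 ;;
        *) echo "unsupported architecture: $arch (need x86_64)" >&2; return 1 ;;
    esac
}

# sha512_of FILE: print the lowercase hex SHA-512 digest of a file.
sha512_of() {
    sha512sum "$1" | cut -d' ' -f1
}

# verify_download PKG EXPECTED: compare the package's digest with the
# published one. Fails on a missing file, a malformed digest, or a mismatch,
# so a corrupted or tampered download never reaches the package manager.
verify_download() {
    pkg="$1"; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$pkg" ] || { echo "missing file: $pkg" >&2; return 1; }
    case "$expected" in
        ""|*[!0-9a-f]*) echo "expected digest is not hex: '$2'" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "expected digest must be 128 hex chars" >&2; return 1; }
    actual=$(sha512_of "$pkg")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $pkg matches the published SHA-512 digest"
        return 0
    fi
    echo "MISMATCH for $pkg" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# preinstall_check PKG EXPECTED: both checks, for use on a real download.
preinstall_check() {
    check_arch && verify_download "$1" "$2"
}

# demo: constructed stand-in file and digest, so nothing is downloaded.
demo() {
    tmp=$(mktemp -d)
    printf 'stand-in for splunk-8.0.0-1357bef0a7f6-linux-2.6-amd64.deb\n' > "$tmp/pkg.deb"
    good=$(sha512_of "$tmp/pkg.deb")
    preinstall_check "$tmp/pkg.deb" "$good"
    verify_download "$tmp/pkg.deb" "$(printf '%0128d' 0)" || echo "(refused, as intended)"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh preinstall.sh --demo` to see both outcomes, or source it and call `preinstall_check splunk-8.0.0-1357bef0a7f6-linux-2.6-amd64.deb <digest>` on the real file. If the sidecar file Splunk provides is already in the two-column format that `sha512sum -c` accepts, that command does the same comparison in one step; the function above exists so the check can sit in a script that refuses to run `dpkg -i` or `rpm -i` when the digest does not match.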

DOWNLOAD VIA BROWSER

Downloading via browser is a bit slower, but it’s a more “official” way of handling the installation process. Follow this guide to download Splunk via the browser:

1. Go to Splunk’s website;

2. Click on the “Free Splunk” button;

[Screenshot: Splunk website]

3. Enter your personal information;

[Screenshot: Splunk account sign-up form]

4. Accept the Splunk Software License Agreement;

[Screenshot: Splunk Software License Agreement]

5. Choose the product that suits your needs;

[Screenshot: Splunk core products]

6. Select the Linux tab;

7. Choose the correct file extension for your Linux distro (.tgz, .deb, .rpm) and click on the “Download Now” button to download Splunk.

[Screenshot: Splunk download page, Linux tab, .deb package]

Now move the file somewhere safe (the download or tmp folders are both fine) and install Splunk on your Linux distribution with the steps described in the following sections.

Install Splunk on Debian (DEB)

Debian is one of the most popular Linux distributions, so it’s likely you’ll want to install Splunk directly on it. Thankfully, it’s also one of the easiest platforms on which to get things set up correctly. On Debian, you don’t need to create a separate user or account to install Splunk; simply follow these steps and you’re good to go:

1. Download the .deb file;

wget -O splunk-8.0.0-1357bef0a7f6-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.0&product=splunk&filename=splunk-8.0.0-1357bef0a7f6-linux-2.6-amd64.deb&wget=true'

2. Install Splunk;

sudo dpkg -i splunk-8.0.0-1357bef0a7f6-linux-2.6-amd64.deb

3. Start Splunk at boot;

sudo /opt/splunk/bin/splunk enable boot-start

4. Accept license (scroll down to 100% with enter);

Do you agree with this license? [y/n]: y

5. Enter an administrator username;

Please enter an administrator username:

6. Enter and confirm a password;

Password must contain at least:

* 8 total printable ASCII character(s).

Please enter a new password:

Please confirm new password:

7. Start Splunk service.

sudo service splunk start

That’s it, you’ve successfully installed and started Splunk on your Debian machine. Now head on over to the web interface section to start logging your data. 

You can always check whether Splunk is correctly installed on your Debian machine by using the dpkg --status splunk command.

dpkg --status splunk

Package: splunk

Status: install ok installed

Maintainer: Splunk Inc.

Architecture: amd64

Version: 8.0.8

Description: Splunk The platform for machine data.

Install Splunk on Ubuntu (DEB)

Installing Splunk on Ubuntu is exactly the same as any other Linux distribution based on Debian (here’s a list of them). Simply follow the steps highlighted in the Debian section up above to get Splunk running on your Ubuntu machine or follow our in-depth, step-by-step guide on how to install Splunk on this popular Linux distribution.

Install Splunk on Red Hat Enterprise Linux (RPM)

The installation process is a little more involved on Red Hat Enterprise Linux, but still easy and manageable. On this distribution, you create a dedicated user to run Splunk. We do not recommend running Splunk as root: if Splunk is compromised, the attacker would then hold root on the whole system, whereas a dedicated unprivileged user limits the damage to what that user can touch. Follow these steps to install Splunk on RHEL:

1. Download the .rpm file;

wget -O splunk-8.0.0-1357bef0a7f6-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.0&product=splunk&filename=splunk-8.0.0-1357bef0a7f6-linux-2.6-x86_64.rpm&wget=true'

2. Create a new splunk user;

groupadd splunk

useradd -d /opt/splunk -m -g splunk splunk

3. Create the following directory;

mkdir /opt/installers

4. Copy the downloaded .rpm file to the new directory;

cp splunk-8.0.0-1357bef0a7f6-linux-2.6-x86_64.rpm /opt/installers/

5. Change ownership;

chown -R splunk: /opt/splunk/ /opt/installers

6. Switch user;

su - splunk

7. Change directory;

cd /opt/installers

8. Install Splunk;

rpm -i splunk-8.0.0-1357bef0a7f6-linux-2.6-x86_64.rpm

9. Start Splunk quickly (accept license automatically);

/opt/splunk/bin/splunk start --accept-license

10. Enter an administrator username;

Please enter an administrator username:

11. Enter and confirm a password;

Password must contain at least:

* 8 total printable ASCII character(s).

Please enter a new password:

Please confirm new password:

12. Enable at boot.

/opt/splunk/bin/splunk enable boot-start

Congrats, you’ve successfully installed and started Splunk on your RHEL machine. Now head on over to the web interface section to start logging your data.
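The whole point of steps 2 through 6 above is that splunkd ends up running as the unprivileged splunk user with every file under /opt/splunk owned by that user. The script below is an added example, not part of the original post or of Splunk's own tooling, that verifies both after the install. It assumes the paths and names used on this page (SPLUNK_HOME=/opt/splunk, service user splunk); the ownership and process checks are split into small functions so they can be exercised without a running splunkd.

```shell
#!/bin/sh
# Added example (not from the original post): post-install least-privilege
# check for a Splunk install done as a dedicated user, as in the RHEL steps.
# Assumptions: SPLUNK_HOME and SPLUNK_USER default to the values on the page.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# files_owned_by DIR USER: succeed if every path under DIR is owned by USER.
# Prints up to five offending paths so the fix (chown -R USER: DIR) is obvious.
# A root-owned leftover is a common reason splunkd later fails to write.
files_owned_by() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    # stderr is silenced only to skip unreadable subtrees; a missing user is
    # already handled above so it cannot mask as "no strays".
    strays=$(find "$dir" ! -user "$user" 2>/dev/null | head -n 5)
    if [ -n "$strays" ]; then
        echo "paths under $dir not owned by $user (first five):" >&2
        echo "$strays" >&2
        return 1
    fi
    return 0
}

# process_users_ok "USERS" EXPECTED: given the whitespace-separated users that
# splunkd processes run as, succeed only if the list is non-empty and every
# entry is EXPECTED. Kept separate from process discovery so it is testable.
process_users_ok() {
    users="$1"; expected="$2"
    [ -n "$users" ] || { echo "no splunkd process found" >&2; return 1; }
    for u in $users; do
        if [ "$u" != "$expected" ]; then
            echo "splunkd is running as '$u', expected '$expected'" >&2
            return 1
        fi
    done
    return 0
}

# running_splunkd_users: distinct users of live splunkd processes (may be empty).
running_splunkd_users() {
    pids=$(pgrep -x -d, splunkd 2>/dev/null) || return 0
    ps -o user= -p "$pids" | sort -u | tr '\n' ' '
}

# check_least_privilege: the full post-install check on a real host.
check_least_privilege() {
    rc=0
    files_owned_by "$SPLUNK_HOME" "$SPLUNK_USER" || rc=1
    process_users_ok "$(running_splunkd_users)" "$SPLUNK_USER" || rc=1
    [ "$rc" -eq 0 ] && echo "OK: Splunk files and processes belong to $SPLUNK_USER"
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then check_least_privilege; fi
```

Run `sh splunk-privcheck.sh --check` after step 12 (and again after the first reboot, since boot-start is where the user often silently changes). If the process check reports root, the boot script is starting Splunk as root; Splunk's `enable boot-start` accepts `-user splunk` to pin the service user, which is the setting you want to confirm rather than rely on.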

Install Splunk on CentOS (TGZ)

Just like Ubuntu is based on Debian, CentOS is based on RHEL. This means that the installation process is almost the same for both. There are a few differences worth noting though. Follow our in-depth CentOS 7 tutorial made specifically for this well-known open source platform to install the latest version of Splunk Enterprise.

Install Splunk on Other Distributions

Debian-based and RHEL-based distributions will likely cover 90% of the cases when it comes to installing Splunk on Linux. If you want to download and install Splunk on smaller distributions (here’s a full list), we suggest you take a look at the community forums; the installation process might slightly vary depending on which one you choose.

Still stuck with the installation? Are the commands hard to follow, or do they not seem to work as expected? If so, check out this short video explaining how to install Splunk on Linux.

Access The Web Interface

Once you’ve downloaded, installed, and started Splunk on your Linux distribution, you can reach its web interface from any browser on port 8000. Type localhost:8000 in the URL bar (or the IP address of the machine instead of localhost) and you’ll be greeted with the login page, where you enter the username and password you set during installation to reach the dashboard.

[Screenshot: Splunk web interface login page and dashboard]

That’s it, you’ve correctly installed the latest version of Splunk on your Linux machine and now you can finally start logging your data. How, you might ask? Stay tuned for more!

We at bitsIO are working hard to provide you with the best resources on everything related to Splunk, and we cannot wait to share some fantastic use cases with you next week. Until then, don’t forget to share this post with friends and people who are interested in starting out with Splunk!