Friday, March 27, 2020

Splunk - Install Splunk on Linux

These steps follow a Splunk setup tutorial available on LinkedIn.

1. Install VirtualBox.

2. Copy the config file to any directory and run the command on your Windows machine.

a. Copy the Vagrantfile from the exercise files to the working directory:
C:\KB\Splunk\2. Getting Started\2.1\Exercise Files\Vagrantfile
E:\Virtual Machines\splunk
This file is simply a Ruby script containing Vagrant-specific configuration options for the VMs.
It defines all the VMs and how they interact.
b. Open PowerShell, go to that directory and run the vagrant up command:
> cd E:\Virtual Machines\splunk
> vagrant up

It will start the installation process, which takes a while to finish.

3. Install Vagrant (Vagrant is a simple way to manage virtual machines).

4. Now open PowerShell, cd to E:\Virtual Machines\splunk (where you copied the Vagrantfile) and run the vagrant up command.

> vagrant up

It will install all the required VMs in your VirtualBox.

Note: If you get an error about the hypervisor on your Windows machine, go to the Start menu and type "turn win";
you will see "Turn Windows features on or off". Click on that, scroll down to Hyper-V and, if it is checked, uncheck it.

Sometimes you may also have to go into the BIOS and disable it there.

5. What is Splunk?
It is an enterprise tool to manage data.
It is a single place to collect data.
It is used for system logs and machine data.
It collects all your data in one place and helps you search it, generate reports and visualize your data.
You can also use Splunk to trigger alerts based on your data.
It comes in a free version and an Enterprise version.

6. By now the Vagrant boxes are booting. You should be able to log in and install Splunk.
a. Now download Splunk.
Go to the Splunk site and open the download page.
When you click on the download link, you will see Useful Tools on the right side of the Splunk page. Click on "Download via command line (wget)", then click on the link and copy it.

Download the file for your OS type. I am downloading the Linux one.
wget -O splunk- ''

Note: download the free version (Splunk Free), not the free trial of the Enterprise edition.
You have to create an account to download.

b. Go to the PowerShell window. cd to the Vagrantfile location and issue the command vagrant ssh splunk to log in to the Splunk VM.

PS E:\Virtual Machines\splunk> vagrant ssh splunk
vagrant@ Permission denied (publickey).

Got an error: Permission denied (publickey)

PS C:\WINDOWS\system32> vagrant ssh splunk
A Vagrant environment or target machine is required to run this
command. Run `vagrant init` to create a new Vagrant environment. Or,
get an ID of a target machine from `vagrant global-status` to run
this command on. A final option is to change to a directory with a
Vagrantfile and to try again.
PS C:\WINDOWS\system32> vagrant.exe global-status
id       name   provider   state   directory
820d9e5  splunk virtualbox running E:/Virtual Machines/splunk

c. Find out what is really going on with the debug option.
PS E:\Virtual Machines\splunk> vagrant ssh splunk --debug

DEBUG safe_exec: Command: `"C:\\WINDOWS\\System32\\OpenSSH\\/ssh.EXE"` Args: `["vagrant@", "-p", "2222", "-o", "LogLevel=FATAL", "-o", "Compression=yes", "-o", "DSAAuthentication=yes", "-o", "IdentitiesOnly=yes", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-i", "E:/VirtualMachines/splunk/.vagrant/machines/splunk/virtualbox/private_key"]
vagrant@ Permission denied (publickey).

d. I renamed this file: E:/Virtual Machines/splunk/.vagrant/machines/splunk/virtualbox/private_key to 111private_key_222

e. Now log in to the Splunk VM

PS E:\Virtual Machines\splunk> vagrant ssh splunk
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-176-generic x86_64)

 * Documentation:
 * Management:
 * Support:

 * Latest Kubernetes 1.18 beta is now available for your laptop, NUC, cloud
   instance or Raspberry Pi, with automatic updates to the final GA release.

     sudo snap install microk8s --channel=1.18/beta --classic

 * Multipass 1.1 adds proxy support for developers behind enterprise
   firewalls. Rapid prototyping for cloud operations just got easier.

0 packages can be updated.
0 updates are security updates.

New release '18.04.4 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Become the root user:
vagrant@splunk:~$ sudo su -

7. Install Splunk
Note: Do not install Splunk as the root user at a workplace. This is my lab, so I am fine.
Now, at the prompt, paste the copied link.
# wget -O splunk- ''

splunk- 100%[=================================================>] 374.11M  5.86MB/s

It will download the file into the current directory.

a. Install the package
root@splunk:~# dpkg -i splunk-

Press q and then y to accept the license and continue.

It may prompt you for a password; this is the password for your Splunk admin user.
At the end of the installation it will give you the address and port.

If it didn't prompt you for a password, you have to go through the splunk start/stop command.

Go to the bin directory and run the splunk start command (use the --accept-license flag).
root@splunk:~# cd /opt/splunk/bin
root@splunk:/opt/splunk/bin# ./splunk start --accept-license

Type q and then y to accept the license.

It will prompt you to enter an admin username:

Please enter an administrator username: myadmin
Please confirm new password:

To start Splunk at boot, run the commands:
root@splunk:/opt/splunk/bin# ./splunk enable boot-start -user myadmin
root@splunk:/opt/splunk/bin# systemctl enable splunk
root@splunk:/opt/splunk/bin# systemctl start splunk
root@splunk:/opt/splunk/bin# ./splunk start

Now go to the web address in the browser and use the IP and port to log in.

8. Shut down the Vagrant-managed VMs

PS E:\Virtual Machines\splunk> vagrant halt


If you don't want to go through all this hassle, use CentOS.

Download the splunk package
# wget -O splunk- ''

# rpm -ivh splunk-
# cd /opt/splunk/bin
# ./splunk start --accept-license
# ./splunk start

You will get IP:PORT; paste it into the browser and use the user/password to log in.
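The Linux side of step 7 and the CentOS shortcut above are the same four actions (install the package, accept the license, enable boot-start under a named account, start) with only the package tool differing. The script below is an added example, not code from the post or from Splunk: it wraps both paths in one helper that picks dpkg or rpm from the file extension, refuses to enable boot-start as root (matching the note in step 7), and can print the exact commands with DRY_RUN=1 before anything is changed. SPLUNK_HOME defaulting to /opt/splunk, the DRY_RUN variable and the service-account argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: one helper covering the Ubuntu
# (.deb via dpkg) and CentOS (.rpm via rpm) install paths described above.
# Assumed here, not in the post: SPLUNK_HOME defaults to /opt/splunk, the
# second argument is the OS account handed to "enable boot-start -user",
# and DRY_RUN=1 only prints the commands instead of running them.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Pick the package tool from the file extension.
pkg_tool() {
    case "$1" in
        *.deb) echo "dpkg -i" ;;
        *.rpm) echo "rpm -ivh" ;;
        *)     return 1 ;;
    esac
}

# Full install command line for a package file (used for review/testing).
pkg_install_cmd() {
    tool="$(pkg_tool "$1")" || return 1
    echo "$tool $1"
}

# Run a command, or just print it when DRY_RUN=1, so the steps can be
# reviewed before they touch the host.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Install the package, accept the license non-interactively, enable
# boot-start under a non-root account and start the service.
install_splunk() {
    pkg="$1"
    svc_user="${2:-splunk}"

    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }
    tool="$(pkg_tool "$pkg")" || { echo "unsupported package type: $pkg" >&2; return 1; }

    # Mirrors the post's note: the service should not be set up to run as root.
    if [ "$svc_user" = root ]; then
        echo "refusing to enable boot-start as root; pass a dedicated account" >&2
        return 1
    fi

    # $tool is deliberately unquoted: "dpkg -i" / "rpm -ivh" are two words.
    run $tool "$pkg"
    run "$SPLUNK_HOME/bin/splunk" start --accept-license
    run "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$svc_user"
    run "$SPLUNK_HOME/bin/splunk" start
    echo "done: log in with the address:port that 'splunk start' printed"
}

# Usage (a real run needs root for dpkg/rpm):
#   DRY_RUN=1 sh install_splunk.sh ./splunk-<version>.deb splunk
if [ $# -gt 0 ]; then
    install_splunk "$@"
fi
```

Run it once with DRY_RUN=1 to see the exact commands for your package, then again without it as root; the account you pass as the second argument is the one Splunk will run as after boot, so use a dedicated user rather than root.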

Enjoy !!!
