How to install Splunk Enterprise in Ubuntu 20

How to install Splunk in Ubuntu 20.04

This article will describe how to install Splunk Enterprise in Ubuntu 20.04. For this tutorial I will be installing the free edition of Splunk Enterprise in Ubuntu Desktop 20.04.1.

Splunk is a popular platform used to monitor, search, analyze and visualize machine-generated data in enterprise environments.

Step 1: Download Splunk

  1. Open your preferred browser in Ubuntu and navigate to https://www.splunk.com/.

  2. In the top right corner, hit the Free Splunk button.

  3. You will be prompted to register an account, which you will need to do before Splunk can be downloaded.

    If you already have an account, simply log in.

  4. Under Splunk Core Products select Splunk Free.

    Splunk website screenshot

  5. Under Choose Your Installation Package, select Linux and download the .deb file.

    Splunk website screenshot

  6. Read and accept the license agreement, then click Start Your Download Now.

  7. When the download prompt appears, make sure to select Save File and click OK.

    Download prompt

Step 2: Install Splunk

  1. Once the download is complete, you can simply run the install by double-clicking the downloaded file.

    Downloads folder

  2. Click Install.

    Enter your password when prompted and click Authenticate.

    Splunk install window

  3. The Splunk installation will take several minutes to complete, so put your feet up or make a coffee.

    Splunk install progress

  4. When the install has finished, the progress bar will disappear and you will see a red Remove button. Do not click this. You can simply close this window.

  5. Finally, you can check the package status to verify the installation.

    Open a terminal window and enter the following command:

    dpkg --status splunk

    The status should show as install ok installed.

    Confirm splunk package status

Step 3: Running and configuring Splunk

  1. Splunk will have been installed into the directory /opt/splunk.

    In the terminal window, change into the /opt/splunk/bin directory:

    cd /opt/splunk/bin
  2. You are now ready to run Splunk. Make sure your terminal is in the /opt/splunk/bin directory and enter the following command:

    sudo ./splunk start
  3. Read the license terms carefully, and if you agree hit y followed by Enter to accept them when prompted.

    Note: At your own risk, you can page down quickly in the terms by using Ctrl+D.

    As an alternative, you can auto-accept the license agreement by passing an argument to the start command when running Splunk for the first time:

    sudo ./splunk start --accept-license
  4. Since this is the first time running Splunk, you will be prompted to create a Splunk admin account.

    Simply hit Enter to use the default username admin, or alternatively enter your preferred username.

    Splunk create admin account

  5. Next, you will need to set a password for the admin user. These are the credentials you will use to log in to Splunk Enterprise, so make sure to remember them!

    Splunk set admin password

  6. The Splunk auto-configuration will run and attempt to start the web server on port 8000. If this port is already in use, Splunk will attempt to use another available port. I’ll assume that port 8000 is being used.

    Splunk auto config

  7. Open your preferred browser and navigate to http://localhost:8000

    You should see the Splunk Enterprise login page.

    Enter the username and password created in the above steps and click Sign In.

    Splunk login page

  8. The Splunk web dashboard will display.

    Splunk dashboard

This concludes the basic installation of Splunk Enterprise in Ubuntu Desktop 20.04.

Starting and Stopping Splunk

Splunk can be manually started from the terminal:

sudo /opt/splunk/bin/splunk start

And to stop Splunk:

sudo /opt/splunk/bin/splunk stop

Splunk can also be set to automatically start on boot:

sudo /opt/splunk/bin/splunk enable boot-start

And to turn automatic start on boot off again:

sudo /opt/splunk/bin/splunk disable boot-start
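As an added example (not part of the article), the following POSIX shell script checks the outcome of the steps above: that the splunk package reports install ok installed, that splunkd is running, and that Splunk Web answers on its port. It assumes the tutorial's defaults (/opt/splunk, port 8000) and only consults httpport in etc/system/local/web.conf in case the default was changed; the parsing helpers take the command output as an argument so they can be exercised on constructed text.

```shell
#!/bin/sh
# Post-install check for the tutorial above (added example, not from the article).
# Assumes the tutorial's defaults: install path /opt/splunk, Splunk Web on port 8000.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Return 0 when a `dpkg --status splunk` report carries the expected status line.
pkg_installed_from_status() {
    printf '%s\n' "$1" | grep -q '^Status: install ok installed$'
}

# Return 0 when `splunk status` output reports the splunkd daemon as running.
splunkd_running_from_status() {
    printf '%s\n' "$1" | grep -q 'splunkd is running'
}

# Print the web port from web.conf content ("httpport = N" under [settings]);
# fall back to 8000, the default the tutorial relies on, when none is set.
web_port_from_conf() {
    port=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*httpport[[:space:]]*=[[:space:]]*\([0-9]\{1,5\}\).*/\1/p' | head -n 1)
    printf '%s\n' "${port:-8000}"
}

# Return 0 for a 2xx/3xx HTTP code: Splunk Web redirects / to the localized
# login page, so 303 is the normal healthy answer; curl prints 000 on no connection.
web_code_ok() {
    case "$1" in
        2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the live checks and print PASS/FAIL for each without aborting the script.
verify_splunk_install() {
    pkg_status=$(dpkg --status splunk 2>/dev/null || true)
    if pkg_installed_from_status "$pkg_status"; then echo "PASS: splunk package installed"
    else echo "FAIL: splunk package not reported as installed"; fi
    svc_status=$([ -x "$SPLUNK_HOME/bin/splunk" ] && "$SPLUNK_HOME/bin/splunk" status 2>/dev/null || true)
    if splunkd_running_from_status "$svc_status"; then echo "PASS: splunkd is running"
    else echo "FAIL: splunkd not running (try: sudo $SPLUNK_HOME/bin/splunk start)"; fi
    conf=$(cat "$SPLUNK_HOME/etc/system/local/web.conf" 2>/dev/null || true)
    port=$(web_port_from_conf "$conf")
    code=$(curl -s -o /dev/null --max-time 5 -w '%{http_code}' "http://localhost:$port/" 2>/dev/null || true)
    if web_code_ok "$code"; then echo "PASS: Splunk Web answering on port $port (HTTP $code)"
    else echo "FAIL: no Splunk Web response on port $port (HTTP ${code:-000})"; fi
}

verify_splunk_install
```

Run it with `sh verify_splunk.sh` after Step 3; a FAIL on the last check while splunkd is running usually means Splunk Web fell back to another port, as the article notes, so compare against the port printed during startup.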