How to Install Splunk Log Analyzer on Ubuntu 18.04 LTS

Splunk is a powerful log database that can be used for searching, monitoring, and analyzing machine-generated big data through a web interface. It is a very useful tool for analyzing, exploring and searching data. With Splunk you can index, search, collect and visualize massive data streams in real time from applications, web servers, databases, server platforms, cloud networks and many other sources.

Splunk is made up of three main components:

  1. Splunk Forwarder: collects the logs.
  2. Splunk Indexer: parses and indexes the data.
  3. Splunk Search Head: provides the web interface for searching, analyzing and reporting.

In this tutorial, we will learn how to install Splunk on an Ubuntu 18.04 LTS (Bionic Beaver) server.

Requirements

  • A server running Ubuntu 18.04.
  • A non-root user with sudo privileges.

Install Splunk

Splunk supports a wide range of operating systems, including Windows, Linux, FreeBSD, OSX, Solaris, AIX and many more. You can download the latest version of Splunk from the official website or use the following command:

wget https://download.splunk.com/products/splunk/releases/7.1.1/linux/splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb

Once the download is completed, install the downloaded file using the following command:

sudo dpkg -i splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb

Once the installation has completed successfully, you should see the following output:

(Reading database ... 218552 files and directories currently installed.)
Preparing to unpack splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb ...
Unpacking splunk (7.1.1) over (7.1.1) ...
Setting up splunk (7.1.1) ...
complete

Next, you will need to enable the Splunk service to start at boot time. You can do this by running the following command:

sudo /opt/splunk/bin/splunk enable boot-start

Here, you will need to agree to the License Agreement and provide an admin password, as shown below:

Splunk Software License Agreement 04.24.2018

Do you agree with this license? [y/n]: y

This appears to be your first time running this version of Splunk.

An Admin password must be set before installation proceeds.
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password: 
Please confirm new password: 
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
..................+++
..............................................................................+++
e is 65537 (0x10001)
writing RSA key

Generating RSA private key, 2048 bit long modulus
.............+++
...................................+++
e is 65537 (0x10001)
writing RSA key

Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
 Adding system startup for /etc/init.d/splunk ...
   /etc/rc0.d/K20splunk -> ../init.d/splunk
   /etc/rc1.d/K20splunk -> ../init.d/splunk
   /etc/rc6.d/K20splunk -> ../init.d/splunk
   /etc/rc2.d/S20splunk -> ../init.d/splunk
   /etc/rc3.d/S20splunk -> ../init.d/splunk
   /etc/rc4.d/S20splunk -> ../init.d/splunk
   /etc/rc5.d/S20splunk -> ../init.d/splunk
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.

Next, start the Splunk service using the following command:

sudo service splunk start

You should see the following output:

Starting splunk server daemon (splunkd)...  
Generating a 2048 bit RSA private key
............+++
............................................................................................................................................+++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=Node3/O=SplunkUser
Getting CA Private Key
unable to write 'random state'
writing RSA key
Done


Waiting for web server at http://127.0.0.1:8000 to be available........ Done


If you get stuck, we're here to help.  
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://Node3:8000
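To run the same steps unattended, here is an added example that is not from the original article or from Splunk: it checks the download against a checksum, seeds the admin password through user-seed.conf instead of the interactive prompt, and registers the init script so splunkd runs as a non-root user. The checksum value and the password are assumed to be supplied by the caller; the --accept-license, --answer-yes and --no-prompt flags and the user-seed.conf file are standard Splunk 7.1+ features.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: the install steps above run
# unattended and with splunkd running as the unprivileged 'splunk' user. The
# .deb path, its SHA512 (obtained out of band from the vendor) and the admin
# password are placeholders supplied by the caller. user-seed.conf is the file
# Splunk 7.1+ reads on first start to create the admin account without prompting.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# The policy shown in the prompt above: at least 8 printable ASCII characters.
check_password_policy() {
  local pw="$1"
  # LC_ALL=C makes [:print:] mean printable ASCII only, so bytes >= 0x80 fail.
  if printf '%s' "$pw" | LC_ALL=C grep -q '[^[:print:]]'; then return 1; fi
  [ "${#pw}" -ge 8 ]
}

# Compare the download against a known-good SHA512 before dpkg unpacks it as root.
verify_deb() {
  local actual
  actual="$(sha512sum "$1" | cut -d' ' -f1)"
  [ "$actual" = "$2" ]
}

# Write the seed file with owner-only permissions; it holds a cleartext
# password until Splunk consumes it on first start.
write_user_seed() {
  local f="$1/etc/system/local/user-seed.conf"
  check_password_policy "$2" || { echo "password violates Splunk policy" >&2; return 1; }
  mkdir -p "$(dirname "$f")"
  ( umask 077; printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$2" > "$f" )
}

# Usage (as root): install_splunk <deb> <sha512> <admin-password>
install_splunk() {
  verify_deb "$1" "$2"
  dpkg -i "$1"
  id splunk >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin splunk
  write_user_seed "$SPLUNK_HOME" "$3"
  chown -R splunk:splunk "$SPLUNK_HOME"
  # enable boot-start runs the first-time setup shown above; accept the license
  # non-interactively and register the init script to run splunkd as 'splunk'.
  "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk \
      --accept-license --answer-yes --no-prompt
  service splunk start
}

# install_splunk splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb "$SPLUNK_SHA512" "$ADMIN_PW"
```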

Access Splunk Web Interface

The Splunk server is now running and listening on port 8000. Open your web browser and enter the URL http://your-server-ip:8000; you will be redirected to the following page:

Splunk Login

Here, provide your admin login credentials and click the Sign In button. You should see the Splunk dashboard, as in the following screen:

Splunk Dashboard

Comments

By: Chris at: 2018-06-28 20:12:56

Great article!  Now we just need a 2nd part; on how to set up a universal forwarder and how to forward data to Splunk Enterprise.

Hope that's coming :)

Thanks!

By: Mark at: 2018-08-02 19:21:50

Yes!  How do we forward logs to Splunk now that it is installed?

By: Jason S. Sylar at: 2018-08-02 20:14:32

Great tutorial.  Followed it, all is well.  How do I send logs from one machine to splunk?