Install Splunk on an Ubuntu system

Ankita Lunawat

Splunk is a powerful software platform for searching, monitoring, and analyzing machine-generated big data with real-time data capture, indexing, correlation, visualization, and alerting functionalities.

Key Features of Splunk:

  1. Data Collection: Splunk can ingest data from multiple sources like applications, servers, network devices, IoT devices, and more.

  2. Search and Analysis: It enables users to search and analyze machine-generated data from logs, metrics, and other sources using its proprietary Search Processing Language (SPL).

  3. Visualization: Provides dashboards, graphs, and reports for data insights.

  4. Alerting: Users can set up alerts based on predefined thresholds or criteria.

  5. Real-Time Monitoring: Splunk allows you to monitor systems and applications in real time.

  6. Machine Learning: Integrates machine learning for advanced data analysis and predictive insights.

  7. Correlation: Helps correlate different data sources for a comprehensive view of events and logs.

Prerequisites

  • Ubuntu 24.04 LTS with at least 2 GB RAM and 1 CPU.

  • SSH access with sudo privileges

  • Firewall: port 8000 open (Splunk Web)

Download and Install Splunk on Ubuntu

Let's start the hands-on lab to install Splunk on Ubuntu 24.04 LTS. Here we are installing and configuring Splunk Enterprise version 9.2.2. To download the latest version, visit the official Splunk website.

Once the Ubuntu server is ready, open a terminal and download the Splunk Enterprise .deb package with wget:

wget -O splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb"

Install Splunk Enterprise with the dpkg command.

sudo dpkg -i splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb

Enable Splunk to start automatically when the system boots by running the following command (on a fresh install this first run also walks you through the license and admin-account prompts described next).

sudo /opt/splunk/bin/splunk enable boot-start

After entering the above command, you will need to accept the Splunk License Agreement. Scroll through the pages by pressing Enter or the Spacebar, and at the end type y to agree to the license terms. Then set up the Splunk login by entering an administrator username, a new password, and the password confirmation, as shown below.

Please enter an administrator username: admin
Please enter a new password: ***********
Please confirm new password: ***********

Start the Splunk service.

systemctl start splunk

Verify that the Splunk service is running.

systemctl status splunk
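As an added example (not code from the original post), here is a non-interactive, hardened variant of the install steps above: it verifies the package's SHA-512 before dpkg touches it, seeds the admin account through user-seed.conf instead of the interactive prompt, and runs Splunk as the unprivileged splunk user that the package creates rather than as root. It assumes the .deb was already downloaded with the wget command above, that EXPECTED_SHA512 is copied from the SHA512 checksum link next to that package on the Splunk download page (a placeholder here), and that the admin password is supplied in the SPLUNK_ADMIN_PASSWORD environment variable.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: non-interactive, hardened
# version of the install steps. See the assumptions listed above the block.
set -eu

DEB="${DEB:-splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb}"
# Placeholder: copy the real digest from the SHA512 checksum link on the Splunk download page.
EXPECTED_SHA512="${EXPECTED_SHA512:-<sha512-from-splunk-download-page>}"
SPLUNK_HOME=/opt/splunk

# Compare the package's SHA-512 with the published digest before handing it to dpkg.
verify_sha512() {                    # $1 = file, $2 = expected hex digest
  local actual
  actual=$(sha512sum "$1" | awk '{print $1}')
  [ "$actual" = "$2" ]
}

# Write user-seed.conf so the first start creates the admin account with no
# interactive prompt and without the password on a command line. Splunk reads
# and deletes the file on first start; it is created with mode 0600.
write_user_seed() {                  # $1 = SPLUNK_HOME, $2 = username, $3 = password
  local dir="$1/etc/system/local"
  mkdir -p "$dir"
  ( umask 077; printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$2" "$3" \
      > "$dir/user-seed.conf" )
}

install_splunk() {
  verify_sha512 "$DEB" "$EXPECTED_SHA512" || { echo "checksum mismatch: $DEB" >&2; return 1; }
  dpkg -i "$DEB"
  # Password comes from the environment, so it never appears in the process list.
  write_user_seed "$SPLUNK_HOME" admin "${SPLUNK_ADMIN_PASSWORD:?set SPLUNK_ADMIN_PASSWORD}"
  chown -R splunk:splunk "$SPLUNK_HOME"
  # First start as the unprivileged splunk user (created by the package), not root;
  # the flags accept the license and suppress the prompts shown in the post.
  sudo -u splunk "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
  # Same boot-start step as the post, pinned to the splunk user.
  "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk
  # Confirm the daemon is up and Splunk Web is listening on port 8000.
  sudo -u splunk "$SPLUNK_HOME/bin/splunk" status
  ss -ltn | grep -q ':8000 '
}

# Only perform the install when explicitly asked (RUN_INSTALL=1 sudo -E ./install.sh).
if [ "${RUN_INSTALL:-0}" = 1 ]; then install_splunk; fi
```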

Now open a web browser to access the Splunk web interface. As noted in the prerequisites, firewall port 8000 must be open.

http://server_name:8000

You should now see the Splunk login screen; sign in with the admin credentials you created above.

Uninstall Splunk Enterprise on Ubuntu

There are two ways to completely remove Splunk Enterprise from Ubuntu.

1. Uninstall/Remove Splunk Enterprise using package management utilities

If Splunk Enterprise was configured to start at system startup, first remove it from the boot scripts before uninstalling. Change to the Splunk bin directory (cd /opt/splunk/bin, under SPLUNK_HOME) and disable boot-start:

sudo ./splunk disable boot-start

Once boot-start is disabled, stop the Splunk service.

sudo ./splunk stop

Remove the Splunk Enterprise package together with its configuration files (dpkg -P purges the package; dpkg -r alone would leave the configuration files behind).

sudo dpkg -P splunk

2. Uninstall/Remove Splunk Enterprise Manually

This is the alternative way to uninstall Splunk from Ubuntu.

Stop the Splunk service (the full path is used so the command works from any directory).

sudo /opt/splunk/bin/splunk stop

Kill any Splunk processes that are still running. List them first with pgrep -af splunk and make sure only Splunk's own processes (splunkd and its children) are shown, since the pattern matches every command line containing "splunk"; if nothing is listed, skip this step.

sudo kill -9 $(pgrep -f splunk)

Remove the Splunk Enterprise installation directory.

sudo rm -rf /opt/splunk

Delete the splunk system user and group.

sudo userdel splunk
sudo groupdel splunk

That completes installing (and, when needed, removing) Splunk on an Ubuntu system.
