How To Install Splunk in Red Hat Enterprise Linux 7

Updated: Oct 3, 2021

Splunk is a product that captures, indexes, and correlates real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards, and visualizations. In short, we can collect the logs from the different data sources in our data center and visualize them on a single dashboard, among many other things. Let's install Splunk.

Install Splunk:

Steps:1 Download Splunk from "Download Splunk Enterprise for Free | Splunk" and copy the RPM to the target system.

# scp ./Downloads/splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64.rpm root@idm2:/root/

Steps:2 Install the Splunk RPM on the system.

# yum install splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64.rpm -y
Loaded plugins: enabled_repos_upload, package_upload, product-id, search-disabled-repos, subscription-manager

Examining splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64.rpm: splunk-8.0.5-a1a6394cc5ae.x86_64
Marking splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package splunk.x86_64 0:8.0.5-a1a6394cc5ae will be installed
--> Finished Dependency Resolution

::::::::::::: CUT SOME OUTPUT :::::::::::::

  Installing : splunk-8.0.5-a1a6394cc5ae.x86_64                                                                       1/1 

Steps:3 Set the environment variables for Splunk and start the Splunk service.

# export SPLUNK_HOME=/opt/splunk/
# export PATH=$PATH:$SPLUNK_HOME/bin

# vi /etc/profile.d/
export SPLUNK_HOME=/opt/splunk/

# chmod +x /etc/profile.d/
# source /etc/profile.d/

# splunk start --accept-license
This appears to be your first time running this version of Splunk.
Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: admin
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password: ********
Please confirm new password: ********
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
writing RSA key

Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
writing RSA key

::::::::::::: CUT SOME OUTPUT :::::::::::::

Waiting for web server at to be available.... Done

If you get stuck, we're here to help.  
Look for answers here:

The Splunk web interface is at

Steps:4 Configure Splunk to start at system boot.

# splunk enable boot-start 
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.

Steps:5 Verify that the Splunk service is running by opening the web URL from my laptop browser, as below.

Log in with admin (the username set during the installation) and the admin password to explore.
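As an added example (not from the original post), the following script wraps steps 1 to 4 above in functions: it refuses to install the RPM unless its SHA-512 digest matches the value published on the Splunk download page, and it writes the environment script as /etc/profile.d/splunk.sh (an assumed file name). The RPM path and the expected digest are supplied by the caller.

```shell
#!/bin/sh
# Added example: installs Splunk as in the post, gated on an RPM checksum.
# Assumptions: caller supplies the RPM path and its published SHA-512;
# /etc/profile.d/splunk.sh is an assumed name for the environment script.
set -eu

# verify_rpm FILE EXPECTED_SHA512
# Returns 1 if the downloaded package does not match the published digest,
# so a tampered or corrupted RPM is never handed to yum.
verify_rpm() {
    rpm_file=$1
    expected=$2
    actual=$(sha512sum "$rpm_file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $rpm_file" >&2
        return 1
    fi
    return 0
}

# write_profile PREFIX
# Writes PREFIX/etc/profile.d/splunk.sh so SPLUNK_HOME and PATH are set for
# every login shell (PREFIX is "" on a real host; the test uses a temp dir).
# Prints the path of the file it wrote.
write_profile() {
    prefix=$1
    target="$prefix/etc/profile.d/splunk.sh"
    mkdir -p "$(dirname "$target")"
    cat > "$target" <<'EOF'
export SPLUNK_HOME=/opt/splunk
export PATH=$PATH:$SPLUNK_HOME/bin
EOF
    echo "$target"
}

# main RPM EXPECTED_SHA512: the procedure from the post, in order.
main() {
    verify_rpm "$1" "$2"
    yum install -y "$1"
    write_profile "" >/dev/null
    . /etc/profile.d/splunk.sh
    splunk start --accept-license
    splunk enable boot-start
}

# Runs the install only when invoked with both arguments, e.g.
#   sudo ./install_splunk.sh splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64.rpm <sha512>
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```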

Basic Settings in Splunk:

Steps:1 Change the time zone from the Splunk web GUI.

Click Administrator > Preferences and change the Time Zone, as below.

Steps:2 Change the indexing disk-space threshold to avoid the warning message.

Click Settings > Server Settings (under SYSTEM) and set the minimum free disk space to 500 MB, which suits my requirements.

Steps:3 Restart the Splunk service after the changes.

# service splunk stop
Stopping splunk (via systemctl):                         [  OK  ]
# service splunk start
Starting splunk (via systemctl):                         [  OK  ]

Configure an HTTP Event Collector in Splunk:

Steps:1 Add data from the Splunk web GUI.

From the home page, click Add Data, as below.

Or click Settings > Add Data, as below.