How To Install Splunk in Red Hat Enterprise Linux 7
Updated: Oct 3, 2021
Splunk is a product that captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. In practice this means we can collect the logs from every data source in the data center and view them on a single dashboard, among many other things. Let's install Splunk.
Steps:1 Download Splunk Enterprise from the "Download Splunk Enterprise for Free | Splunk" page and copy the RPM to the target system. Before installing, compare the file's checksum with the one published on the download page; a package that will be installed and started as root deserves that check.
# scp ./Downloads/splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64.rpm root@idm2:/root/
Steps:2 Install the Splunk RPM on the system.
# yum install splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64.rpm -y
Loaded plugins: enabled_repos_upload, package_upload, product-id, search-disabled-repos, subscription-manager
Examining splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64.rpm: splunk-8.0.5-a1a6394cc5ae.x86_64
Marking splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package splunk.x86_64 0:8.0.5-a1a6394cc5ae will be installed
--> Finished Dependency Resolution
::::::::::::: CUT SOME OUTPUT :::::::::::::
  Installing : splunk-8.0.5-a1a6394cc5ae.x86_64          1/1
complete
Steps:3 Set the Splunk environment variables and start Splunk for the first time. The first start creates the administrator account interactively; the password must be at least 8 printable ASCII characters. Note that everything below runs Splunk as root, which is the quickest lab setup; on any host that matters, run Splunk under a dedicated unprivileged account so that a compromise of Splunk Web does not hand over the whole machine.
# export SPLUNK_HOME=/opt/splunk/
# export PATH=$PATH:$SPLUNK_HOME/bin
# vi /etc/profile.d/splunk.sh

(contents of /etc/profile.d/splunk.sh)
#!/bin/bash
export SPLUNK_HOME=/opt/splunk/
export PATH=$PATH:$SPLUNK_HOME/bin

# chmod +x /etc/profile.d/splunk.sh
# source /etc/profile.d/splunk.sh
# echo $SPLUNK_HOME
/opt/splunk/
# splunk start --accept-license
This appears to be your first time running this version of Splunk.
Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.
Please enter an administrator username: admin
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password: ********
Please confirm new password: ********
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
............................................................................................+++++
...+++++
e is 65537 (0x10001)
writing RSA key
Generating RSA private key, 2048 bit long modulus
..............+++++
......+++++
e is 65537 (0x10001)
writing RSA key
::::::::::::: CUT SOME OUTPUT :::::::::::::
Waiting for web server at http://127.0.0.1:8000 to be available.... Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://idm2.lab.munshibari.biz:8000
Steps:4 Install the boot-start script so the Splunk service starts at system boot. Run without arguments, as here, the init script starts Splunk as root; adding -user splunk (splunk enable boot-start -user splunk) makes it start under that account instead.
# splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
Steps:5 Verify that Splunk Web is up by opening http://idm2.lab.munshibari.biz:8000 in a browser on the laptop, as below. Note that Splunk Web listens on plain HTTP by default, so the admin credentials cross the network in the clear; setting enableSplunkWebSSL = true under [settings] in web.conf switches port 8000 to HTTPS.
Log in with the admin user and the password set during installation to explore.
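The five steps above, collected into one non-interactive script with the checks a practitioner would want. This is an added example, not code from the original post or from Splunk. It assumes three things the post does not: a SHA-512 value copied by hand from Splunk's download page (EXPECTED_SHA512), a dedicated unprivileged account named splunk that owns $SPLUNK_HOME, and the admin password passed in the SPLUNK_ADMIN_PASSWORD environment variable rather than typed at the prompt. The admin account is seeded from user-seed.conf and Splunk Web is switched to HTTPS before the first start, and the boot script is installed with -user splunk so the service never runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): the install steps as a checked,
# non-interactive script. Assumptions beyond the post, all labelled:
#   - the expected SHA-512 is copied by hand from Splunk's download page
#   - an unprivileged account named "splunk" owns $SPLUNK_HOME
#   - the admin password arrives in SPLUNK_ADMIN_PASSWORD, not on the command line
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"   # no trailing slash, so $SPLUNK_HOME/bin expands cleanly

# Returns 0 if the RPM's SHA-512 matches the published value, 1 otherwise.
verify_rpm() {
  actual=$(sha512sum "$1" | awk '{print $1}')
  [ "$actual" = "$2" ]
}

# Same profile.d snippet as the post, written to any path so it can be tested
# without touching /etc. profile.d files are sourced, so 0644 is enough (no +x).
write_profile() {
  cat > "$1" <<EOF
#!/bin/bash
export SPLUNK_HOME=$SPLUNK_HOME
export PATH=\$PATH:\$SPLUNK_HOME/bin
EOF
  chmod 0644 "$1"
}

# Seed the admin account via user-seed.conf (read by Splunk on first start) and
# turn on HTTPS for Splunk Web, so the first start needs no interactive prompt.
# $1 is the Splunk home to write under (a temp dir in the tests).
write_first_start_conf() {
  confdir="$1/etc/system/local"
  mkdir -p "$confdir"
  cat > "$confdir/user-seed.conf" <<EOF
[user_info]
USERNAME = admin
PASSWORD = $SPLUNK_ADMIN_PASSWORD
EOF
  chmod 0600 "$confdir/user-seed.conf"   # holds a cleartext password until consumed
  cat > "$confdir/web.conf" <<EOF
[settings]
enableSplunkWebSSL = true
EOF
}

# The whole procedure; must run as root on the target host. Only invoked as:
#   SPLUNK_ADMIN_PASSWORD=... sh splunk_install.sh install <rpm> <sha512>
install_splunk() {
  rpm_file="$1"; expected="$2"
  verify_rpm "$rpm_file" "$expected" || { echo "checksum mismatch for $rpm_file, aborting" >&2; return 1; }
  : "${SPLUNK_ADMIN_PASSWORD:?set SPLUNK_ADMIN_PASSWORD (8+ printable ASCII chars)}"
  yum install -y "$rpm_file"
  write_profile /etc/profile.d/splunk.sh
  # Assumed service account; created only if the package did not already provide one.
  id splunk >/dev/null 2>&1 || useradd -r -d "$SPLUNK_HOME" -s /sbin/nologin splunk
  write_first_start_conf "$SPLUNK_HOME"
  chown -R splunk:splunk "$SPLUNK_HOME"
  # First start as the unprivileged user; the non-interactive flags rely on user-seed.conf.
  su -s /bin/sh -c "$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes --no-prompt" splunk
  # Boot script that starts Splunk as "splunk", not root (the post's enable boot-start omits -user).
  "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk
}

case "${1:-}" in
  install) install_splunk "$2" "$3" ;;
esac
```

Run it as root with the RPM and the checksum from the download page: SPLUNK_ADMIN_PASSWORD='...' sh splunk_install.sh install splunk-8.0.5-a1a6394cc5ae-linux-2.6-x86_64.rpm <sha512>. The checksum check happens before yum, so a tampered package is never unpacked, and the password never appears in the shell history or the process list.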
Basic Settings in Splunk:
Steps:1 Change the time zone from the Splunk Web GUI.
Click Administrator > Preferences and change the Time Zone, as below.
Steps:2 Lower the free-disk-space threshold for indexing to get rid of the low-disk warning on this lab host.
Click Settings > Server settings (under SYSTEM) > General settings and set "Pause indexing if free disk space (in MB) falls below" to 500 MB, which suits this lab box. Keep the default on a production indexer: the threshold is what stops Splunk from filling the disk.
Steps:3 To restart the Splunk service after the changes.
# service splunk stop
Stopping splunk (via systemctl):  [  OK  ]
# service splunk start
Starting splunk (via systemctl):  [  OK  ]
Configure an HTTP Event Collector in Splunk:
Steps:1 Add data from the Splunk Web GUI.
From the home page, click Add Data, as below.
Or click Settings > Add Data, as below.