Visit the Splunk download page to download the Splunk .deb package: http://www.splunk.com/download?r=header

Upload the file to your Ubuntu server and place it in a temporary directory, then run dpkg to install the Splunk server. The file name of the .deb package changes as new versions are released, so check the name of the file you actually downloaded.

# dpkg -i splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb
Selecting previously unselected package splunk.
(Reading database ... 51260 files and directories currently installed.)
Preparing to unpack splunk-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb ...
Unpacking splunk (7.1.1) ...
Setting up splunk (7.1.1) ...
Complete.

Now let's create the init.d script so that we can easily start and stop Splunk. Change to the Splunk bin directory and run the splunk executable with the arguments below.

# cd /opt/splunk/bin/
# ./splunk enable boot-start

Press SPACE to page through the license agreement and then Y to accept it. It will then ask for a password for the admin user of the web dashboard. Once it is done, you will see a confirmation like the one below.

Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.

Start Splunk with the service command.

# /etc/init.d/splunk start

You will now be able to access Splunk's web GUI, which listens on port 8000:

http://YOUR-HOST-IP:8000

Open the URL in a browser and log in with the details below (the password is the one you set during enable boot-start):

User Name: admin
Password: YOURPASSWORD

Once you log in, you will see the following screen.

Install the Splunk Forwarder

The Splunk Universal Forwarder is a small, lightweight daemon which forwards data to your main Splunk server from a variety of sources. Download the Splunk Universal Forwarder .deb file from the Splunk website: https://www.splunk.com/download/universalforwarder

Once you accept the license agreement, the file downloads to your local machine. Upload it to your Ubuntu server, place it in a temporary directory, and run dpkg to install the Universal Forwarder. Again, the file name of the .deb package changes as new versions are released, so check the name of the file you downloaded.

# dpkg -i splunkforwarder-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb
Selecting previously unselected package splunkforwarder.
(Reading database ... 65803 files and directories currently installed.)
Preparing to unpack splunkforwarder-7.1.1-8f0ead9ec3db-linux-2.6-amd64.deb ...
Unpacking splunkforwarder (7.1.1) ...
Setting up splunkforwarder (7.1.1) ...
Complete.

Let's create the init.d script to start the log forwarder.

# cd /opt/splunkforwarder/bin/
# ./splunk enable boot-start

Press SPACE to page through the license agreement and then Y to accept it. You can now start the forwarder daemon using the init.d script.

# /etc/init.d/splunk start

For now, we have set up Splunk and the Splunk forwarder. In the next post we will see how to parse the logs in Splunk.

Enable receiving input on the index server

CLI:

# /opt/splunk/bin/splunk enable listen 9997

where 9997 (the default) is the receiving port for Splunk Forwarder connections.

GUI: configure the Splunk index server to receive data in the manager: Settings -> Forwarding and receiving -> configure receiving -> new.

Configure the forwarder connection to the index server

CLI:

# /opt/splunkforwarder/bin/splunk add forward-server hostname_or_IP:9997 -auth admin:PASSWORD

where hostname_or_IP is the fully qualified name or IP address of the index server. Note that the -auth value is recorded in the shell history of the forwarder host like any other command-line argument.

GUI: Settings -> Forwarding and receiving -> configure receiving -> new. Add 9997.

Add data

CLI:

# /opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%

where /path/to/app/logs/ is the path to the application logs on the host that you want to bring into Splunk, and %app% is the name you want to associate with that type of data. This creates the file inputs.conf in /opt/splunkforwarder/etc/apps/search/local/. Here is the documentation on inputs.conf: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

Note: System logs in /var/log/ are covered in the configuration part of Step 7. If you have application logs in /var/log/*/

Once you have added the monitor successfully, you can log in to your dashboard and start searching the log under the index you specified in the last command.
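The two "splunk add" commands above persist their settings as stanzas in inputs.conf (the path given above) and outputs.conf (normally /opt/splunkforwarder/etc/system/local/). As an added example, not from the original post, the shell functions below render those stanzas, reject a malformed host:port before it can be written into outputs.conf, and parse the output of "splunk list forward-server" to confirm the indexer appears as an active forward rather than a configured-but-inactive one; indexer.example.com and the sample command output are constructed values, and the sample mimics the CLI's output format.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the stanzas that
# "splunk add monitor" and "splunk add forward-server" write, validates the
# forward-server argument, and checks "splunk list forward-server" output.
# indexer.example.com and SAMPLE_LIST_OUTPUT below are constructed values.

# Equivalent of: splunk add monitor <path> -index <index> -sourcetype <type>
render_inputs_conf() {
    printf '[monitor://%s]\ndisabled = false\nindex = %s\nsourcetype = %s\n' \
        "$1" "$2" "$3"
}

# Equivalent of: splunk add forward-server <host>:<port>
render_outputs_conf() {
    printf '[tcpout]\ndefaultGroup = indexers\n\n[tcpout:indexers]\nserver = %s\n' "$1"
}

# Accept only host:port with a numeric port in 1..65535; a bad value here
# would otherwise land in outputs.conf and leave the forwarder sending nothing.
valid_forward_server() {
    case $1 in *:*) ;; *) return 1 ;; esac
    host=${1%%:*}; port=${1##*:}
    [ -n "$host" ] || return 1
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Read "splunk list forward-server" output on stdin and print the hosts listed
# under "Active forwards:"; an indexer that only appears under
# "Configured but inactive forwards:" is not receiving data.
active_forwards() {
    awk '/^Active forwards:/ { grab = 1; next }
         /^Configured but inactive forwards:/ { grab = 0 }
         grab && NF && $1 != "None" { print $1 }'
}

# Constructed sample of the command output, in the format the CLI prints.
SAMPLE_LIST_OUTPUT='Active forwards:
    indexer.example.com:9997
Configured but inactive forwards:
    None'

# On a real forwarder host, query the daemon; elsewhere, run on the sample.
if [ -x /opt/splunkforwarder/bin/splunk ]; then
    /opt/splunkforwarder/bin/splunk list forward-server | active_forwards
else
    printf '%s\n' "$SAMPLE_LIST_OUTPUT" | active_forwards
fi
```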