Get hands-on by downloading and installing Splunk on an Ubuntu virtual machine.
- [Instructor] Once your Vagrant box has finished booting, you're ready to install Splunk. First you'll need to download it. These instructions may vary a bit as Splunk changes their website, but hopefully it should be pretty similar. First go to splunk.com and click on Products. And then go over here to Pricing. I think this is the easiest way to make sure you're downloading Splunk Free and not a free trial of the enterprise software. Scroll down until you see Splunk Free and click here where it says Free Download.
Now if you don't already have a Splunk account, you'll need to sign up for one here. I already have an account, so I'll just log in. Now you can choose your operating system. As I said, I'll be using Linux for this course because it's equally inconvenient for our Windows and Mac users. If you'd like, you can try a different operating system, but it won't match exactly with the exercises. So I'll click on Linux. We're running Ubuntu, which means we need a .deb file. So I'll click Download Now.
And when the download comes up I'm actually gonna click Cancel and go up here to where it says Download via Command Line. So I'll just copy this text, and then I need to head over to my Vagrant box. So I'll open up a PowerShell window. And I'm in the directory where I downloaded the Vagrantfile. So I'll type vagrant ssh splunk. And I need to become the root user. So to do that I'll type sudo su -.
And then I can paste that command and hit Enter. So it'll take a second to download the file. Now to install the file I'll type dpkg -i and I'll type the word splunk and then just hit Tab, and that will autocomplete the rest of the file name, and then hit Enter. This will install Splunk into /opt/splunk by default. But there are a couple more setup steps we need to do. So first let's check out our installation: cd /opt, hit Tab, /splunk, hit Tab again, and if I list the files in that directory, here are all the things that have been installed.
So let's go into the bin directory and I can run ./splunk and the word start. Now this'll take you through the license agreement. I've already reviewed this so I'll just hit the letter q and y and then hit enter. Now it's prompting me for a password and this is the password for the Splunk server itself, not your splunk.com password. So I'm gonna pick an easy one to remember, password. Now you can see here it says waiting for web server, and it says it's running on port 8000.
It does this so that it doesn't interfere with existing processes, like you might be running another web server on port 80. So let's check out this Splunk server. We'll go to our web browser and let me open a new tab. So this is running at 192.168.33.10. That's the IP address that I've hard-coded into the Vagrantfile. And then we'll wanna use a colon and 8000 for the port number.
And here we are, we're ready to log in. So the login that we just created was the admin password. So I'll type admin and password. And here we go, our Splunk server is up and running. I'll skip this intro screen. Before we move on there are a couple more things we need to do. We need to set Splunk to start at boot. Let me clear the screen, and the first thing we need to do is run ./splunk enable boot-start.
And that needs to be run from within the /opt/splunk/bin directory. And I'll hit Enter. Now because Ubuntu uses systemd and this only creates an init.d startup file, we'll actually need to run a couple more commands. We'll need to use systemctl enable splunk. And then just for good measure I also like to run systemctl start splunk. And there we go. We should be ready to start using Splunk.
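The same install the instructor walks through above, as an added example that is not part of the course: it runs non-interactively, seeds a random admin password through Splunk's user-seed.conf instead of typing "password" at the prompt, and registers a native systemd unit rather than the init.d script plus extra systemctl calls. It assumes root on Ubuntu, Splunk 7.2.2 or later (needed for -systemd-managed), SPLUNK_HOME=/opt/splunk, and that the 'splunk' service account exists (the .deb creates it).

```bash
#!/usr/bin/env bash
# Added example, not code from the course. Assumptions: run as root on Ubuntu,
# Splunk 7.2.2+ (for -systemd-managed), SPLUNK_HOME=/opt/splunk, and a 'splunk'
# service account created by the .deb package.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# 24-character random password from the kernel CSPRNG, printed so it can be captured once.
gen_admin_password() {
    head -c 18 /dev/urandom | base64 | tr -d '\n'
}

# Write user-seed.conf into $1 (normally $SPLUNK_HOME/etc/system/local) with admin password $2.
# Splunk reads and removes this file on first start, so the first boot never prompts.
write_user_seed() {
    dir="$1"; pw="$2"
    mkdir -p "$dir"
    printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$pw" > "$dir/user-seed.conf"
    chmod 600 "$dir/user-seed.conf"    # cleartext password lives here until first start
}

# Full install from a downloaded package: $1 = path to splunk-*.deb
install_splunk() {
    deb="$1"
    dpkg -i "$deb"
    pw="$(gen_admin_password)"
    write_user_seed "$SPLUNK_HOME/etc/system/local" "$pw"
    # First start: accepts the licence without the q/y prompts and consumes the seed file.
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    "$SPLUNK_HOME/bin/splunk" stop
    # Hand ownership to the unprivileged account so splunkd no longer runs as root.
    chown -R splunk:splunk "$SPLUNK_HOME"
    # Register a native systemd unit (named Splunkd) instead of the init.d script
    # that the plain 'enable boot-start' writes and that needed extra systemctl steps.
    "$SPLUNK_HOME/bin/splunk" enable boot-start -systemd-managed 1 -user splunk
    systemctl enable Splunkd
    systemctl start Splunkd
    echo "Splunk Web is on port 8000; admin password: $pw"
}

if [ "$#" -gt 0 ]; then
    install_splunk "$1"
fi
```

Run it as `./install_splunk.sh splunk-<version>-linux-2.6-amd64.deb` on the Vagrant box after the command-line download; the only interactive step left is noting the printed password.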