How to Install Splunk on Ubuntu 24.04 LTS

In this article, we cover how to install Splunk on Ubuntu 24.04 LTS, whether on bare metal or on a cloud instance such as Amazon EC2, Azure VM or Google Compute Engine.

What is Splunk?

Splunk is a powerful platform used for searching, monitoring, and analyzing machine-generated data through a web-style interface. It can ingest and index large volumes of data from various sources, making it highly useful for IT operations, security, business analytics, and other data-driven domains.

Splunk Components:

  • Splunk Forwarder
  • Splunk Indexer
  • Splunk Search Head

Prerequisites

  • Ubuntu 24.04 LTS with at least 2 GB RAM and 1 CPU (enough for a lab; production sizing is larger).
  • SSH access with sudo privileges.
  • Firewall: TCP port 8000 (Splunk Web) reachable from your browser. splunkd also opens the management port 8089; keep that one restricted to administrative hosts.

Download and Install Splunk on Ubuntu

Let's start the hands-on lab to install Splunk on Ubuntu 24.04 LTS.

Here we install Splunk Enterprise 9.3.0, the package version used in the commands below. To download the latest version, first create an account and download Splunk Enterprise from the official Splunk website.

Choose the installer package: select Linux and the .deb package. Rather than downloading it to your local machine and copying it over, use the wget command the download page shows for the package and run it on the server:

wget -O splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb"

Output:

ubuntu@ip-172-31-10-136:~$ wget -O splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb"
--2024-07-26 06:46:31--  https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb
Resolving download.splunk.com (download.splunk.com)... 54.182.0.70, 54.182.0.104, 54.182.0.119, ...
Connecting to download.splunk.com (download.splunk.com)|54.182.0.70|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 755608332 (721M) [binary/octet-stream]
Saving to: ‘splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb’

splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb   100%[====================================================================================================>] 720.60M  60.9MB/s    in 9.5s

2024-07-26 06:46:42 (75.9 MB/s) - ‘splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb’ saved [755608332/755608332]
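The wget step pulls a 720 MB binary that will run as root, so it is worth checking the package against the SHA-512 digest Splunk publishes before handing it to dpkg. The script below is an added example, not code from the article or from Splunk: it assumes the digest file sits next to the package at the package URL plus ".sha512" and contains the 128-hex-character digest somewhere in its text, and its self-test runs on a constructed file so it needs no network.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): verify a downloaded Splunk .deb
# against its published SHA-512 digest before passing it to dpkg.
# Assumption: the digest file is at "<package URL>.sha512" and contains the
# 128-hex-character digest (either "sha512sum" or "SHA512(file)= ..." layout).

# extract_digest <digest-file>: print the first 128-hex-char token, lower-cased.
extract_digest() {
    grep -oiE '[0-9a-f]{128}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# verify_deb <file.deb> <digest-file>: 0 on match, 1 on mismatch, 2 on missing input.
verify_deb() {
    local deb="$1" sums="$2" expected actual
    [ -f "$deb" ] && [ -f "$sums" ] || { echo "verify_deb: missing input" >&2; return 2; }
    expected=$(extract_digest "$sums") || true
    [ -n "$expected" ] || { echo "verify_deb: no digest found in $sums" >&2; return 2; }
    actual=$(sha512sum "$deb" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo "OK: $deb"
        return 0
    fi
    echo "MISMATCH: $deb (expected $expected, got $actual)" >&2
    return 1
}

# fetch_and_verify <package URL>: download package and digest; delete the
# package again if the digest does not match so a later dpkg -i cannot use it.
fetch_and_verify() {
    local url="$1" deb
    deb=$(basename "$url")
    wget -q -O "$deb" "$url" && wget -q -O "$deb.sha512" "$url.sha512" || return 2
    verify_deb "$deb" "$deb.sha512" || { rm -f "$deb"; return 1; }
}

# selftest: constructed sample file, no network. A correct digest must pass and
# a file modified after the digest was written must fail.
selftest() {
    local dir
    dir=$(mktemp -d) || return 2
    printf 'constructed sample package\n' > "$dir/sample.deb"
    sha512sum "$dir/sample.deb" > "$dir/sample.deb.sha512"
    verify_deb "$dir/sample.deb" "$dir/sample.deb.sha512" >/dev/null || { rm -rf "$dir"; return 1; }
    printf 'tampered\n' >> "$dir/sample.deb"
    if verify_deb "$dir/sample.deb" "$dir/sample.deb.sha512" 2>/dev/null; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
    return 0
}

selftest && echo "self-test passed"
# Real use on the server, then install only if verification succeeded:
# fetch_and_verify "https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb" \
#   && sudo dpkg -i splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb
```

The digest is extracted by pattern rather than with sha512sum -c so that the check does not depend on the exact line format of the digest file; the file name itself is not trusted, only the hex value in it.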

Install Splunk Enterprise using the dpkg command.

sudo dpkg -i splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb

Enable Splunk at system startup. On a fresh install this is also the first run of the software, so the command shows the license and prompts for the administrator account before it installs the init script:

sudo /opt/splunk/bin/splunk enable boot-start

A caveat before running it: without a -user option the init script starts splunkd as root. The package creates a splunk system user (the one removed in the manual uninstall section below); running as that user is the safer choice: make sure /opt/splunk is owned by it (sudo chown -R splunk:splunk /opt/splunk) and pass -user splunk to enable boot-start. Adding -systemd-managed 1 installs a native systemd unit named Splunkd instead of the /etc/init.d script shown in the output below, in which case the later systemctl commands use Splunkd rather than splunk as the unit name.

After entering the command, accept the Splunk License Agreement. Scroll through it with Enter or the spacebar; at the end type y to agree.

Type the administrator username, a new password and the password confirmation as shown below:

Please enter an administrator username: admin
Please enter a new password: ***********
Please confirm new password: ***********

Output:

Do you agree with this license? [y/n]: y

This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: ankita
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
..+++++
.........+++++
e is 65537 (0x10001)
writing RSA key

Generating RSA private key, 2048 bit long modulus
.............................................................................................................+++++
..............................................................................................................................................................+++++
e is 65537 (0x10001)
writing RSA key

Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.

Start the Splunk service (enabling boot-start installs the init script but does not start splunkd).

sudo systemctl start splunk

Verify that the service is running.

sudo systemctl status splunk

Output:

ubuntu@ip-172-31-8-193:~$ sudo systemctl status splunk
● splunk.service - LSB: Start splunk
     Loaded: loaded (/etc/init.d/splunk; generated)
     Active: active (running) since Tue 2024-07-23 12:17:24 UTC; 5s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 23410 ExecStart=/etc/init.d/splunk start (code=exited, status=0/SUCCESS)
      Tasks: 178 (limit: 1130)
     Memory: 569.0M (peak: 605.1M)
        CPU: 32.662s
     CGroup: /system.slice/splunk.service
             ├─23483 splunkd -p 8089 start
             ├─23484 "[splunkd pid=23483] splunkd -p 8089 start [process-runner]"
             ├─23688 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --storageEngine=wiredTiger --wiredTigerCacheSizeGB=0.256000 --port=8191 --timeStampFormat=iso8601-utc --oplogS>
             ├─23730 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore
             ├─23732 /bin/sh -c "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py"
             ├─23733 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py
             ├─23759 /bin/sh -c "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_instrumentation/bin/on_splunk_start.py"
             ├─23760 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_instrumentation/bin/on_splunk_start.py
             ├─23781 /bin/sh -c "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_alerts_ttl_modular_input.py"
             ├─23784 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_alerts_ttl_modular_input.py
             ├─23785 /bin/sh -c "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py"
             ├─23786 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py
             └─23818 /opt/splunk/bin/python3.7 -O /opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000

Jul 23 12:16:55 ip-172-31-8-193 splunk[23411]:         All installed files intact.
Jul 23 12:16:55 ip-172-31-8-193 splunk[23411]:         Done
Jul 23 12:16:55 ip-172-31-8-193 splunk[23411]: All preliminary checks passed.
Jul 23 12:16:55 ip-172-31-8-193 splunk[23411]: Starting splunk server daemon (splunkd)...
Jul 23 12:16:55 ip-172-31-8-193 splunk[23411]: Done
Jul 23 12:17:24 ip-172-31-8-193 splunk[23411]: Waiting for web server at http://127.0.0.1:8000 to be available.......................... Done
Jul 23 12:17:24 ip-172-31-8-193 splunk[23411]: If you get stuck, we're here to help.
Jul 23 12:17:24 ip-172-31-8-193 splunk[23411]: Look for answers here: http://docs.splunk.com
Jul 23 12:17:24 ip-172-31-8-193 splunk[23411]: The Splunk web interface is at http://ip-172-31-8-193:8000
Jul 23 12:17:24 ip-172-31-8-193 systemd[1]: Started splunk.service - LSB: Start splunk.

Now open a web browser to reach Splunk Web on port 8000, the port listed in the prerequisites. Open it in the cloud security group or host firewall only for the addresses that need it.

http://server_name:8000

Two things to note from the startup output above. Splunk Web is served over plain HTTP by default, so the admin password you are about to type crosses the network unencrypted until you enable TLS: set enableSplunkWebSSL = true under the [settings] stanza in /opt/splunk/etc/system/local/web.conf, restart Splunk and use https://server_name:8000 instead. splunkd also listens on the management port 8089, which should stay closed to everything but administrative hosts and forwarders.

You should now see the Splunk login screen. Enter the admin credentials you created during the first run.

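Before leaving the instance reachable from the internet, check which of the ports from the systemctl output are bound on all interfaces rather than on localhost. The script below is an added example, not code from the article or from Splunk: it reads ss listener output, reports Splunk's default ports (8000 Splunk Web, 8089 management, 8191 KV store, 9997 forwarder receiving if you enable it) that are exposed on every interface, and prints the ufw rules that restrict them. The sample ss output and the networks 203.0.113.0/24 and 198.51.100.0/24 are constructed placeholders; on the host, feed it the real output of ss -Hltn.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit which Splunk ports are
# reachable from outside the host and emit matching ufw rules.
# Port roles are Splunk's defaults: 8000 Splunk Web, 8089 splunkd management/REST,
# 8191 KV store (mongod), 9997 receiving from forwarders (only if enabled).
# ADMIN_NET and FORWARDER_NET are placeholder assumptions; set them for your site.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"
FORWARDER_NET="${FORWARDER_NET:-198.51.100.0/24}"

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8191 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8065 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# exposed_splunk_ports <ss output>: print Splunk ports bound on all interfaces
# (0.0.0.0, * or [::]), one per line, sorted and de-duplicated.
exposed_splunk_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((port == "8000" || port == "8089" || port == "8191" || port == "9997") &&
                (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::"))
                print port
        }' | sort -n | uniq
}

# ufw_rules <port list>: 8000 and 8089 only from the admin network, 8191 never
# from the network at all, 9997 only from the forwarder network.
ufw_rules() {
    local p
    for p in $1; do
        case "$p" in
            8000|8089) echo "sudo ufw allow from $ADMIN_NET to any port $p proto tcp" ;;
            8191)      echo "sudo ufw deny 8191/tcp" ;;
            9997)      echo "sudo ufw allow from $FORWARDER_NET to any port 9997 proto tcp" ;;
        esac
    done
}

# audit <ss output>: human-readable report plus the suggested rules.
audit() {
    local exposed
    exposed=$(exposed_splunk_ports "$1")
    if [ -z "$exposed" ]; then
        echo "No Splunk port is bound on all interfaces."
        return 0
    fi
    echo "Splunk ports bound on all interfaces:"
    printf '  %s\n' $exposed
    echo "Suggested firewall rules:"
    ufw_rules "$exposed"
}

# Usage: bash audit.sh "$(ss -Hltn)"; with no argument the constructed sample is used.
audit "${1:-$SAMPLE_SS}"
```

Run it once right after the first start and again after enabling receiving on 9997, since that opens a new listener; anything the audit lists that is not in the prerequisites' port list should be closed or bound to localhost.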

Uninstall/Remove Splunk Enterprise completely from Ubuntu

There are two ways to uninstall Splunk on Ubuntu.

1. Uninstall/Remove Splunk Enterprise using package management utilities

If Splunk was configured to run at system startup, first remove it from the boot scripts before uninstalling.

Change to the Splunk bin directory, /opt/splunk/bin, and disable boot-start:

sudo ./splunk disable boot-start

Output:

/opt/splunk/bin$ sudo ./splunk disable boot-start

Disabled.

Once disabled, stop the Splunk service.

sudo ./splunk stop

Output:

cd /opt/splunk/bin/

sudo ./splunk stop

Stopping splunkd...

Shutting down.  Please wait, as this may take a few minutes.

..

Stopping splunk helpers...

Done.

Remove the package. dpkg -r removes the files the package installed; anything created at runtime, such as indexed data, the KV store and configuration you edited under /opt/splunk, is not part of the package and stays behind, so check /opt/splunk afterwards and delete it if nothing there is still needed.

sudo dpkg -r splunk

2. Uninstall/Remove Splunk Enterprise manually

Alternatively, remove Splunk from Ubuntu by hand.

Stop the Splunk service from the bin directory.

cd /opt/splunk/bin/
sudo ./splunk stop

Output:

cd /opt/splunk/bin/

sudo ./splunk stop

Stopping splunkd...

Shutting down.  Please wait, as this may take a few minutes.

..

Stopping splunk helpers...

Done.

Kill any Splunk processes still running. Match on splunkd itself (its argv[0] is plain splunkd, as the systemctl output above shows) and on helpers started from /opt/splunk, rather than on every command line that happens to contain "splunk", and send SIGTERM before SIGKILL so splunkd can close its files cleanly:

pids=$(pgrep -f 'splunkd|/opt/splunk/'); [ -n "$pids" ] && sudo kill -TERM $pids && sleep 5
pids=$(pgrep -f 'splunkd|/opt/splunk/'); [ -n "$pids" ] && sudo kill -KILL $pids

Remove the Splunk Enterprise Installation directory.

sudo rm -rf /opt/splunk

Delete the splunk system user and group.

sudo userdel splunk

sudo groupdel splunk

If the package was installed with dpkg, also purge it (dpkg -P splunk) so the package database no longer lists it as installed.

Conclusion

In this article, we installed Splunk Enterprise on Ubuntu 24.04 LTS and showed how to uninstall it completely, both with the package management utilities and manually.


Ankita Lunawat

Working as DevOps Intern likes to share Knowledge.
