In this article we cover how to install Splunk on Ubuntu 24.04 LTS, including on a cloud instance such as Amazon EC2, Azure VM or Google Compute Engine.
What is Splunk?
Splunk is a powerful platform used for searching, monitoring, and analyzing machine-generated data through a web-style interface. It can ingest and index large volumes of data from various sources, making it highly useful for IT operations, security, business analytics, and other data-driven domains.
Splunk Components:
- Splunk Forwarder
- Splunk Indexer
- Splunk Search Head
Prerequisites
- Ubuntu 24.04 LTS with a minimum of 2GB RAM and 1 CPU.
- SSH access with sudo privileges
- Firewall port 8000 open (Splunk Web).
Download and Install Splunk on Ubuntu
Let’s start the hands-on lab to install Splunk on Ubuntu 24.04 LTS.
Here we are installing and configuring Splunk Enterprise version 9.2.2 (the command output below was captured with the 9.3.0 package, so substitute the file name of whichever version you download). To download the latest version, first create an account and download Splunk Enterprise from the official Splunk website.
Choose the installer package; here I’m selecting Linux and downloading the .deb package.
Once the package is selected, open a terminal on the server and run the wget command that the download page highlights, reproduced here:
wget -O splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb"
Output:
ubuntu@ip-172-31-10-136:~$ wget -O splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb"
--2024-07-26 06:46:31-- https://download.splunk.com/products/splunk/releases/9.3.0/linux/splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb
Resolving download.splunk.com (download.splunk.com)... 54.182.0.70, 54.182.0.104, 54.182.0.119, ...
Connecting to download.splunk.com (download.splunk.com)|54.182.0.70|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 755608332 (721M) [binary/octet-stream]
Saving to: ‘splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb’
splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb 100%[====================================================================================================>] 720.60M 60.9MB/s in 9.5s
2024-07-26 06:46:42 (75.9 MB/s) - ‘splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb’ saved [755608332/755608332]
Install Splunk Enterprise using the dpkg command.
sudo dpkg -i splunk-9.3.0-51ccf43db5bd-linux-2.6-amd64.deb
Enable Splunk to start at system boot. On the first run this command also walks through the license agreement and creates the administrator account (the init script it installs is visible in the output below).
sudo /opt/splunk/bin/splunk enable boot-start
After entering the above command, we have to accept the Splunk License Agreement. Page through it by pressing Enter or the spacebar; at the end, type y to agree to the license terms.
Then enter the Splunk administrator username, password and password confirmation, as shown below:
Please enter an administrator username: admin
Please enter a new password: ***********
Please confirm new password: ***********
Output:
Do you agree with this license? [y/n]: y
This appears to be your first time running this version of Splunk.
Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.
Please enter an administrator username: ankita
Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
..+++++
.........+++++
e is 65537 (0x10001)
writing RSA key
Generating RSA private key, 2048 bit long modulus
.............................................................................................................+++++
..............................................................................................................................................................+++++
e is 65537 (0x10001)
writing RSA key
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
Start the Splunk service.
sudo systemctl start splunk
Verify that the Splunk service is running.
sudo systemctl status splunk
Output:
ubuntu@ip-172-31-8-193:~$ sudo systemctl status splunk
● splunk.service - LSB: Start splunk
Loaded: loaded (/etc/init.d/splunk; generated)
Active: active (running) since Tue 2024-07-23 12:17:24 UTC; 5s ago
Docs: man:systemd-sysv-generator(8)
Process: 23410 ExecStart=/etc/init.d/splunk start (code=exited, status=0/SUCCESS)
Tasks: 178 (limit: 1130)
Memory: 569.0M (peak: 605.1M)
CPU: 32.662s
CGroup: /system.slice/splunk.service
├─23483 splunkd -p 8089 start
├─23484 "[splunkd pid=23483] splunkd -p 8089 start [process-runner]"
├─23688 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --storageEngine=wiredTiger --wiredTigerCacheSizeGB=0.256000 --port=8191 --timeStampFormat=iso8601-utc --oplogS>
├─23730 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore
├─23732 /bin/sh -c "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py"
├─23733 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py
├─23759 /bin/sh -c "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_instrumentation/bin/on_splunk_start.py"
├─23760 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_instrumentation/bin/on_splunk_start.py
├─23781 /bin/sh -c "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_alerts_ttl_modular_input.py"
├─23784 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_alerts_ttl_modular_input.py
├─23785 /bin/sh -c "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py"
├─23786 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py
└─23818 /opt/splunk/bin/python3.7 -O /opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000
Jul 23 12:16:55 ip-172-31-8-193 splunk[23411]: All installed files intact.
Jul 23 12:16:55 ip-172-31-8-193 splunk[23411]: Done
Jul 23 12:16:55 ip-172-31-8-193 splunk[23411]: All preliminary checks passed.
Jul 23 12:16:55 ip-172-31-8-193 splunk[23411]: Starting splunk server daemon (splunkd)...
Jul 23 12:16:55 ip-172-31-8-193 splunk[23411]: Done
Jul 23 12:17:24 ip-172-31-8-193 splunk[23411]: Waiting for web server at http://127.0.0.1:8000 to be available.......................... Done
Jul 23 12:17:24 ip-172-31-8-193 splunk[23411]: If you get stuck, we're here to help.
Jul 23 12:17:24 ip-172-31-8-193 splunk[23411]: Look for answers here: http://docs.splunk.com
Jul 23 12:17:24 ip-172-31-8-193 splunk[23411]: The Splunk web interface is at http://ip-172-31-8-193:8000
Jul 23 12:17:24 ip-172-31-8-193 systemd[1]: Started splunk.service - LSB: Start splunk.
Now open a web browser to access the Splunk web interface. As mentioned in the prerequisites, firewall port 8000 must be open.
http://server_name:8000
You should now see the Splunk login screen. Enter your Splunk admin credentials.
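The download, install, first-start and service steps above can be run unattended (for example from cloud-init). The script below is added to this article and is not the article’s own or Splunk’s code. It builds the same package URL, replaces the interactive license and credential prompts with the documented --accept-license --answer-yes --no-prompt flags and a user-seed.conf file, verifies the package before dpkg touches it, and runs the service as the splunk user rather than root. Assumptions: the admin password is supplied in the SPLUNK_ADMIN_PASSWORD environment variable; a .sha512 checksum file is published next to the .deb (an assumption about the download site; if the checksum is offered differently, adapt that one step rather than drop verification); and the splunk user and group are created by the package, as the uninstall section implies.

```shell
#!/bin/sh
# Unattended Splunk Enterprise install on Ubuntu. Added example, not the article's or
# Splunk's own script. Assumptions: SPLUNK_ADMIN_PASSWORD is exported by the operator,
# and a .sha512 file in sha512sum format is published next to the .deb (assumption).
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# File name and URL for a given version/build pair, following the article's 9.3.0 link.
splunk_deb_name() { printf 'splunk-%s-%s-linux-2.6-amd64.deb' "$1" "$2"; }
splunk_deb_url() {
  printf 'https://download.splunk.com/products/splunk/releases/%s/linux/%s' \
    "$1" "$(splunk_deb_name "$1" "$2")"
}

# Minimum the installer itself enforces (8 printable ASCII characters); tighten to local policy.
password_ok() { [ "${#1}" -ge 8 ]; }

# Seed the admin account so the first start needs no prompt. splunkd reads and deletes
# user-seed.conf on first start; until then keep it readable by its owner only (mode 600).
write_user_seed() {
  dir="$1/etc/system/local"
  mkdir -p "$dir"
  ( umask 077; printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$2" "$3" \
      > "$dir/user-seed.conf" )
  printf '%s\n' "$dir/user-seed.conf"
}

install_splunk() {
  version="${1:-9.3.0}"; build="${2:-51ccf43db5bd}"
  admin_user="${SPLUNK_ADMIN_USER:-admin}"
  admin_pass="${SPLUNK_ADMIN_PASSWORD:?export SPLUNK_ADMIN_PASSWORD before running}"
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
  password_ok "$admin_pass" || { echo "admin password shorter than 8 characters" >&2; return 1; }

  deb="$(splunk_deb_name "$version" "$build")"
  url="$(splunk_deb_url "$version" "$build")"
  wget -O "$deb" "$url"
  wget -O "$deb.sha512" "$url.sha512"   # assumption: sha512sum-format checksum file
  sha512sum -c "$deb.sha512"            # abort on mismatch before installing anything
  dpkg -i "$deb"

  write_user_seed "$SPLUNK_HOME" "$admin_user" "$admin_pass" >/dev/null
  # First run as root: accepts the licence, consumes the seed file, installs the init script.
  "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk \
      --accept-license --answer-yes --no-prompt
  chown -R splunk:splunk "$SPLUNK_HOME"   # files created by the first run must belong to splunk
  systemctl start splunk
  # Host firewall only; on a cloud instance port 8000 is opened in the provider's security group.
  if command -v ufw >/dev/null; then ufw allow 8000/tcp; fi
  systemctl --no-pager status splunk
}

# Guarded so that sourcing this file for its functions never triggers an install.
if [ "${RUN_SPLUNK_INSTALL:-0}" = "1" ]; then install_splunk "$@"; fi
```

Export SPLUNK_ADMIN_PASSWORD in a root shell (read it from a secret store rather than typing it on a command line that lands in shell history), then run RUN_SPLUNK_INSTALL=1 sh install-splunk.sh. The seed file is removed by splunkd once the account exists, so the password does not persist on disk.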
Uninstall/Remove Splunk Enterprise completely in Ubuntu
There are two ways to uninstall/remove Splunk in Ubuntu.
1. Uninstall/Remove Splunk Enterprise using package management utilities
If Splunk Enterprise was configured to start at system boot, first remove it from the boot scripts before uninstalling, using the commands below.
Change to the Splunk home bin directory, /opt/splunk/bin, and disable boot-start:
sudo ./splunk disable boot-start
Output:
/opt/splunk/bin$ sudo ./splunk disable boot-start
Disabled.
Once disabled, stop the Splunk service.
sudo ./splunk stop
Output:
cd /opt/splunk/bin/
sudo ./splunk stop
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
..
Stopping splunk helpers...
Done.
Remove the Splunk package. Note that dpkg -r removes the installed files but leaves configuration files behind; to purge those as well, use sudo dpkg -P splunk instead.
sudo dpkg -r splunk
2. Uninstall/Remove Splunk Enterprise Manually
This is the alternative way to uninstall Splunk from Ubuntu.
First, stop the Splunk service.
sudo ./splunk stop
Output:
cd /opt/splunk/bin/
sudo ./splunk stop
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
..
Stopping splunk helpers...
Done.
Kill any Splunk processes that are still running. Note that this matches every process whose command line contains the word "splunk", so check the ps output first.
sudo kill -9 $(ps -ef | grep splunk | grep -v grep | awk '{print $2}')
Remove the Splunk Enterprise installation directory.
sudo rm -rf /opt/splunk
Delete the splunk system user and group.
sudo userdel splunk
sudo groupdel splunk
Conclusion
In this article, we have shown how to install Splunk on Ubuntu 24.04 LTS, and how to uninstall/remove Splunk Enterprise completely from Ubuntu, both with the package management utilities and manually.