What’s a Splunk Stand Alone (AIO) server?


In the previous article about Splunk we covered the advantages Splunk offers when working with large data volumes. But suppose you want to see and feel what it is like to have Splunk running in your environment: can you start small? Yes, you can, using what is called a Splunk stand-alone server, which runs essentially all server roles on one machine. You could call it an All In One box (AIO).

What do you need to run a Splunk AIO?

All you need to run a Splunk Stand Alone server or AIO is:

  • A server running a supported operating system
  • The Splunk Enterprise binary for that OS

To get the binary:

  1. For starters, you go to the download page on the Splunk website:
     https://www.splunk.com/en_us/download/splunk-enterprise.html?utm_campaign=google_emea_tier3_en_search_brand&utm_source=google&utm_medium=cpc&utm_content=Splunk_Enterprise_Demo&utm_term=splunk%20download&_bk=splunk%20download&_bt=570870011925&_bm=e&_bn=g&_bg=75654873508&device=c&gclid=Cj0KCQjwkqSlBhDaARIsAFJANkjTmeWJ0npSmErI5KiyEr2p__C1cV7ExXnQdCWIxWZB3PSFdLQIFVAaAoYTEALw_wcB&locale=en_us
  2. Then you select the right version for your OS (in this case I am using Ubuntu).
  3. Once this is selected your download will start. Note there will be an option to download via CLI. We take this route and copy the wget command it shows for later.
  4. Yours might be different depending on the version or on when exactly you read this post.

OK. Now over to our Ubuntu host. You connect via console or SSH to your *nix-based machine.

Once you are connected you execute the wget command you copied from the download page.

ubuntu@ip-172-31-40-4:~$ wget -O splunk-9.1.0.1-77f73c9edb85-Linux-x86_64.tgz "https://download.splunk.com/products/splunk/releases/9.1.0.1/linux/splunk-9.1.0.1-77f73c9edb85-Linux-x86_64.tgz"
--2023-07-09 11:16:23--  https://download.splunk.com/products/splunk/releases/9.1.0.1/linux/splunk-9.1.0.1-77f73c9edb85-Linux-x86_64.tgz
Resolving download.splunk.com (download.splunk.com)... 65.9.55.47, 65.9.55.103, 65.9.55.94, ...
Connecting to download.splunk.com (download.splunk.com)|65.9.55.47|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 602142414 (574M) [binary/octet-stream]
Saving to: ‘splunk-9.1.0.1-77f73c9edb85-Linux-x86_64.tgz’

splunk-9.1.0.1-77f73c9edb85-Linux 100%[===========================================================>] 574.25M  67.1MB/s    in 8.4s    

2023-07-09 11:16:31 (68.6 MB/s) - ‘splunk-9.1.0.1-77f73c9edb85-Linux-x86_64.tgz’ saved [602142414/602142414]

ubuntu@ip-172-31-40-4:~$ 

After this step is complete, you change to the root user.

Then you unpack the .tgz package into the /opt directory with this command.

tar -xvzf splunk-9.1.0.1-77f73c9edb85-Linux-x86_64.tgz -C /opt/

After that, what we need to do is create a splunk user, change the ownership of the splunk directory and start Splunk, which launches the setup wizard.

#create the splunk user
useradd splunk

#change the ownership of the splunk directory.
chown -R splunk:splunk /opt/splunk/

#to launch the setup
/opt/splunk/bin/splunk start

After Splunk has been started you will see the license agreement.

SPLUNK GENERAL TERMS

Last Updated: August 12, 2021

These Splunk General Terms ("General Terms") between Splunk Inc., a Delaware
corporation, with its principal place of business at 270 Brannan Street, San
Francisco, California 94107, U.S.A ("Splunk" or "we" or "us" or "our") and you
("Customer" or "you" or "your") apply to the purchase of licenses and
subscriptions for Splunk's Offerings. By clicking on the appropriate button,
or by downloading, installing, accessing or using the Offerings, you agree to
these General Terms. If you are entering into these General Terms on behalf of
Customer, you represent that you have the authority to bind Customer. If you
do not agree to these General Terms, or if you are not authorized to accept
the General Terms on behalf of the Customer, do not download, install, access,
or use any of the Offerings.

See the General Terms Definitions Exhibit attached for definitions of
capitalized terms not defined herein.

1. License Rights
(A) General Rights. You have the nonexclusive, worldwide, nontransferable and
nonsublicensable right, subject to payment of applicable Fees and compliance
with the terms of these General Terms, to use your Purchased Offerings for

You can either scroll all the way to the end or press q to get out of the license agreement. You get prompted with this question:

Do you agree with this license? [y/n]: 

Pressing y and Enter will get you to the admin user creation screen:

This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: 

You enter the admin user that you want and you enter a password after that. Then you confirm the password and you are all set.

Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
..................................................................+++++
.+++++
e is 65537 (0x10001)
writing RSA key

Generating RSA private key, 2048 bit long modulus
.........................................................................................................+++++
.........................................................................................+++++
e is 65537 (0x10001)
writing RSA key

Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.

Splunk> The Notorious B.I.G. D.A.T.A.

Checking prerequisites...
	Checking http port [8000]: open
	Checking mgmt port [8089]: open
	Checking appserver port [127.0.0.1:8065]: open
	Checking kvstore port [8191]: open
	Checking configuration... Done.
		Creating: /opt/splunk/var/lib/splunk
		Creating: /opt/splunk/var/run/splunk
		Creating: /opt/splunk/var/run/splunk/appserver/i18n
		Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
		Creating: /opt/splunk/var/run/splunk/upload
		Creating: /opt/splunk/var/run/splunk/search_telemetry
		Creating: /opt/splunk/var/run/splunk/search_log
		Creating: /opt/splunk/var/spool/splunk
		Creating: /opt/splunk/var/spool/dirmoncache
		Creating: /opt/splunk/var/lib/splunk/authDb
		Creating: /opt/splunk/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunk/etc/auth'.
	Checking critical directories...	Done
	Checking indexes...
		Validated: _audit _configtracker _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary
	Done
	Checking filesystem compatibility...  Done
	Checking conf files for problems...
	Done
	Checking default conf files for edits...
	Validating installed files against hashes from '/opt/splunk/splunk-9.1.0.1-77f73c9edb85-linux-2.6-x86_64-manifest'
	All installed files intact.
	Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Generating a RSA private key
..............................................................................................+++++
.......+++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=ip-172-31-40-4/O=SplunkUser
Getting CA Private Key
writing RSA key
PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security
Done


Waiting for web server at http://127.0.0.1:8000 to be available...................... Done


If you get stuck, we're here to help.  
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://ip-172-31-40-4:8000

If you want Splunk to run as the splunk user that we have created, you need to take one more step, and that is to enable boot-start for the user splunk.

/opt/splunk/bin/splunk enable boot-start -user splunk

If all goes well, the below is the output:

Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.

Then you type ‘reboot’ and wait for a few minutes.

Try to access the following URL and you should see a Splunk UI screen.

http://<IP where you installed Splunk>:8000

And yes, I know, HTTP, but we will cover enabling HTTPS in another article.
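The whole procedure above, as an added example that is not from the original post and not Splunk's own tooling: a POSIX shell script that performs the download, unpack, user creation, first start and boot-start steps in order, with two checks a practitioner would want on top. Assumptions beyond the page: that Splunk publishes a SHA-512 digest file for each tarball at the tarball URL plus `.sha512` (the page only shows the `.tgz` URL), that `user-seed.conf` is used to create the admin account instead of answering the interactive prompt, that the first start is done as the splunk user rather than root so nothing under `var/` ends up root-owned, and that the `PYTHONHTTPSVERIFY` setting named in the startup warning lives in `/opt/splunk/etc/splunk-launch.conf` as a `KEY=VALUE` line. Version and build string are the ones from the wget line above; the helper functions work on any local file, so they can be tried without touching `/opt`.

```shell
#!/bin/sh
# Added example: Splunk AIO install as one idempotent script (not the post's own
# commands and not Splunk tooling). See the assumptions listed in the text above.
set -eu

SPLUNK_VERSION="${SPLUNK_VERSION:-9.1.0.1}"        # from the wget line on the page
SPLUNK_BUILD="${SPLUNK_BUILD:-77f73c9edb85}"       # build id from the same line
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# Tarball name and download URL, built from version and build id.
splunk_tarball() { printf 'splunk-%s-%s-Linux-x86_64.tgz\n' "$1" "$2"; }
splunk_url() {
    printf 'https://download.splunk.com/products/splunk/releases/%s/linux/%s\n' \
        "$1" "$(splunk_tarball "$1" "$2")"
}

# First field of a "<digest>  <filename>" checksum file.
digest_from_sidecar() { cut -d' ' -f1 "$1"; }

# Compare a file's SHA-512 with an expected hex digest; the exit status is the verdict.
verify_sha512() {
    actual=$(sha512sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Inspect a splunk-launch.conf for the setting the startup output warns about.
# Prints "missing" (no such file), "insecure" (PYTHONHTTPSVERIFY=0) or "ok".
# Assumption: the setting is a plain KEY=VALUE line in that file.
python_https_verify_state() {
    [ -r "$1" ] || { echo missing; return 0; }
    if grep -Eq '^[[:space:]]*PYTHONHTTPSVERIFY[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"; then
        echo insecure
    else
        echo ok
    fi
}

# The install itself: download + verify, unpack, service user, seeded admin account,
# first start as that user, boot-start. Needs root and SPLUNK_ADMIN_PASSWORD in the env.
install_splunk() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -n "${SPLUNK_ADMIN_PASSWORD:-}" ] || { echo "set SPLUNK_ADMIN_PASSWORD" >&2; return 1; }
    tarball=$(splunk_tarball "$SPLUNK_VERSION" "$SPLUNK_BUILD")
    url=$(splunk_url "$SPLUNK_VERSION" "$SPLUNK_BUILD")

    wget -O "$tarball" "$url"
    wget -O "$tarball.sha512" "$url.sha512"          # assumed location of the digest file
    verify_sha512 "$tarball" "$(digest_from_sidecar "$tarball.sha512")" \
        || { echo "checksum mismatch for $tarball, not installing" >&2; return 1; }

    id "$SPLUNK_USER" >/dev/null 2>&1 || useradd -m "$SPLUNK_USER"
    tar -xzf "$tarball" -C /opt/

    # Seed the admin account so the wizard does not prompt; the password never
    # appears in argv. user-seed.conf is Splunk's first-start mechanism for this.
    mkdir -p "$SPLUNK_HOME/etc/system/local"
    ( umask 077; printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$SPLUNK_ADMIN_PASSWORD" \
        > "$SPLUNK_HOME/etc/system/local/user-seed.conf" )
    chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"

    # First start as the service user, so nothing under var/ is created root-owned.
    su - "$SPLUNK_USER" -c "'$SPLUNK_HOME/bin/splunk' start --accept-license --answer-yes --no-prompt"

    # Same boot-start step as on the page (init script); add "-systemd-managed 1"
    # to get a systemd unit instead of /etc/init.d/splunk.
    "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER"

    [ "$(python_https_verify_state "$SPLUNK_HOME/etc/splunk-launch.conf")" = ok ] \
        || echo "warning: PYTHONHTTPSVERIFY is 0 or unreadable in splunk-launch.conf; set it to 1" >&2
}

if [ "${1:-}" = install ]; then
    install_splunk
fi
```

Run it as root with `SPLUNK_ADMIN_PASSWORD='...' sh install-splunk-aio.sh install`; without the `install` argument it only defines the functions, so you can source it and call `verify_sha512` or `python_https_verify_state` on their own after a manual install. A failed checksum stops the script before anything is unpacked, which is the point of fetching the digest before `tar`.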
