Installing Splunk?

-
Installing Splunk?

  • Navigate to https://www.splunk.com
  • Sign up for a free account on Splunk
  • Login
  • Click on "FREE SPLUNK"
  • Select "Splunk Enterprise"
  • Select the OS on which you want to install.
  • Download the package.




In my case I will in installing it on one of the AWS instance.

So I will be choosing Linux 64 Bit .rpm.

[root@ip ~]# ls -lrt
-rw-r--r-- 1 root root 345022297 Feb 28 07:14 splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64.rpm

Here is my file splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64.rpm.
  • Create a user called splunk or whatever you want.
  • Change its password.
  • Give it sudo privileges.
  • Install the rpm which we downloaded.
 [splunk@ip opt]$ sudo rpm -ivh splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64.rpm
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for splunk:
warning: splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID b3cd4420: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:splunk-7.2.4.2-fb30470262e3      ################################# [100%]
complete
[splunk@ip opt]$


Once its installed, go to /opt/splunk/bin and start your splunk daemon.
  • Note: Splunk web works on port number 8000
If you are starting splunk for the first time:
  • It will ask you to accept the license agreement.
  • It will ask you to create a user and set a password for it.
[splunk@ip bin]$ ./splunk start
Splunk> Take the sh out of IT.
Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration...  Done.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _internal _introspection _telemetry _thefishbucket history main summary
        Done
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunk/splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done [  OK  ]
Waiting for web server at http://127.0.0.1:8000 to be available... Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://ip:8000
[splunk@ip bin]$
  • Navigate to your http://YOUR_IP:8000 to login to splunk.







  • Enter the credentials which you created while starting the splunk for the first time.
  • Once your authentication is successful, you will see something like this:

Comments

Post a Comment

Popular posts from this blog

#3 Splunk sub(Commands) [eval, round, trim, stats, ceil, exact, floor, tostring]

-
Image
ROUND: Eval with round takes one or two numeric arguments, returning 'first value' rounded to the amount of decimal places specified in 'second value'.  By default it will remove all the decimals. Example: index=idx_messages sourcetype=linux_logs | eval new_rt= trim ( replace (response_time, "ms.", "")) | stats avg (new_rt) as Average | eval Average= round (Average) Remove all the decimal values. Example: | eval Average= round (Average,3) Rounded the value up-to 3 decimal places. Example: | eval Average= ceil (Average) Round the value up-to the next highest integer. Example: | eval Average= exact (Average) Give the output with maximum possible number of decimal values. Example: | eval Average= floor (Average) Round the value down to the nearest whole integer. Apart from this, there are other functions as well which are used by eval command, for instance pi (), sqrt () etc. TOSTRING: Hel
Read more

#6 Splunk sub(Commands) [fields, rename, replace, table, transaction]

-
FIELDS:  This command helps to keep or remove specified fields from the search results, below command will keep just three fields in your search result. Example: | fields request, rc, pt RENAME:  This command helps to rename field(s), below command will rename a field named as service to serviceType and RC as responseCode Example: | rename service AS serviceType, RC AS responseCode REPLACE:  This command helps to replace the values of fields with another value, below command will replace the values "fetchReport" and "viewReport" as "Report" in "serviceType' field. Example: | replace fetchReport with Report, viewReport with Report in serviceType TABLE: This command helps to format the results into tabular output. Example: | table request, rc, pt TRANSACTION:  This command helps to merge events into a single event based upon a common identifier, below command will create events based on two events i.e. it will fetch the txn-id w
Read more

#1 Splunk sub(Commands) [top, rare, fields, table, rename, sort]

-
Image
TOP: Will show you top results with respect to your field. Example: index=_internal | top limit=5 component RARE: Will help you to find out least common values of a field, i.e. it is similar to TOP but works in opposite direction. Example: index=_internal | rare limit=5 component FIELDS: Will help you to limit your columns, lets say you want to remove count from above table, fields can help you to achieve that. Though there are other usage of fields as well but you will learn slowly and gradually when you start building some complex queries. Example: index=_internal | top limit=5 component | fields component, percent TABLE: Same thing can be achieved via table as well. Example: index=_internal | top limit=5 component | table component, percent RENAME: Lets say you want to rename a column, for that you can use rename command. Example: index=_internal | top limit=5 component | rename percent AS percentage | t
Read more