Splunk Enterprise Tutorial: Getting Started

A short and simple guide to getting started with Splunk Enterprise.

This guide is based on version 6.3.2, the latest at the time of this writing.

For this guide we will use CentOS 7.

Download and Installation

Download the splunk and splunkforwarder packages from the official download page: www.splunk.com/en_us/download/splunk-enterprise.html

For getting started, a two-node topology is sufficient. For this guide we will deploy a single-instance indexer and a single universal forwarder.

Index Node

On the indexer node install the main splunk rpm.

sudo rpm -Uvh splunk-6.3.2-aaff59bb082c.i386.rpm

Log in as the user splunk (created by the rpm), create the necessary directories, and put the splunk binaries on the PATH.

sudo su - splunk
# -p creates /opt/splunk/var first if it does not exist yet
mkdir -p /opt/splunk/var/{log,introspective}
export PATH=$PATH:/opt/splunk/bin

Enable the receiving listener on port 9997/tcp; this is the port the forwarder will send data to.

splunk enable listen 9997

Start Splunk.

splunk start

Allow port 8000/tcp (the web interface) through the firewalld firewall. Note that the forwarder node must also be able to reach 9997/tcp on the indexer, so that port needs to be allowed as well if the forwarder sits behind this firewall.

sudo firewall-cmd --add-port=8000/tcp --permanent
sudo firewall-cmd --reload

Visit the web interface on the indexer at http://[2602:306:371b:96a0:a00:27ff:fe3c:926a]:8000 (substitute your own indexer's address).
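The steps above leave two things to verify before pointing a forwarder at the indexer: that splunkd is actually listening on 8000 and 9997, and that firewalld lets those ports through. The following check script is an added example, not part of this tutorial or of Splunk itself. It assumes the CentOS 7 tooling (firewalld's firewall-cmd and iproute2's ss), the tutorial's paths and ports, and includes a constructed sample of ss output so the parsing functions can be exercised without a Splunk install.

```shell
#!/bin/sh
# Added post-install check for the indexer node set up above (not from the
# tutorial or from Splunk). Assumes CentOS 7: firewall-cmd and ss are present.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
WEB_PORT=8000    # Splunk Web
RECV_PORT=9997   # receiving port that forwarders connect to

# port_in_list PORT/PROTO "LIST": succeed if LIST (the space-separated output of
# `firewall-cmd --list-ports`, e.g. "8000/tcp 9997/tcp") contains PORT/PROTO.
port_in_list() {
    want="$1"
    for p in $2; do
        [ "$p" = "$want" ] && return 0
    done
    return 1
}

# listening_on PORT "SS_OUTPUT": succeed if the output of `ss -tln` has a LISTEN
# socket whose local address ends in ":PORT" (so 9997 does not match 19997).
listening_on() {
    printf '%s\n' "$2" | awk -v p=":$1" '
        $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# missing_indexer_ports "FW_LIST" "SS_OUTPUT": print one line per problem found;
# print nothing when both the web and receiving ports are open and listening.
missing_indexer_ports() {
    fw="$1"; ss_out="$2"
    for port in "$WEB_PORT" "$RECV_PORT"; do
        port_in_list "$port/tcp" "$fw" || echo "firewalld: $port/tcp is not open"
        listening_on "$port" "$ss_out" || echo "no listener on tcp/$port"
    done
}

# check_indexer: run the checks against the live system (sudo for firewall-cmd).
check_indexer() {
    problems=$(
        missing_indexer_ports "$(sudo firewall-cmd --list-ports)" "$(ss -tln)"
        "$SPLUNK_HOME/bin/splunk" status >/dev/null 2>&1 \
            || echo "splunkd is not running (try: splunk start)"
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "indexer OK: web on $WEB_PORT, receiving on $RECV_PORT"
}

# Constructed sample of `ss -tln` on a host where the receiver was never enabled
# (the 19997 line is there to show the suffix match does not confuse it with 9997).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:8000              *:*
LISTEN 0      128    127.0.0.1:8089      *:*
LISTEN 0      128    *:19997             *:*'
# Constructed firewalld port list matching the tutorial's firewall-cmd step.
SAMPLE_FW='8000/tcp'

# Only touch the live system when invoked as: sh check_indexer.sh --run
if [ "${1:-}" = "--run" ]; then
    check_indexer
fi
```

Run it with `--run` on the indexer after `splunk start`; without arguments it only defines the functions. Against the constructed sample, `missing_indexer_ports` reports that 9997/tcp is neither open in firewalld nor listening, which is exactly the state a forwarder would fail against.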

Forwarder Node

On the forwarder node install the splunkforwarder package.

sudo rpm -Uvh splunkforwarder-6.3.2-aaff59bb082c-linux-2.6-x86_64.rpm