Our blog

How to Install Splunk on Ubuntu in Five Minutes

Using Splunk Statistical Commands: Eventstats and Streamstats by bitsIO

You’ve finally decided to start using the latest version of Splunk (9.0.4.1), but you need to get everything set up on your Ubuntu system. 

Unlike CentOS, installing Splunk on Ubuntu is extremely simple, and you don’t even need to create separate users (as you should with the former distribution). Let’s see how to install Splunk 9.0.4.1 on Ubuntu in just five minutes.

Requirements to Install Splunk 9.0.4.1 on Ubuntu

First things first, you obviously need the latest TLS version of Ubuntu installed on your system for this to work. If you haven’t installed it on your system yet, download Ubuntu and follow this tutorial to get started (you’ll need a USB stick). 

Then, once it’s up and running, follow the steps listed below to get Splunk working on your system and start collecting data.

Open the terminal app on your Ubuntu installation and check whether the architecture of your machine is 32- or 64-bit.

Modern computers all use 64-bit architectures, but if you’re using an older machine, you might be running a 32-bit version. To check your system’s architecture, run the following command in the Ubuntu terminal: [terminal]uname -a[/terminal]

You should get something like this in return:

[terminal]Linux bitsio 5.0.0-32-generic #34-Ubuntu SMP Wed Oct 2 02:06:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux[/terminal]

The x86_64 means that you’re running on a 64-bit machine.

Splunk can run on both 32- and 64-bit, but you have to download the correct file. Head on over to Splunk’s website and click on the “Free Splunk” button on the top right corner of your screen. 

From here, you should enter your personal information and create your own Splunk account in order to download and install the latest version of Splunk Enterprise (free trial).

Once you’re done with that, select the “software download” tab and make sure to accept the Splunk Software License Agreement. You now have your own Splunk account.

You’ll be redirected to the core product page, where you can download either a 60-day free trial or a completely free sample of Splunk. Choose the version that is best suited to your needs (Splunk Free is limited to indexing 500 MB per day) and click on it:

Once you’re through, select the Linux tab and download the .deb package:

download options page for Splunk installation

Alternatively, you can copy and paste the wget command that Splunk provides once you click on the “Download Now” button and run it directly into the command line (do it in the Downloads folder):

useful tools page to download Splunk in Ubuntu with the help of the command line

Done, you’re now ready to install Splunk directly on Ubuntu.

Install Splunk 9.0.4.1 on Ubuntu in 5 Minutes

Installing Splunk 9.0.4.1 on your Ubuntu installation doesn’t take long. There are five steps to follow before you can start using your web interface. 

Each step shouldn’t take more than one minute so follow through and you’ll be ready to go (we’re still on the terminal):

1. Move the .deb file to your /tmp folder

[terminal]mv Splunk 9.0.4.1-1357bef0a7f6-linux-2.6-amd64.deb /tmp cd /tmp[/terminal]

This will move your installation file to the /tmp folder, where you can safely proceed with the Splunk installation. You also change the directory to the /tmp folder.

2. Install Splunk 9.0.4.1 on Ubuntu (any version)

[terminal]sudo dpkg -i splunk-9.0.4.1.0-1357bef0a7f6-linux-2.6-amd64.deb[/terminal]

This will install Splunk on your machine. You can copy and paste the file name onto the terminal (use the ls command). Make sure to include the .deb extension. 

Also, make sure to use the sudo command for superuser privileges. You should see something like this, which means Splunk was installed correctly:


[terminal]Selecting previously unselected package splunk. (Reading database … 159633 files and directories currently installed.) Preparing to unpack Splunk 9.0.4.1.0-1357bef0a7f6-linux-2.6-amd64.deb … Unpacking splunk (8.0.0) … Setting up splunk (8.0.0) … complete[/terminal]

3. Start Splunk at boot, enter administrator username and password (accept license)

[terminal]sudo /opt/splunk/bin/splunk enable boot-start[/terminal]

This command will tell Splunk to start every time your machine boots. You’ll be shown the Splunk Software License Agreement at this point. Go through the entire thing (until you reach 100%) and accept:

[terminal]Do you agree with this license? [y/n]: y[/terminal]

Here’s what you’ll see:

[terminal]This appears to be your first time running this version of Splunk. Splunk software must create an administrator account during startup. Otherwise, you cannot log in. Create credentials for the administrator account. Characters do not appear on the screen when you type in credentials. Please enter an administrator username:[/terminal]

Follow the instructions and choose your username; it can be whatever you want it to be but we suggest using something as simple as your name. Then, you’ll be prompted to set up your password twice. 

Use something that’s not too easy to remember but not too long either and save it in your password manager:

[terminal]Password must contain at least: * 8 total printable ASCII character(s). Please enter a new password: 

Please confirm the new password: [/terminal]

Once you’ve set up your password, the configuration will be complete. Here’s what you should see: 

[terminal]Copying ‘/opt/splunk/etc/openldap/ldap.conf.default’ to ‘/opt/splunk/etc/openldap/ldap.conf’. Generating RSA private key, 2048 bit long modulus …+++++ .+++++ e is 65537 (0x10001) writing RSA key[/terminal] [terminal]Generating RSA private key, 2048 bit long modulus ……………..+++++ ………….+++++ e is 65537 (0x10001) writing RSA key Moving ‘/opt/splunk/share/splunk/search_mrsparkle/modules.new’ to ‘/opt/splunk/share/splunk/search_mrsparkle/modules’. Init script installed at /etc/init.d/splunk. Init script is configured to run at boot.[/terminal]

Now you simply need to start Splunk and you’re ready to go.

4. Start the Splunk service

[terminal]sudo service splunk start[/terminal]

Drum rolls, please… Splunk is ready to go! The last step is getting to the web interface and starting to tinker with your data.

5. Log in to the web interface

Use your favorite browser, type localhost:8000 in the address bar, and you’ll be presented with the Splunk web login interface. If you can’t access the page, restart your computer. Enter the username and password that you set up after accepting the license and boom, you’re in!