February 11, 2009

Performing the Initial Splunk Configurations

Installing Splunk Part 3 of 5

Now that the Linux operating system is installed
it is time to install the latest instance of Splunk. Since
we have chosen SuSe for our operating system we are going to use the splunk rpm distribution
from the site. Splunk can be obtained for free by signing
up at www.splunk.com. Using
a non-licensed version of Splunk will limit some of the key features, specifically
authentication will not work, which is the biggest part and the amount of data that
can be fed into Splunk will also be limited. For the purpose
of this post we are going to assume that you have a license for Splunk. Some
of the configurations that are going to be setup will be specific to a licensed copy
of Splunk. If you are just using a free copy then just
ignore the aspects of the configuration that will not apply to you.


One of the nice things about Splunk is their support
for wget. Once you click to download they will provide
you the wget command and url setup for you to copy and paste. Here
is a screen shot of me performing the wget from my test server:



Once the solution is downloaded move it to the /opt
directory of your new Splunk server. Start the installation
by running:


–i lt;splunk-package-name.rpmgt;


At this point Splunk suggests exporting Splunk’s
path to your profile. Personally, I do it immediately. There
are too many times when configuring and debugging that you will start, stop, or restart
Splunk in the process of the deployment and use. If you
aren’t familiar with doing this here it is:



Then insert the following entries:




You can test the profile changes by then running
the command:




The results should be:

is not running.

splunkweb is not running.


Again we are assuming that you are using a licensed
version of Splunk. With that ssid the next step is to
place the license file into your Splunk instance. You
should have received your Splunk license via email. I
typically sftp the license to the Splunk server and then move it once I am on the


To move the license where it needs to go use the
following commands:



where the username is the account that you used
to sftp the file to the server.

splunk.license /opt/splunk/etc/splunk.license


Now that we have a license file in place we want
to make sure that we have Splunk setup for an ssl login connection. We
are going to copy a config file over and then edit it to meet our needs. Just
use the following commands and examples to accomplish an ssl deployment of Splunk.



default/web.conf local/web.conf

splunk:splunk local/web.conf

+w local/web.conf



Now that we are editing the web.conf file we are
going to make several changes:


Change the default port that the server
is listening on


Enable ssl

The settings that we will change are:




= 443



= false


= true


Below you can see what this looks like.



At this point we are
going to start Splunk and login with the default account so that we can test our server. The
first step is to start the splunk processes which include:







Run the command:




When Splunk starts for the first time you are presented
with the license and agreement, which must be accepted in order to continue using
the solution. Once it is complete you can run the command
“splunk status” to see the three processes running each with their own PID.

The first thing that will happen is that you will
get a certificate error from the browser. This is caused
by Splunk using its own self signed certificate. This
can be changed but is a more advanced topic that is outside the scope of a simple
installation. Finally you will be presented with the Splunk
login page. The default account information is:


User: admin

Password: changeme


The very first thing should be to change the password
to one that meets the requirements of your organization. To
do this in the top right hand corner of the page select Admin-gt; Users.


The only use that is present is admin. On
the right side next to admin select edit.


Just change the password and select save afterwards.Then
logout and log back in with the new password.


Finally go back into the command line and enter:

splunk stop

splunk enable boot-start

splunk start


Running these commands will set Splunk up to always
start when the server is rebooted and will ensure that you maintain maximum uptime.


With that said you have a Splunk server installed. It
is still not ready for any data as we will need to perform more configurations prior
to having it ready to consume data. In the next part of
this blog I will discuss some of the considerations that must go into the deployment
strategy and how to accomplish things like distributed search amongst multiple Splunk
servers and how to deal with remote office and time zones.