Installing Splunk on Hadoop

Tar file install

To install Splunk Enterprise on a Linux system, expand the tar file into an appropriate directory using the tar command:
tar xvzf splunk_package_name.tgz
The default install directory is splunk in the current working directory. To install into /opt/splunk, use the following command:
tar xvzf splunk_package_name.tgz -C /opt
Note: When you install Splunk Enterprise with a tar file:
  • Some non-GNU versions of tar might not have the -C argument available. In this case, if you want to install in /opt/splunk, either cd to /opt or place the tar file in /opt before running the tar command. This method will work for any accessible directory on your machine's filesystem.
  • Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually before installing.
  • Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

RedHat RPM install

Ensure that the desired Splunk build RPM package is available locally on the target server. Verify that the file is readable and executable by the Splunk user. If needed, change access:
chmod 744 splunk_package_name.rpm
To install the Splunk RPM in the default directory /opt/splunk:
rpm -i splunk_package_name.rpm
To install Splunk in a different directory, use the --prefix flag:
rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
Note: Installing with rpm in a non-default directory is not recommended: RPM offers no safety net at upgrade time, and if the --prefix given on upgrade does not agree with the original install directory, the upgrade will go awry.
To upgrade an existing Splunk Enterprise installation that resides in /opt/splunk using the RPM:
rpm -U splunk_package_name.rpm
Note: Upgrading with rpm upgrades the RPM package, not an arbitrary Splunk Enterprise installation. In other words, an rpm upgrade is only possible when the existing installation was itself done with rpm. There is no smooth transition from a tar install to an rpm install. This is not a Splunk issue but a fundamental packaging issue.
To upgrade an existing Splunk Enterprise installation that was done in a different directory, use the --prefix flag:
rpm -U --prefix=/opt/existing_directory splunk_package_name.rpm
Note: If you do not specify your existing directory with --prefix, rpm will install in the default location, /opt/splunk.
For example, to upgrade an existing installation where $SPLUNK_HOME=/opt/apps/splunk, enter the following:
rpm -U --prefix=/opt/apps splunk_package_name.rpm
To replace an existing Splunk Enterprise installation:
rpm -i --replacepkgs --prefix=/splunkdirectory/ splunk_package_name.rpm
If you want to automate your RPM install with kickstart, add the following to your kickstart file:
./splunk start --accept-license
./splunk enable boot-start 
Note: The second line is optional for the kickstart file.
Enable Splunk Enterprise to start at system boot by adding it to /etc/init.d/. Run this command as root or with sudo, and specify the user that Splunk Enterprise should run as:
./splunk enable boot-start -user splunkuser

Debian DEB install

To install the Splunk DEB package:
dpkg -i splunk_package_name.deb
Note: You can only install the Splunk DEB package in the default location, /opt/splunk.
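The tar, RPM and DEB sections above each carry a rule that is easy to get wrong on a real host (enough free space for the index volume, rpm -U only over an rpm install, a --prefix that must agree with the existing installation, the DEB package installing only under /opt/splunk). The following pre-install helper is an added example, not Splunk's own tooling: it detects how Splunk is currently installed under a prefix and prints the install or upgrade command that the rules allow, refusing the combinations the notes warn about. Function names, the script name and the sample package names are assumptions; PREFIX is the directory that will contain splunk, so PREFIX=/opt means $SPLUNK_HOME=/opt/splunk.

```shell
#!/bin/sh
# Hypothetical pre-install helper (added example; not Splunk's own tooling).
# It encodes the packaging caveats from the tar, RPM and DEB sections:
# the free-space check before unpacking a tarball, "rpm -U only over an rpm
# install", a --prefix that must agree with the existing install, and the
# DEB package installing only under /opt/splunk.

# Print how Splunk is installed relative to PREFIX:
# rpm (rpm-owned, at this prefix), rpm-elsewhere, deb, tar, or none.
detect_install_method() {
    prefix="$1"
    if command -v rpm >/dev/null 2>&1 && rpm -q splunk >/dev/null 2>&1; then
        # The rpm database is global; confirm the package actually owns this prefix.
        if rpm -ql splunk 2>/dev/null | grep -qx "$prefix/splunk/bin/splunk"; then
            echo rpm
        else
            echo rpm-elsewhere
        fi
    elif command -v dpkg >/dev/null 2>&1 && dpkg -s splunk >/dev/null 2>&1; then
        echo deb
    elif [ -x "$prefix/splunk/bin/splunk" ]; then
        echo tar        # a splunk binary that no package manager knows about
    else
        echo none
    fi
}

# Available kilobytes on the filesystem that holds DIR (POSIX "df -P" output).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Succeed only if DIR has at least NEED_KB kilobytes free.
has_free_space() {
    [ "$(free_kb "$1")" -ge "$2" ]
}

# Print the command that installs or upgrades package PKG under PREFIX, or
# print an error and return 1 where the rules above say it would go wrong.
# NEED_KB (optional) is the free space the uncompressed index volume needs.
plan_install() {
    pkg="$1"; prefix="$2"; need_kb="${3:-0}"
    existing=$(detect_install_method "$prefix")
    case "$pkg" in
        *.tgz|*.tar.gz)
            if ! has_free_space "$prefix" "$need_kb"; then
                echo "error: $prefix has less than $need_kb KB free" >&2
                return 1
            fi
            echo "tar xvzf $pkg -C $prefix" ;;
        *.rpm)
            case "$existing" in
                rpm)  echo "rpm -U --prefix=$prefix $pkg" ;;
                none) echo "rpm -i --prefix=$prefix $pkg" ;;
                tar)  echo "error: $prefix/splunk is a tar install; rpm -U cannot upgrade it" >&2
                      return 1 ;;
                *)    echo "error: splunk is already installed by a package manager ($existing)" >&2
                      return 1 ;;
            esac ;;
        *.deb)
            if [ "$prefix" != /opt ]; then
                echo "error: the DEB package installs only under /opt/splunk" >&2
                return 1
            fi
            echo "dpkg -i $pkg" ;;
        *)
            echo "error: unrecognised package type: $pkg" >&2
            return 1 ;;
    esac
}

# Usage: sh splunk_preflight.sh PACKAGE PREFIX [NEED_KB]
if [ $# -ge 2 ]; then
    plan_install "$@"
fi
```

The helper only prints the command; review it, then run it as root (or with sudo) for the RPM and DEB cases. The tar case is checked against the free space on the prefix filesystem because, unlike a package manager, tar will happily unpack into a partition that cannot hold the indexed data you plan to keep.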


What gets installed

Splunk package status:
dpkg --status splunk
List all packages:
dpkg --list

Start Splunk

Splunk Enterprise can run as any user on the local system. If you run it as a non-root user, make sure that it has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk Enterprise as a non-root user for more information.
To start Splunk Enterprise from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):
 ./splunk start
By convention, this document uses:
  • $SPLUNK_HOME to identify the path to your Splunk Enterprise installation.
  • $SPLUNK_HOME/bin/ to indicate the location of the command line interface.
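The section above says that a non-root Splunk user must be able to read the inputs you configure, but nothing on the page checks that before the first start. The following script is an added example, not part of Splunk: run as the account Splunk Enterprise will run under, it parses the [monitor://<path>] stanzas of an inputs.conf, skips disabled ones, and lists every path that account cannot read, so a missing permission surfaces before ./splunk start rather than as a silently empty index. The function names are assumptions; the stanza syntax is Splunk's own inputs.conf monitor form, and wildcard stanzas are checked at their deepest literal directory.

```shell
#!/bin/sh
# Hypothetical pre-start check (added example, not part of Splunk).
# Run it as the Splunk user against $SPLUNK_HOME/etc/system/local/inputs.conf
# (or an app's inputs.conf) to find monitored paths that user cannot read.

# Print the path of every enabled [monitor://<path>] stanza in CONF, one per
# line. A stanza containing "disabled = 1" or "disabled = true" is skipped.
monitor_paths() {
    awk '
        function flush() { if (path != "") print path }
        /^\[monitor:\/\// {
            flush()
            path = $0
            sub(/^\[monitor:\/\//, "", path)
            sub(/\]$/, "", path)
            next
        }
        /^\[/ { flush(); path = ""; next }          # any other stanza type
        path != "" && /^[ \t]*disabled[ \t]*=[ \t]*(1|true)/ { path = "" }
        END { flush() }
    ' "$1"
}

# Print each monitored path from CONF that the current account cannot read.
# Directories need both read and search (x) permission; wildcard stanzas
# (containing * or ...) are checked at their deepest literal directory.
unreadable_inputs() {
    monitor_paths "$1" | while IFS= read -r p; do
        case "$p" in
            *\**|*...*)
                q=${p%%\**}; q=${q%%...*}; q=${q%/}
                [ -d "$q" ] || q=$(dirname "$q")
                [ -r "$q" ] && [ -x "$q" ] || echo "$p" ;;
            *)
                if [ -d "$p" ]; then
                    [ -r "$p" ] && [ -x "$p" ] || echo "$p"
                elif [ ! -r "$p" ]; then
                    echo "$p"
                fi ;;
        esac
    done
}

# Usage: sh check_inputs.sh /opt/splunk/etc/system/local/inputs.conf
if [ $# -ge 1 ]; then
    unreadable_inputs "$1"
fi
```

An empty result means every enabled monitor input is readable by the account you ran the script as; anything printed is a path to fix with group membership or chmod before starting Splunk as that user. Note that root reads everything, so the check is only meaningful when run as the intended non-root Splunk user.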

Startup options

The first time you start Splunk Enterprise after a new installation, you must accept the license agreement. To start Splunk Enterprise and accept the license in one step:
 $SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the accept-license option.

Launch Splunk Web and log in

After you start Splunk Enterprise and accept the license agreement,
1. In a browser window, access Splunk Web at http://<hostname>:port.
  • hostname is the host machine.
  • port is the port you specified during the installation (the default port is 8000).
Note: Use http:// the first time you access Splunk Web.
2. Splunk Web prompts you for login information (the default username is admin and the default password is changeme) before it launches. If you switch to Splunk Free, you will bypass this login page in future sessions.

How do I switch to Splunk Free?

If you currently have Splunk Enterprise (trial or not), you can either wait for your Enterprise license to expire, or switch to a Free license at any time. To switch to a Free License:
1. Log in to Splunk Web as a user with admin privileges and navigate to Settings > Licensing.
2. Click Change license group at the top of the page.
3. Select Free license and click Save.
4. You are prompted to restart.
