Install Splunk Enterprise on EC2 (Linux) Automation from user data shell


I am looking to fix my batch script:
download Splunk package, create a new user, install, set up password for Splunk, accept license

However, it is failing at the accept license and splunk edit lines.

The code is below:

# This version uses splunker as user
# enterpriselist should contain the list of the two indexers
# student@ student@
# Note: the download URL and the INSTALL_FILE, SPLUNK_USER, PASSWORD, HOSTS_FILE
# and REMOTE_SCRIPT assignments are not shown in the post.
WGET_CMD="wget -O splunk-6.4.2-00f5bb3fa822-Linux-x86_64.tgz"

cd /opt
sudo $WGET_CMD
sudo tar -xvzf "$INSTALL_FILE"
sudo chown -R "$SPLUNK_USER:$SPLUNK_USER" /opt/splunk
# First start: accept the license non-interactively
sudo -u "$SPLUNK_USER" /opt/splunk/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
# Change the admin password from the default credential
sudo -u "$SPLUNK_USER" /opt/splunk/bin/splunk edit user admin -password "$PASSWORD" -auth admin:changeme
sudo -u "$SPLUNK_USER" /opt/splunk/bin/splunk restart
sudo /opt/splunk/bin/splunk enable boot-start -user "$SPLUNK_USER"
echo "In 5 seconds, will run the following script on each remote host:"
echo "===================="
echo "===================="
sleep 5
echo "Reading host logins from $HOSTS_FILE"
echo "Starting."
for DST in `cat "$HOSTS_FILE"`; do
    # Skip empty entries
    if [ -z "$DST" ]; then
        continue
    fi
    echo "---------------------------"
    echo "Installing to $DST"
    sudo ssh -t "$DST" "$REMOTE_SCRIPT"
done
echo "---------------------------"
echo "Done"


0 Karma


I did not have an issue running your script with a few modifications.
You are downloading 6.4.2 and your install file is labeled 7.2.6. This may be your issue if that is in fact the exact script you're running. However, I do not think you would make it past the tar command if that were the case.

There was no accepting license issue that I ran into.
I tested this on 6.4.2 and 7.2.6 without issue.

My testing was two AWS Amazon Linux boxes that I set up root ssh keys with, since you're running sudo ssh at the bottom.
I created the student account as well and file permissions looked fine.


Hello Som,

I pasted the wrong line for the download. Yes, I was able to download and install Splunk Ent.
Did the edit password work for you?


0 Karma


The password in the 6.4.2 version did work.
I did notice that the password did not update for 7.2.6, however.

I know Splunk changed from admin:changeme to having your admin password created when Splunk is installed. I forget which version, but it is that way in 7.x.

So I am thinking if you had written this script for 6.x, it will not work the same in 7.x.

Here is the documentation for 7.2.6 which is not using the ./splunk edit user command any longer:

And you can see in Splunk 6.4.2 it still was:

I would work towards adopting the new method if you are planning on using 7.x going forward.

It is getting a little late for me to spin up my AWS again, but if you are still stuck by tomorrow I could probably do that and run the commands in the 7.2.6 version to see exactly how to update it.
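
The version difference discussed in the answer above, as an added example that is not part of the original thread or anyone's posted script: it picks the admin-credential step by Splunk version and, for newer releases, seeds the password from stdin into a file only its owner can read. Assumptions: the cut-over is Splunk 7.1, which reads `etc/system/local/user-seed.conf` on first start; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): choose the admin-credential step by version.
# Assumption: Splunk 7.1+ has no admin:changeme default and reads
# etc/system/local/user-seed.conf on first start; older releases use "edit user".

# Exit 0 for 7.1 or later, 1 for older, 2 for an unparseable version string.
uses_user_seed() {
    case $1 in
        [0-9]*.[0-9]*) ;;
        *) echo "unrecognised version: $1" >&2; return 2 ;;
    esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 1 ]; }
}

# Read the password from stdin (keeps it out of argv and the process list) and
# write the seed file readable by its owner only. Call before the first start
# and before the script's chown -R, so the Splunk user ends up owning it.
write_user_seed() {
    IFS= read -r seed_pw || true
    # Assumption: the default 7.1+ password policy requires 8 characters.
    if [ "${#seed_pw}" -lt 8 ]; then
        echo "password must be at least 8 characters" >&2
        return 1
    fi
    seed_conf="$1/etc/system/local/user-seed.conf"
    mkdir -p "${seed_conf%/*}"
    ( umask 077
      printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$seed_pw" > "$seed_conf" )
    chmod 600 "$seed_conf"   # also tightens a pre-existing file
    unset seed_pw
}

# Usage: prepare_admin_credential VERSION SPLUNK_HOME < password-source
# Prints "seed" when the file was written, "edit-user" when the caller still
# has to run the 6.x-style "splunk edit user admin ..." after the first start.
prepare_admin_credential() {
    rc=0
    uses_user_seed "$1" || rc=$?
    case $rc in
        0) write_user_seed "$2" && echo seed ;;
        1) echo edit-user ;;
        *) return 2 ;;
    esac
}
```

The seed file only takes effect on an instance that has no `etc/passwd` yet, so it has to be in place before the first `splunk start --accept-license`.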


Thanks and appreciate all your help

0 Karma

Esteemed Legend

You can get more detail by running it as bash -x


What error message do you get?

If this reply helps you, an upvote would be appreciated.