Deployment Architecture

What is the easiest method of starting a new Splunk environment?

GIPO29
Path Finder

What is the easiest method of starting a new Splunk environment? I was suggested to create a virtual machine with my choice of Linux OS, but the installation of Splunk in any Linux suite has been a nightmare. Is there any way to simply create a new instance within my already existing Splunk windows suite?

0 Karma
1 Solution

GIPO29
Path Finder

Thanks, Friends!! I managed to get Splunk running on my VM Linux (Ubuntu). Now ready to tinker! 🙂

Steps I took to install:

- Downloaded the Splunk .deb

Once downloaded, run: sudo dpkg -i Downloads/"ENTER SPLUNK FILE NAME".deb
For the first start-up, run: /opt/splunk/bin/splunk start
You'll get prompted to agree to the terms and set the admin password.

- Once you've set everything up:

To start, run: sudo /opt/splunk/bin/splunk start
Wait for the output: The Splunk web interface is at http://"YOURUSERNAME":8000
Go to that address and get to Splunking!

Hope this helps anyone who was having trouble with the regular Docs instructions like me.


0 Karma
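
The install steps above, as an added example that is not part of the original post: the same dpkg install and first start made non-interactive, plus two things the thread skips that a defender would want, checking the package's SHA512 against the digest on the download page before `dpkg -i`, and running splunkd as a dedicated `splunk` user instead of root. It assumes Splunk installs to /opt/splunk and that the script is run via sudo.

```shell
#!/bin/sh
# Added example, not from the thread: the solution's dpkg install and first
# start made non-interactive, plus two steps the thread skips: verify the
# package's SHA512 before installing, and run splunkd as a dedicated
# "splunk" user rather than root. Assumes /opt/splunk and a root shell.
set -eu

# Compare the file's SHA512 with the expected lowercase hex digest (copied
# from the download page). Non-zero on mismatch, so a bad download is never
# handed to dpkg.
verify_sha512() {   # path/to/file expected_hex
  actual=$(sha512sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Seed the admin credential from a file instead of typing it at the
# first-start prompt. Splunk reads user-seed.conf on first start and then
# removes it; keep it owner-readable only until then.
write_user_seed() {   # splunk_home password
  mkdir -p "$1/etc/system/local"
  printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$2" \
    > "$1/etc/system/local/user-seed.conf"
  chmod 600 "$1/etc/system/local/user-seed.conf"
}

install_and_start() {   # path/to/splunk.deb expected_sha512 admin_password
  verify_sha512 "$1" "$2" || { echo "SHA512 mismatch, not installing" >&2; return 1; }
  dpkg -i "$1"
  # Dedicated service account (skipped if the package already created one).
  id splunk >/dev/null 2>&1 || useradd -r -d /opt/splunk -s /bin/bash splunk
  write_user_seed /opt/splunk "$3"
  chown -R splunk:splunk /opt/splunk
  # First start as the splunk user, not root: accept the license
  # non-interactively; the seeded admin account is created at this point.
  # The web UI is then at http://<hostname>:8000.
  su -s /bin/sh splunk -c \
    '/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt'
}

# Usage (as root): sh install_splunk.sh --install ~/Downloads/splunk-*.deb <sha512> '<password>'
if [ "${1-}" = "--install" ]; then
  install_and_start "$2" "$3" "$4"
fi
```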


skoelpin
SplunkTrust

MuS
Legend

Just my 2 cents on this: if you think installation of Splunk on *nix is a nightmare, you will soon realise that running Splunk on Windows is the much bigger nightmare. The reasons for this can be found in the answer above ^^^ 😉

cheers, MuS

GIPO29
Path Finder

@MuS after much reading, I came across this as well and will be going forward with the suggested Linux hosting alternative. Thanks for your input!

0 Karma

GIPO29
Path Finder

Thank you @skoelpin!

0 Karma

richgalloway
SplunkTrust

Running multiple instances of Splunk on a server can be more of a nightmare than learning Linux.
Installing Splunk on a Linux system is usually quite simple. Do you have specific questions about installing Splunk on Linux?

---
If this reply helps you, Karma would be appreciated.

GIPO29
Path Finder

For reasons beyond me, the same commands I used yesterday worked today. Possibly I got file locations mixed up or made slight typos in the terminal. Either way, I now have it up and running! Thank you for the offer to help. It is very much appreciated. 🙂

0 Karma

jkat54
SplunkTrust

I agree with Rich. I think it’s probably easier to spin up an AWS or Azure Linux server, log in and install as per the docs:

http://docs.splunk.com/Documentation/Splunk/7.1.2/Installation/InstallonLinux

In Azure there is a marketplace Splunk offering that sets up an entire cluster.

In AWS there's the same thing using CloudFormation templates. I wouldn't say the AWS approach is the easiest.

So I'd go with the Azure Splunk offering found here if I just wanted simplicity:

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/splunk.splunk-enterprise

GIPO29
Path Finder

Thank you both for the advice! I will give it another shot, as this is the recurring suggestion for beginners like myself. Out of curiosity though, how does this work in a professional setting? Let's say you are a contracted Data Analyst who does reporting on a per-basis workflow, constantly working with new companies and new data. Does one constantly clear their Splunk, create new indexes for each company worked with, etc.? I know this is somewhat of an advanced question above my current knowledge base; I'm just very curious about how this is done in practice.

Thank you!

0 Karma

DalJeanis
Legend

@GIPO29 - that's dependent on various things, most especially what you mean by "reporting on a per-basis workflow."

If you mean that a company gives you access to certain data, you ingest, process and analyze it, and then give them reports and recommendations once, then thereafter have no need of the data, then you just create a new index for each company's data and drop the index (or set the data to quickly age and migrate to cold).

On the other hand, if you will have ongoing responsibilities, and if there is a chance you may need to give the client access to look at their data in your Splunk instance, then you will want to consider creating a Splunk instance specific to that customer.

Either way, you will create and centralize all your reporting and your specialized ingestion routines in one or more apps specific to that client, and use a naming convention so that you always can find it again.

If you want to chat about this further, then join the Splunk Slack channel, and open a conversation in #general for suggestions.
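
The per-client layout described in this answer, as an added example that is not part of the original post: a script that scaffolds one index per client (aged out by a retention period rather than hand-deleted), a role that can search only that index for the case where the client gets a login, and an app whose knowledge objects only that role and admin can read, all under one naming convention. The names client_<slug> and client_<slug>_viewer are hypothetical, chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: scaffold the per-client layout the
# answer describes (index per client, client-specific app, naming convention).
# Hypothetical names: app/index "client_<slug>", role "client_<slug>_viewer".
set -eu

# Company name -> safe slug: index names must be lowercase and may not start
# with "_" or "-".
client_slug() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cs 'a-z0-9' '_' | sed 's/^[_-]*//; s/_*$//'
}

# One index per client; data older than retention_days is frozen (deleted by
# default), so a one-off engagement ages out without touching anyone else.
write_index_stanza() {   # app_dir slug retention_days
  mkdir -p "$1/local"
  cat >> "$1/local/indexes.conf" <<EOF
[client_${2}]
homePath = \$SPLUNK_DB/client_${2}/db
coldPath = \$SPLUNK_DB/client_${2}/colddb
thawedPath = \$SPLUNK_DB/client_${2}/thaweddb
frozenTimePeriodInSecs = $(( $3 * 86400 ))
EOF
}

# A role that can search only this client's index, for the case where the
# client is given a login to look at their own data.
write_role_stanza() {   # app_dir slug
  mkdir -p "$1/local"
  cat >> "$1/local/authorize.conf" <<EOF
[role_client_${2}_viewer]
importRoles = user
srchIndexesAllowed = client_${2}
srchIndexesDefault = client_${2}
EOF
}

# App-level ACL: only admin and the client role can read the app's searches
# and reports; export = none keeps them out of every other app's scope.
write_app_meta() {   # app_dir slug
  mkdir -p "$1/metadata"
  printf '[]\naccess = read : [ admin, client_%s_viewer ], write : [ admin ]\nexport = none\n' \
    "$2" > "$1/metadata/local.meta"
}

scaffold_client_app() {   # company_name retention_days [splunk_home=/opt/splunk]
  slug=$(client_slug "$1"); app_dir="${3:-/opt/splunk}/etc/apps/client_${slug}"
  write_index_stanza "$app_dir" "$slug" "$2"
  write_role_stanza "$app_dir" "$slug"
  write_app_meta "$app_dir" "$slug"
  printf '%s\n' "$app_dir"   # e.g. /opt/splunk/etc/apps/client_acme_corp
}
```

The new role still has to be assigned to the client's user, and splunkd must be restarted to pick up the new indexes.conf and authorize.conf stanzas.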

GIPO29
Path Finder

@DalJeanis Thank you for the insightful answer, Dal! That definitely covers some of my major curiosities. The Slack chat is great, although not always as responsive or interactive as one would like.

0 Karma