Splunk Basics

Introduction

Installation

LogoWhat's in this manual - Splunk Documentation
Documentation if you need it

  1. Create an account

  2. Go to downloads - Since I'm doing this on Debian, I'll get the .deb file

  3. wget the URL (or download normally) then

  4. sudo apt-get install curl (Curl is important)

  5. install it using sudo dpkg -i splunk_package_name.deb

mkdir Splunk
cd Splunk
dpkg -i splunk-9.0.4.1-419ad9369127-linux-2.6-amd64.deb 
(Reading database ... 40194 files and directories currently installed.)
Preparing to unpack splunk-9.0.4.1-419ad9369127-linux-2.6-amd64.deb ...
This looks like an upgrade of an existing Splunk Server. Attempting to stop the installed Splunk Server...
splunkd is not running.
Unpacking splunk (9.0.4.1) over (9.0.4.1) ...
Setting up splunk (9.0.4.1) ...
complete
root@IDS-SIEM:~/Splunk#

Confirm the installation using root@IDS-SIEM:~/Splunk# dpkg --status splunk

Setting Up

Now that we have Splunk installed, let's set up our credentials and take a look at the basic functionalities. To run the web server, go to /opt/splunk/bin and run ./splunk start

# Read the license agreements
# Set up admin credentials
# Open the IP in your browser

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: admin
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password: 
Please confirm new password: 

Waiting for web server at http://127.0.0.1:8000 to be available................ Done

If you get stuck, we\'re here to help.  
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://IDS-SIEM:8000

# Added an alias to my bashrc profile so I can start it with a simple command
root@IDS-SIEM:/opt/splunk/bin$ export "alias start_splunk='/opt/splunk/bin/splunk start'" >> ~/.bashrc

You can now access the web server from your device - I'll make a DNS pointer to it so I don't have to memorise the IP. 

Linux: /etc/hosts
Windows: C:\Windows\System32\drivers\etc

You should be met with this dashboard if you've followed the steps correctly.

Make sure to assign enough disk space to the container - you may need more or less depending on your traffic/activity.

Running Splunk on Reboot

If you are doing this on Proxmox, you might have a situation where you have to restart your cluster or server. To factor for this, I'll be using Cron to start up Splunk whenever the container is launched. You can also set up the containers to run when the cluster is up which will be shown below

Container > Summary > Start on Boot > Check the box

cd /opt/splunk/bin
realpath splunk
/opt/splunk/bin/splunkbash
crontab -e
# Add this to the last line
@reboot /splunk/bin/splunk start >/dev/null 2>&1
# Reboot the container to check if it works

# ALTERNATIVELY - if you aliased the command
@reboot start_splunk >/dev/null 2>&1

Spelunking with Splunk

Interface

Applications Directory

Configure or use your installed applications. We will be using this in the next chapter.

Product Tours

This is where you can go through a short tutorial on how to use Splunk, upload data, and sort out tables etc. Very useful when starting out.

Splunk Apps

This is where you can view the Splunk marketplace for applications.

Dashboard

This is where you can add important monitors that you might want to see when you start up Splunk.

Using Splunk

Loading Data

Filtering Logs

PreviousSplunkNextIntegrating Suricata with Splunk

Last updated