Splunk Tutorial: Install & Configure Splunk Server (Indexer + Search Head + Universal forwarder)

Upgrade & Secure Your Future with DevOps, SRE, DevSecOps, MLOps!

We spend hours scrolling social media and waste money on things we forget, but won’t spend 30 minutes a day earning certifications that can change our lives.
Master in DevOps, SRE, DevSecOps & MLOps by DevOpsSchool!

Learn from Guru Rajesh Kumar and double your salary in just one year.

Setup Splunk(Indexer + Search Head) [LICENSE SERVER ]
========================================================
$ sudo-s
$ cd /opt
$ wget -O splunk-8.0.4.1-ab7a85abaa98-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.4.1&product=splunk&filename=splunk-8.0.4.1-ab7a85abaa98-Linux-x86_64.tgz&wget=true'
$ tar -zxvf splunk-8.0.4.1-ab7a85abaa98-Linux-x86_64.tgz
$ cd splunk
$ cd bin
$ ./splunk start --accept-license 
http://15.206.149.89:8000/
admin/admin123

--------------
1. Settings => Monitoring console => Setting => Forwarder Monitoring Setup => Forwarder Monitoring (ENABLE with 15 mins)
2. Settings => Forwarding and Recieving => Receive data => Add New ==> Listen on this port (For example, 9997 will receive data on TCP port 9997)
3. Restart a Splunk Instance
Settings => Server Controls => Restart Splunk

Setup universal forwarder
========================================================
$ sudo-s
$ cd /opt
$ wget -O splunkforwarder-8.0.4-767223ac207f-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.4&product=universalforwarder&filename=splunkforwarder-8.0.4-767223ac207f-Linux-x86_64.tgz&wget=true'
$ tar -zxvf splunkforwarder-8.0.4-767223ac207f-Linux-x86_64.tgz
$ cd splunkforwarder

# Create this file with some STRUCTURED Content
vi /opt/unitest.csv

name,age,city,skill
devopsschool1,22,hyd1,devops1
devopsschool2,23,hyd2,devops2
devopsschool3,24,hyd3,devops3
devopsschool4,25,hyd4,devops4

Setting up output.conf
$ ./bin/splunk add forward-server 15.206.149.89:9997 --accept-license 
$ ./bin/splunk list forward-server

Setting up input.conf
$ ./bin/splunk list monitor 
$ ./bin/splunk add monitor /opt/unitest.csv
$ ./bin/splunk add monitor /var/log
$ ./bin/splunk list forward-server


$ ./bin/splunk restart
$ ps -eaf | grep splunk
$ ./bin/splunk list forward-server
Code language: PHP (php)

Rajesh Kumar

I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.

Do you want to learn Quantum Computing?

Please find my social handles as below;

Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND

Certification Courses

DevOpsSchool has introduced a series of professional certification courses designed to enhance your skills and expertise in cutting-edge technologies and methodologies. Whether you are aiming to excel in development, security, or operations, these certifications provide a comprehensive learning experience. Explore the following programs: