Wednesday, June 17, 2009

Splunk on Ubuntu

Splunk is a search technology that can be used to analyse enterprise data such as logs from security devices and even pcap files. I've heard a lot about it and decided to evaluate the enterprise edition.
Reading their FAQ and documentation, it is pretty obvious that Splunk is Windows centric. Installing Splunk on Ubuntu was a headache and that's why I decided to document the installation process and getting started with Splunk.

1) Download Splunk (Debian package).
2) Install Splunk in Ubuntu. Splunk will be installed and located in /opt/.
3) Create a file called "splunk.license" on your desktop*. Cut and paste your evaluation license key from Splunk's website into this file. Move the file from your desktop to /opt/splunk/etc/.
4) Start Splunk from the terminal window by entering "sudo ./opt/splunk/bin/splunk restart". Acknowledge the license agreement by entering "Y".
5) Splunk will start and can be accessed via your browser at "http://localhost:8000". The username is "admin" and initial password is "changeme".

You are good to go!!!

* Turns out that you can skip this step by downloading your splunk.license file from the Splunk website after logging to your account and accessing the licensing section.


  1. Thanks for checking out Splunk.

    The great thing about Splunk docs is you can help us to make them better! We’ve built them in Mediawiki, and Splunk users can edit the content. Check out these instructions: and feel free to make edits.

    One item to note, your step around creating the splunk.license file is not required. You can easily apply the license from the admin interface. Also if you are not interested in the enterprise features you can bypass the license step entirely.

    I also want to note that we love all operating systems! We were born in Linux -- debuted at Linux World in 2005, and most of our customers are Unix shops. Check out which allow users to get more information out of *nix specific systems/applications. We do make some Windows specific pages in the docs and have Windows only data inputs (monitoring Event Viewer and WMI), but that’s probably because Redmond doesn't want to do things the way the rest of us are doing them. ;)

    Splunk is available on a bunch of different OS, and you can find install docs here:

    Again, feel free to make edits to the wiki, and shoot an email to if you run into any issues.

  2. I was following your instructions listed on your site. After following your instructions, I noticed that I could just download the splunk.license file from your website after I had logged into my account.
    Thanks for the tips.