How to Install Splunk on CentOS 7

Splunk is one of the most powerful tool for exploring and searching data. It is one of the easiest, faster and secured way to search, analysis, collect and visualize massive data streams in realtime from applications, webservers, databases, server platforms, Cloud networks and many more. The Splunk developers are offering Splunk software packages compatible on different platforms, we can choose the best one which suits our purpose. This software makes it simple to collect, analyze and work upon the un broached value of massive data generated by any IT enterprise, security systems or any business applications, giving you total insights to obtain the best operational performance and business results.

There are no official pre-requisites for the installations, but I recommend a proper hostname, firewall and network configuration for the server prior to the installations. This software supports only 64 bit server architecture. In this article, I'm guiding you on how to install Splunk Enterprise version on a CentOS 7 server. Let's walk through the installation steps one by one.

1. Create a Splunk User

It is always recommended to run this application as its dedicated user rather than as root. I created a user to run this application and created an application folder for the installation.

[root@server1 tmp]# groupadd splunk
[root@server1 tmp]# useradd -d /opt/splunk -m -g splunk splunk
[root@server1 tmp]# su - splunk
[splunk@server1 ~]$ id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)

Confirm the server architecture

[splunk@server1 ~]$ getconf LONG_BIT

2. Download and extract the Splunk Enterprise version

Create a Splunk account and download the Splunk software from their official website here.


Now extract the tar file and copy the files to the Splunk application folder namely /opt/splunk created.

root@server1 tmp]# tar -xvf splunk-6.4.0-f2c836328108-Linux-x86_64.tgz
[root@server1 tmp]# cp -rp splunk/* /opt/splunk/
[root@server1 tmp]# chown -R splunk: /opt/splunk/

3. Splunk Installation

Once the Splunk software is downloaded, you can login to your Splunk user and run the installation script. I choose the trial license, so it will take it by default.

root@server1 tmp]# su - splunk
Last login: Fri Apr 29 08:14:12 UTC 2016 on pts/0

[splunk@server1 ~]$ cd bin/
[splunk@server1 bin]$ ./splunk start --accept-license

This appears to be your first time running this version of Splunk.

Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
writing RSA key

Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
writing RSA key

Moving '/opt/splunk/share/splunk/search_mrsparkle/' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.

Splunk> Australian for grep.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port []: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Creating: /opt/splunk/var/lib/splunk
Creating: /opt/splunk/var/run/splunk
Creating: /opt/splunk/var/run/splunk/appserver/i18n
Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunk/var/run/splunk/upload
Creating: /opt/splunk/var/spool/splunk
Creating: /opt/splunk/var/spool/dirmoncache
Creating: /opt/splunk/var/lib/splunk/authDb
Creating: /opt/splunk/var/lib/splunk/hashDb
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _thefishbucket history main summary
New certs have been generated in '/opt/splunk/etc/auth'.
Checking filesystem compatibility... Done
Checking conf files for problems...
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-6.4.0-f2c836328108-linux-2.6-x86_64-manifest'
All installed files intact.
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Generating a 1024 bit RSA private key
writing new private key to 'privKeySecure.pem'
Signature ok
Getting CA Private Key
writing RSA key
[ OK ]

Waiting for web server at to be available.... Done
If you get stuck, we're here to help.
Look for answers here:

The Splunk web interface is at

Now you can access your Splunk Web interface at http://IP:8000/ or http://hostname:8000. You need to make sure this port 8000 is open in your server firewall.

4. Configuring Splunk Web Interface

I've completed with my installation and I've my Splunk Service up & running in my server. Now I need to set-up my Splunk Web interface. I accessed my Splunk web interface and set my administrator password.


First time when you're accessing the Splunk interface, you can use the user/password provided in the page which is admin/changeme in this case. Once logged in, on the very next page it will ask to change and confirm your new password.


Now, you've set your admin password. Once you log in with the new password, you will have your Splunk Dashboard ready to use.


There are different categories listed over in the home page. You can choose the required one and start splunking.

6. Adding a task

I'm adding an example for a simple task which is been added to the Splunk system. Just see my snapshots to understand how I added it. My task is to add /var/log folder to the Splunk system for monitoring.

  1. Open up the Splunk Web interface. Click on the Settings Tab >> Choose the Add Data option
add data

2. The Add Data Tab opens up with three options: Upload, Monitor and Forward. Here our task is to monitor a folder, so we go ahead with Monitor.


In the Monitor option, there are four categories as below:

File & Directories : To monitor files/folders

HTTP Event Collector : Monitor data streams over HTTP

TCP/UDP : Monitor Service ports

Scripts : Monitor Scripts

3. According to our purpose, I choose the Files & Directories option.


4. Now, I'm choosing the exact folder path from the server to monitor. Once you confirm with the settings, you can click Next and Review.


5. Now you can start searching and monitoring the log file as required.


You can just see the logs been narrowed to one of my REDIS application on the server.


This is just a simple example for Splunking, you can add as many tasks to this and explore your server data. I hope this article is informative and useful for you. Thank you for reading this :) I recommend your valuable suggestions and comments on this. Now just try Splunk!!

Enjoy Splunking :)

8 Comments... add one

  1. Great article, this will be helpful for a new Splunk implementation I am working on.

    Do you have any similar write up on a recommended install of CentOS7 in preparation for Splunk? I am looking for some guidance on what type of installation I should use and how to partition my drives appropriately.

  2. Hello,

    the article was really helpful for a new Splunk implementation.

    Just one question from my side as I am using VirtualBox machine and RHEL 7.5

    When I am running following command to enable splunk service to start on boot:
    -bash-4.2$ sudo ./splunk enable boot-start -user konstantinmavrodiev

    [sudo] password for splunk:
    Sorry, try again.

    When I am prompted for password for splunk user, with pass 'splunk' system returned error.

    How can Splunk be enabled to run on start-up?


Leave a Comment