Setting up AWS
I hope you did your homework on the basics of AWS as I will not be walking you through the entire setup or provisioning of your instances. I will provide the requirements needed for the software to run and the recommended security group settings. If you need additional help on using AWS, I recommend visiting free training provided by Amazon.
Create a VPC
Your instances run in a private, isolated section of the AWS cloud with direct access to the Internet. Network access control lists and security groups can be used to provide strict control over inbound and outbound network traffic to your instances. I recommend using the following private address ranges.
Create two subnets, one for Splunk and one for the application servers (the systems that send data to Splunk):
- 10.0.0.0/24 will allocate 251 IP addresses
- 10.0.1.0/24 will allocate 251 IP addresses (AWS reserves five addresses in each subnet)
The following requirements are not set by Splunk. I chose these configurations based on what will work for a minimal, non-data-intensive learning environment. If you are looking to provision a real enterprise environment, I encourage you to visit the official Splunk documentation.
Make sure to assign an Elastic IP address to each instance (this is considered bad practice, so only do it for training purposes).
Create 4 Security Groups
|Name|Allow All|Allow 10.0.0.0/16|Allow 'My IP'|
|---|---|---|---|
|SH-SG|443|8065, 8089, 8191, 9887|22, 8000|
|IDX-SG||514, 8065, 8089, 9887, 9997|22, 8000|
|Hack Me|All TCP/UDP|||
Provision the Following Instances
|Instance|OS|vCPU|Memory|Storage|Security Group|
|---|---|---|---|---|---|
|Splunk Search Head|Ubuntu|1 vCPU + 1 per user|2GB/4GB|8GB/32GB|SH-SG|
|Splunk Indexer|Ubuntu|2 vCPU/4 vCPU|4GB/8GB|64GB/128GB||
|Splunk Deployment Server|Ubuntu|1 vCPU|1GB/2GB|8GB/16GB|DS-SG|
|Application Servers|Windows/Linux|1 vCPU|1GB/2GB|30GB|Hack Me|
You can provision as many or as few application servers as you wish.
I've added more rules than are required for this tutorial.
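As an added example (not part of the original tutorial), the script below creates the VPC, the two subnets and the SH-SG and IDX-SG groups from the tables above with the AWS CLI. It assumes a VPC range of 10.0.0.0/16 (the page only implies this through the "Allow 10.0.0.0/16" column), a configured AWS CLI, and that "My IP" is the address checkip.amazonaws.com reports for the machine you run it from. DS-SG is not in the table, so it is not created, and the deliberately wide-open Hack Me group is left for you to create by hand. The rules are kept as data so you can list what each group exposes to the Internet before anything is applied.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: create the lab VPC, its two
# subnets and the SH-SG / IDX-SG security groups with the AWS CLI.
# Assumptions: VPC range 10.0.0.0/16 (implied by the "Allow 10.0.0.0/16"
# column), a configured AWS CLI, and "My IP" = what checkip.amazonaws.com
# reports for this machine. The wide-open "Hack Me" group is not created.
set -eu

VPC_CIDR="10.0.0.0/16"        # assumed VPC range
SPLUNK_SUBNET="10.0.0.0/24"   # Splunk subnet from the page
APP_SUBNET="10.0.1.0/24"      # application-server subnet from the page

# Rule table as data, one line per rule: "<group> <proto> <port> <source>".
# "MYIP" is swapped for the caller's public /32 when the rules are applied.
# Port 514 is opened on TCP here; add a udp line if you send UDP syslog.
sg_rules() {
  case "$1" in
    SH-SG)
      printf '%s\n' \
        "SH-SG tcp 443 0.0.0.0/0" \
        "SH-SG tcp 8065 $VPC_CIDR" \
        "SH-SG tcp 8089 $VPC_CIDR" \
        "SH-SG tcp 8191 $VPC_CIDR" \
        "SH-SG tcp 9887 $VPC_CIDR" \
        "SH-SG tcp 22 MYIP" \
        "SH-SG tcp 8000 MYIP" ;;
    IDX-SG)
      printf '%s\n' \
        "IDX-SG tcp 514 $VPC_CIDR" \
        "IDX-SG tcp 8065 $VPC_CIDR" \
        "IDX-SG tcp 8089 $VPC_CIDR" \
        "IDX-SG tcp 9887 $VPC_CIDR" \
        "IDX-SG tcp 9997 $VPC_CIDR" \
        "IDX-SG tcp 22 MYIP" \
        "IDX-SG tcp 8000 MYIP" ;;
    *) echo "unknown group: $1" >&2; return 1 ;;
  esac
}

# How many rules a group defines.
rule_count() { sg_rules "$1" | grep -c . ; }

# Ports a group exposes to the whole Internet. Check this before applying:
# for this lab only SH-SG should print anything, and only 443.
world_open_ports() { sg_rules "$1" | awk '$4 == "0.0.0.0/0" { print $3 }' ; }

# Create the VPC and both subnets; prints the new VPC id.
create_network() {
  vpc_id=$(aws ec2 create-vpc --cidr-block "$VPC_CIDR" \
             --query Vpc.VpcId --output text)
  aws ec2 create-subnet --vpc-id "$vpc_id" --cidr-block "$SPLUNK_SUBNET" >/dev/null
  aws ec2 create-subnet --vpc-id "$vpc_id" --cidr-block "$APP_SUBNET" >/dev/null
  echo "$vpc_id"
}

# apply_group <vpc-id> <group>: create the group and add its ingress rules.
apply_group() {
  vpc_id="$1"; group="$2"
  my_ip="$(curl -fsS https://checkip.amazonaws.com)/32"
  gid=$(aws ec2 create-security-group --group-name "$group" \
          --description "Splunk lab $group" --vpc-id "$vpc_id" \
          --query GroupId --output text)
  sg_rules "$group" | while read -r grp proto port src; do
    if [ "$src" = "MYIP" ]; then src="$my_ip"; fi
    aws ec2 authorize-security-group-ingress --group-id "$gid" \
      --protocol "$proto" --port "$port" --cidr "$src"
  done
}

# Usage: ./splunk_lab_network.sh apply
if [ "${1:-}" = "apply" ]; then
  vpc_id=$(create_network)
  for g in SH-SG IDX-SG; do apply_group "$vpc_id" "$g"; done
fi
```

Run `world_open_ports SH-SG` and `world_open_ports IDX-SG` before `apply`; the only line you should see is 443 for the search head. Everything else (22, 8000, the management and replication ports) stays on your own address or inside the VPC, which is the point of the table.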
This step requires a Splunk account, so please create one if you haven't already done so. Throughout this tutorial, I will be using the wget command to download the correct Splunk package for each instance. After logging into Splunk, visit the Splunk download page to get started. You will need the Splunk Enterprise and Universal Forwarder packages for each desired operating system. I have provided screenshots on how to get the wget link.
At the download homepage click on Download Free 60-Day Trial.
In this tutorial, we are using Ubuntu, a Linux-based operating system, for our Enterprise instances. Click on Linux and download the
The download will start automatically; you should also see a USEFUL TOOLS option. Click the Command Line (wget) option and copy the link to WordPad or another text editor for later use.
Download Splunk Universal Forwarder
The previous steps apply for the Universal Forwarder as well, but you will need to repeat this process for both the Linux and Windows versions.
It's highly recommended that you update and upgrade your machines before installing Splunk.
It will be assumed you know how to connect to your instance using either an SSH client or Amazon's web console. Make sure you allocate a public IP address for easy connection. Also, make sure that the security group is configured to allow only your IP address to connect via SSH.
Splunk Enterprise Installation
Splunk Enterprise will need to be installed on every instance except for systems that require a Light or Universal Forwarder. Install the enterprise package on all other systems, including those needing a Heavy Forwarder.
Repeat the above steps for every instance
Splunk Universal Forwarder Installation
Steps are very similar to that of the Enterprise package.
Repeat for each (nix) instance needing a Splunk Forwarder.
Installing a forwarder on Windows is done using the install wizard.
- Select the advanced option when installing.
- When asked to provide a deployment server and indexer, provide the private IP address and use the default port numbers.
- When asked which data you would like to monitor, select the sources you find interesting.
- I suggest following the documentation if you need additional help.
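The Linux side of both installs, Splunk Enterprise (Search Head, Indexer, Deployment Server) and the Universal Forwarder, as an added example that is not part of the original tutorial. It assumes the package URL is the wget link you copied earlier (the script only carries a placeholder), that the .deb packages create a service account whose name you check with `id splunk` or `id splunkfwd` and pass in SPLUNK_USER, and that the deployment server and indexer are reached by their private IPs on the default ports 8089 and 9997. With DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: install Splunk Enterprise or
# the Universal Forwarder on an Ubuntu instance and point the forwarder at the
# deployment server (8089) and indexer (9997) by private IP.
# Assumptions: the package URL is the wget link copied earlier (placeholder
# only, no real URL here); the .deb packages create a service account whose
# name you check with `id splunk` / `id splunkfwd` and put in SPLUNK_USER.
# Set DRY_RUN=1 to print the commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-0}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# run <cmd...>: execute the command, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# install_enterprise <package-url> <admin-password>
# Same steps for the Search Head, Indexer and Deployment Server.
install_enterprise() {
  pkg_url="$1"; admin_pw="$2"
  run wget -O /tmp/splunk.deb "$pkg_url"
  run sudo dpkg -i /tmp/splunk.deb
  # First start: accept the licence non-interactively and seed the admin
  # password so the instance never sits on default credentials.
  run sudo -u "$SPLUNK_USER" /opt/splunk/bin/splunk start \
    --accept-license --answer-yes --no-prompt --seed-passwd "$admin_pw"
  # Start on boot as the unprivileged service account, not as root.
  run sudo /opt/splunk/bin/splunk enable boot-start -user "$SPLUNK_USER"
}

# install_forwarder <package-url> <ds-ip> <idx-ip> <admin-password>
# ds-ip / idx-ip are private addresses; 8089 and 9997 are never public.
install_forwarder() {
  pkg_url="$1"; ds_ip="$2"; idx_ip="$3"; admin_pw="$4"
  run wget -O /tmp/splunkforwarder.deb "$pkg_url"
  run sudo dpkg -i /tmp/splunkforwarder.deb
  run sudo -u "$SPLUNK_USER" /opt/splunkforwarder/bin/splunk start \
    --accept-license --answer-yes --no-prompt --seed-passwd "$admin_pw"
  run sudo -u "$SPLUNK_USER" /opt/splunkforwarder/bin/splunk set deploy-poll \
    "$ds_ip:8089" -auth "admin:$admin_pw"
  run sudo -u "$SPLUNK_USER" /opt/splunkforwarder/bin/splunk add forward-server \
    "$idx_ip:9997" -auth "admin:$admin_pw"
  run sudo -u "$SPLUNK_USER" /opt/splunkforwarder/bin/splunk restart
  run sudo /opt/splunkforwarder/bin/splunk enable boot-start -user "$SPLUNK_USER"
}

# verify_forwarder: confirm the forwarder knows its indexer and deployment server.
verify_forwarder() {
  run sudo -u "$SPLUNK_USER" /opt/splunkforwarder/bin/splunk list forward-server
  run sudo -u "$SPLUNK_USER" /opt/splunkforwarder/bin/splunk show deploy-poll
}

# Usage:
#   ./splunk_install.sh enterprise <package-url> <admin-password>
#   ./splunk_install.sh forwarder  <package-url> <ds-ip> <idx-ip> <admin-password>
case "${1:-}" in
  enterprise) install_enterprise "$2" "$3" ;;
  forwarder)  install_forwarder "$2" "$3" "$4" "$5"; verify_forwarder ;;
esac
```

The two choices worth keeping when you adapt this: the first start seeds the admin password instead of leaving the default in place, and boot-start is enabled for the service account rather than root, so a compromised forwarder on an application server does not hand out root on that host.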
At this point in the series you should have installed the following components: Search Head, Indexer, Deployment Server/License Manager, and two Universal Forwarders.
To verify your work, log in to Splunk Web by pasting the public IP address into the browser, including the port number: http://$ip_address:8000. If you see the homepage and are able to log in, that is as far as you need to go for now.
The next step is configuring Splunk.
See: Configuring Splunk