Each instance of Splunk that does any indexing must have its own license.

To use the forwarder license:
1. Stop Splunk: ./splunk stop
2. Copy $SPLUNK_HOME/etc/splunk-forwarder.license to $SPLUNK_HOME/etc/splunk.license
3. Start Splunk: ./splunk start
This license does not limit how much data you can forward from that machine.

To install or update your license using the CLI:
1. Create a new file named splunk.license.
2. Copy your new license key and paste it into splunk.license.
3. Move your license file, splunk.license, into the $SPLUNK_HOME/etc/ directory: mv splunk.license $SPLUNK_HOME/etc/

The following features that are available with the Enterprise license are disabled:
- Multiple user accounts and role-based access controls
- Distributed search
- Forwarding in TCP/HTTP formats (you can forward data to other Splunk instances, but not to non-Splunk instances)
- Deployment management (including for clients)
- Scheduled saved searches (including summary indexing) and alerting/monitoring

To set the datastore directory: splunk set datastore-dir /var/splunk/
Open a Web browser and navigate to http://localhost:8000

To change the Splunk Web service port, from the %SPLUNK_HOME%\bin directory: splunk set web-port ####
To change the splunkd port, from the %SPLUNK_HOME%\bin directory: splunk set splunkd-port ####

Install on Linux
To install the Splunk RPM in the default directory /opt/splunk: rpm -i splunk_package_name.rpm
To install Splunk in a different directory, use the --prefix flag: rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
To upgrade an existing Splunk installation using the RPM: rpm -U splunk_package_name.rpm
To upgrade an existing Splunk installation that was done in a different directory, use the --prefix flag: rpm -U --prefix=/opt/new_directory splunk_package_name.rpm
If you want to automate your RPM install with kickstart, add the following to your kickstart file:
./splunk start --accept-license
./splunk enable boot-start
Note: The second line is optional for the kickstart file.

Debian DEB install
To install the Splunk DEB package: dpkg -i splunk_package_name.deb
To uninstall from RedHat Linux: rpm -e splunk_product_name
To uninstall from Debian Linux: dpkg -r splunk
To install the Splunk package with pkgadd: pkgadd -d ./splunk_product_name.pkg
To install with pkgadd non-interactively: pkgadd -n -d ./splunk_product_name.pkg

System configurations
From the System configurations area, you can manage:
System settings: Manage system settings including ports, host name, index path, email server settings (for alerts), and system logging.
Server controls: Restart Splunk.
License: View license usage statistics and apply a new license.
Data inputs: Add data to Splunk from scripts, files, directories, and network ports.
Forwarding and receiving: Configure this Splunk instance to send or receive data.
Indexes: Create new indexes and manage index size preferences.
Access controls: Specify the authentication method (Splunk or LDAP), create or modify users, and manage roles.
Distributed search: Set up distributed search across multiple Splunk instances.
Deployment: Deploy and manage configuration settings across multiple Splunk instances.
User options: Manage user settings, including passwords and email addresses.

Apps and knowledge
From the Apps and knowledge area, you can manage:
Apps: Edit permissions for installed apps, create new apps, or browse Splunkbase for apps created by the community.
Searches and reports: View, edit, and set permissions on searches and reports. Set up alerts and summary indexing.
Event types: View, edit, and set permissions on event types.
Tags: Manage tags on field values.
Fields: View, edit, and set permissions on field extractions. Define event workflow actions and field aliases. Rename sourcetypes.
Lookups: Configure lookup tables and lookups.
User interface: Create and edit views, dashboards, and navigation menus.
Advanced search: Create and edit search macros. Set permissions on search commands.
All configurations: See all configurations across all apps.
Important: Do not edit the default copy of any conf file in $SPLUNK_HOME/etc/system/default/. Make a copy of the file in $SPLUNK_HOME/etc/system/local/ or $SPLUNK_HOME/etc/apps/<app_name>/local and edit that copy.

File                         Purpose
admon.conf                   Configure Windows Active Directory monitoring.
alert_actions.conf           Customize Splunk's global alerting actions.
app.conf                     Configure your custom app.
audit.conf                   Configure auditing and event hashing.
authentication.conf          Toggle between Splunk's built-in authentication or LDAP, and configure LDAP.
authorize.conf               Configure roles, including granular access controls.
commands.conf                Connect search commands to any custom search script.
crawl.conf                   Configure crawl to find new data sources.
default.meta.conf            A template file for use in creating app-specific default.meta files.
deploymentclient.conf        Specify behavior for clients of the deployment server.
distsearch.conf              Specify behavior for distributed search.
eventdiscoverer.conf         Set terms to ignore for typelearner (event discovery).
event_renderers.conf         Configure event-rendering properties.
eventtypes.conf              Create event type definitions.
fields.conf                  Create multivalue fields and add search capability for indexed fields.
indexes.conf                 Manage and configure index settings.
inputs.conf                  Set up data inputs.
limits.conf                  Set various limits (such as maximum result size or concurrent real-time searches) for search commands.
literals.conf                Customize the text, such as search error strings, displayed in Splunk Web.
macros.conf                  Define search language macros.
multikv.conf                 Configure extraction rules for table-like events (ps, netstat, ls).
outputs.conf                 Set up forwarding, routing, cloning and data balancing.
pdf_server.conf              Configure the Splunk pdf server.
procmon-filters.conf         Monitor Windows process data.
props.conf                   Set indexing property configurations, including timezone offset, custom sourcetype rules, and pattern collision priorities. Also, map transforms to event properties.
pubsub.conf                  Define a custom client of the deployment server.
regmon-filters.conf          Create filters for Windows registry monitoring.
report_server.conf           Configure the report server.
restmap.conf                 Configure REST endpoints.
savedsearches.conf           Define saved searches and their associated schedules and alerts.
searchbnf.conf               Configure the search assistant.
segmenters.conf              Customize segmentation rules for indexed events.
server.conf                  Enable SSL for Splunk's back-end and specify certificate locations.
serverclass.conf             Define deployment server classes for use with deployment server.
serverclass.seed.xml.conf    Configure how to seed a deployment client with apps at start-up time.
source-classifier.conf       Terms to ignore (such as sensitive data) when creating a sourcetype.
sourcetypes.conf             Machine-generated file that stores sourcetype learning rules created by sourcetype training.
sysmon.conf                  Set up Windows registry monitoring.
tags.conf                    Configure tags for fields.
tenants.conf                 Configure deployments in multi-tenant environments.
times.conf                   Define custom time ranges for use in the Search app.
transactiontypes.conf        Add additional transaction types for transaction search.
transforms.conf              Configure regex transformations to perform on data inputs. Use in tandem with props.conf.
user-seed.conf               Set a default user and password.
web.conf                     Configure Splunk Web, enable HTTPS.
wmi.conf                     Set up Windows Management Instrumentation (WMI) inputs.
workflow_actions.conf        Configure workflow actions.
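As an added example (not from this reference and not Splunk's own btool), the following Python shows the default/local layering that the Important note above relies on, using a constructed web.conf pair for the "enable HTTPS" entry in the table: the local copy's enableSplunkWebSSL overrides the default copy key by key, and the default file is only ever read, never written. It covers only the system/default and system/local layers; the per-app local directory is left out, and the INI-style parsing is an assumption adequate for these sample files.

```python
import configparser
import os
import tempfile

# Constructed sample layers, not Splunk's shipped files: the default copy
# leaves Splunk Web on plain HTTP, the local copy turns HTTPS on.
DEFAULT_WEB_CONF = """\
[settings]
httpport = 8000
enableSplunkWebSSL = false
"""
LOCAL_WEB_CONF = """\
[settings]
enableSplunkWebSSL = true
"""


def read_layer(path):
    """Parse one Splunk-style .conf file (INI stanzas) into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep case: keys such as enableSplunkWebSSL are case-sensitive
    if os.path.exists(path):  # a missing layer simply contributes nothing
        parser.read(path)
    return {stanza: dict(parser[stanza]) for stanza in parser.sections()}


def effective_conf(splunk_home, name):
    """Merge system/default and system/local copies of <name>; local keys override default ones."""
    layers = [
        os.path.join(splunk_home, "etc", "system", "default", name),
        os.path.join(splunk_home, "etc", "system", "local", name),
    ]
    merged = {}
    for path in layers:  # later (local) layer wins, key by key; default is read, never modified
        for stanza, keys in read_layer(path).items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def demo():
    """Lay out a throwaway $SPLUNK_HOME with both layers and return the effective [settings]."""
    home = tempfile.mkdtemp()
    for layer, text in (("default", DEFAULT_WEB_CONF), ("local", LOCAL_WEB_CONF)):
        layer_dir = os.path.join(home, "etc", "system", layer)
        os.makedirs(layer_dir)
        with open(os.path.join(layer_dir, "web.conf"), "w") as fh:
            fh.write(text)
    return effective_conf(home, "web.conf")["settings"]
```

Calling demo() returns the merged [settings] stanza, with httpport still taken from default and enableSplunkWebSSL taken from local.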