- Install
- View
- Common commands
tar zxvf <splunk package> -C /opt
/opt/splunk/bin/splunk start --accept-license
/opt/splunk/bin/splunk enable boot-start
splunk disable boot-start
splunk stop
splunk start
splunk restart
splunk version
rm -rf /opt/splunk
Installing the Splunk Universal Forwarder
tar zxvf <splunk forward package> -C /opt
/opt/splunkforwarder/bin/splunk start --accept-license
/opt/splunkforwarder/bin/splunk enable boot-start
splunk set splunkd-port 8070
splunk edit user admin -password 'admin' -role admin -auth admin:changeme
The installation steps are shown below; you are prompted to enter an account name and password.
[root@splunk1 bin]# ./splunk start --accept-license
This appears to be your first time running this version of Splunk.
Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.
Please enter an administrator username: ######
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:######
Please confirm new password:######
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
..........................................+++++
.........................+++++
e is 65537 (0x10001)
writing RSA key
Generating RSA private key, 2048 bit long modulus
.....................................................................................................................+++++
.+++++
e is 65537 (0x10001)
writing RSA key
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Splunk> CSI: Logfiles.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Creating: /opt/splunk/var/lib/splunk
Creating: /opt/splunk/var/run/splunk
Creating: /opt/splunk/var/run/splunk/appserver/i18n
Creating: /opt/splunk/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunk/var/run/splunk/upload
Creating: /opt/splunk/var/run/splunk/search_telemetry
Creating: /opt/splunk/var/spool/splunk
Creating: /opt/splunk/var/spool/dirmoncache
Creating: /opt/splunk/var/lib/splunk/authDb
Creating: /opt/splunk/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunk/etc/auth'.
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _metrics _telemetry _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems... Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-8.0.0-1357bef0a7f6-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Generating a 2048 bit RSA private key
..........+++++
.............................+++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=rb3pu8d.ptcn.com/O=SplunkUser
Getting CA Private Key
writing RSA key
Done
[ OK ]
Waiting for web server at http://127.0.0.1:8000 to be available..... Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://splunk1:8000
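As an added example (not part of the original post), the interactive credential prompt shown above can be avoided by seeding the administrator account from `user-seed.conf` before the first start, which also means the account never carries the `admin:changeme` default. The helper names `gen_password` and `write_user_seed` are hypothetical; `/opt/splunk` is the install path used on this page.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Seeds the Splunk admin account
# from user-seed.conf so the first start needs no typed credentials.
# gen_password and write_user_seed are hypothetical helper names.

# Print a random 32-character hex password (128 bits from /dev/urandom).
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# write_user_seed SPLUNK_HOME USERNAME PASSWORD
# Writes etc/system/local/user-seed.conf with mode 600 and prints its path.
# Returns 1 if etc/passwd already exists (Splunk then ignores the seed),
# 2 if the password is shorter than the 8-character minimum shown above.
write_user_seed() {
    local splunk_home="$1" user="$2" pass="$3"
    local dir="$splunk_home/etc/system/local"
    local seed="$dir/user-seed.conf"

    if [ -e "$splunk_home/etc/passwd" ]; then
        echo "etc/passwd exists: users already created, seed would be ignored" >&2
        return 1
    fi
    if [ "${#pass}" -lt 8 ]; then
        echo "password must be at least 8 characters" >&2
        return 2
    fi
    mkdir -p "$dir" || return 3
    # Create the file under a restrictive umask so the clear-text password
    # is never world-readable, even briefly.
    ( umask 077 && printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' \
        "$user" "$pass" > "$seed" && chmod 600 "$seed" ) || return 3
    printf '%s\n' "$seed"
}

# Apply to the install path used on this page only when asked to.
if [ "${1:-}" = "--apply" ]; then
    pw="$(gen_password)"
    write_user_seed /opt/splunk admin "$pw" >/dev/null || exit 1
    echo "admin password: $pw (record it securely)"
    /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt
fi
```

Run it with `--apply` on a fresh extraction, before Splunk has ever been started; on an instance that already has users the function refuses to write the seed.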
[root@splunk1 bin]# ./splunk status
splunkd is running (PID: 12634).
splunk helpers are running (PIDs: 12638 12654 12741 12815).
[root@splunk1 bin]# ps -ef|grep -i splunk
root 12634 1 2 23:21 ? 00:00:06 splunkd -p 8089 start
root 12638 12634 0 23:21 ? 00:00:00 [splunkd pid=12634] splunkd -p 8089 start [process-runner]
root 12654 12638 1 23:21 ? 00:00:03 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --storageEngine=mmapv1 --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize=200 --keyFile=/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --setParameter=oplogFetcherSteadyStateMaxFetcherRestarts=0 --replSet=5C52379B-DC63-4160-935D-EF9D031230E9 --bind_ip=0.0.0.0 --sslMode=requireSSL --sslAllowInvalidHostnames --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --sslPEMKeyPassword=xxxxxxxx --sslDisabledProtocols=noTLS1_0,noTLS1_1 --sslCipherConfig=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256 --nounixsocket --noscripting
root 12741 12638 1 23:21 ? 00:00:02 /opt/splunk/bin/python3.7 -O /opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000
root 12815 12638 0 23:21 ? 00:00:01 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore
root 12923 12111 0 23:24 pts/0 00:00:00 grep --color=auto -i splunk
Source: https://www.cnblogs.com/tingxin/p/12267249.html