SplunkInstall

Reference

Instructions for installing a splunk server

  • Instructions at http://www.splunk.com (see step-by-step: http://www.splunk.com/doc/latest/installation).
  • host: uct3-edge6
  • /working/splunk
  • tar -xvf splunk-2.2-15292-Linux-i686.tar
  • See ./README.txt and ./etc/init.d/README
  • set SPLUNK_HOME variable to /working/splunk in ./bin/setSplunkEnv and in ./etc/init.d/redhat/splunk script.
  • cp ./etc/init.d/redhat/splunk /etc/rc.d/init.d/
  • chmod +x
  • /sbin/chkconfig --add splunk
  • Obtained professional evaluation license from Splunk, /home/rwg/splunk.license (30 days)
  • Copied into /working/splunk/etc/splunk.license
  • had to go to my account on splunk.com and put in latest license.
  • applied patch for XFS filesystems (??)
  • ./bin/splunk start

Problems

  • Uploading a very large file caused the server to crash - ticket into splunk support.

Reinstall: 5/1/07

  • On uct3-edge6.
  • First, shut down existing splunk service: /opt/splunk/bin/splunk stop. Renamed this installation to /opt/splunk-old/.
  • Downloaded and unpacked in /opt the latest release: splunk-2.2.3-18173-Linux-i686. See /opt/splunk.
  • See ReadmeSplunk223 (April 2007)
  • SPLUNK_HOME already set to /opt/splunk in ./bin/setSplunkEnv.
  • Copied over license: cp ../../splunk-old/etc/splunk.license /opt/splunk/etc/.
  • created var sym link to point to /var/log/splunk
  • I cleaned up:
    • deleted everything in /var/log/splunk/my_data (it was a temporary cache)
    • moved /var/log/splunk to /var/log/splunk-old.
    • created /var/log/splunk/var which is empty (initially).
  • /opt/splunk/bin/splunk start. See SplunkStartupLog.
  • Checking: http://uct3-edge6.uchicago.edu:8000/. admin, changeme. Changed password. Created ddm account.
  • http://ddm-log.uchicago.edu:8000/ works.

Reinstall: 6/6/07

  • Pendantic
  • On uct3-edge6
  • Shut down existing splunk service: /opt/splunk/bin/splunk stop. Renamed this installation to /opt/splunk-old2/.
  • cd /opt
  • wget 'http://www.splunk.com/index.php/download_track?file=/3.0b2/linux32/splunk-3.0b2-19829-Linux-i686.tgz&ac=&wget=true&name=wget'
  • gunzip splunk-3.0b2-19829-Linux-i686.tgz
  • tar -xvf splunk-3.0b2-19829-Linux-i686.tar
  • New Splunk now in /opt/splunk.
  • SplunkREADME3.0B
  • cp ~rwg/splunk.license /opt/splunk/etc/
  • ln -s /var/log/splunk/var/ var
  • mv /var/log/splunk /var/log/splunk-old2/
  • mkdir /var/log/splunk/var
  • ./bin/splunk start
  • Here is the SplunkStartupLog3b
  • Checking: http://uct3-edge6.uchicago.edu:8000/. admin, changeme. Changed password. Created ddm account.
  • http://ddm-log.uchicago.edu:8000/ works.

Reinstall: 6/27/07

  • [root@uct3-edge6 opt]$ /opt/splunk/bin/splunk stop
  • wget 'http://www.splunk.com/index.php/download_track?file=/3.0b3/linux/splunk-3.0b3-20872-Linux-i686.tgz&ac=&wget=true&name=wget'
  • ..following the above...
  • copied the license over from the previous installation.
  • mv /var/log/splunk /var/log/splunk-old3/
  • mkdir /var/log/splunk/
  • mkdir /var/log/splunk/var
  • ln -s /var/log/splunk/var/ var (in the /opt/splunk directory)
  • ./bin/splunk start
  • Checking: http://uct3-edge6.uchicago.edu:8000/. admin, changeme. Changed password. Created ddm account with usual password.
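
The reinstall steps recorded above, collected into one shell function. This is an added example, not part of the original notes: the function name stage_splunk, the ROOT prefix (empty on the live host, a scratch directory for a rehearsal) and the SUFFIX label are assumptions, and it expects a gzip-compressed release that unpacks to ./splunk.

```shell
#!/bin/sh
# Added example: scripted form of the reinstall steps in these notes.
# stage_splunk ROOT TARBALL SUFFIX
#   ROOT    - filesystem prefix (hypothetical); "" for the live system
#   TARBALL - gzip-compressed release archive that unpacks to ./splunk
#   SUFFIX  - label for the retired copies, e.g. "old3"
stage_splunk() {
    root=$1 tarball=$2 suffix=$3
    home="$root/opt/splunk"
    old="$root/opt/splunk-$suffix"
    data="$root/var/log/splunk"

    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    # Never overwrite an earlier retired copy.
    if [ -e "$old" ] || [ -e "$data-$suffix" ]; then
        echo "suffix already used: $suffix" >&2; return 1
    fi

    # Stop the running service, then retire the old tree and its data.
    if [ -x "$home/bin/splunk" ]; then "$home/bin/splunk" stop || return 1; fi
    if [ -d "$home" ]; then mv "$home" "$old" || return 1; fi
    if [ -d "$data" ]; then mv "$data" "$data-$suffix" || return 1; fi

    # Unpack the new release under /opt (creates /opt/splunk).
    mkdir -p "$root/opt" && tar -xzf "$tarball" -C "$root/opt" || return 1

    # Carry the license over from the retired tree.
    if [ -f "$old/etc/splunk.license" ]; then
        cp "$old/etc/splunk.license" "$home/etc/" || return 1
    fi

    # Create the data directory before linking to it, then point var at it.
    mkdir -p "$data/var" || return 1
    if [ -e "$home/var" ] && [ ! -L "$home/var" ]; then
        echo "release ships its own var directory: $home/var" >&2; return 1
    fi
    ln -sfn "$data/var" "$home/var"
}
```

On the live host this would be called as stage_splunk "" followed by the tarball path and a suffix, then ./bin/splunk start from /opt/splunk. The fresh install comes up with the admin / changeme login noted above, so the password change belongs immediately after the first start.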

-- RobGardner - 15 Mar 2007
Topic revision: r10 - 27 Jun 2007, RobGardner