The ABCs of Splunk Part Two: How to Install Splunk on Linux

In our previous blog, we discussed how to choose between a single or clustered environment. You can read our first blog here!

In this blog, I will guide you through the proper installation of Splunk, assuming that you have chosen Linux as your operating system. 

One of the first things to consider for a secure installation, is to install Splunk under a dedicated Splunk user account instead of using the root account. This is a defense-in-depth measure: if an attacker manages to compromise the Splunk instance and gain access to the underlying operating system, it is preferable that Splunk (and the attacker) does not have administrative privileges. By doing this, even if Splunk is attacked, it will not be able to move laterally through your entire network.

Please follow the instructions below in sequence:

Step 1: Create a Splunk User and Group

First, we need to create a separate user for Splunk and add a group for that user.

groupadd splunk

useradd -d /opt/splunk -m -g splunk splunk 

Step 2: Obtain the Latest Splunk Download Link

If you need an older version, click on the “Older Releases” link. However, it is recommended to use the latest version for security reasons unless there is a specific need.

  • Once you click download, the Splunk file will start downloading in your browser.
  • On the newly opened page, you will see a link for useful tools. Select “Download via Command Line (wget)” to get the URL.
  • Select and copy the full wget link.

Step 3: Download and Extract Splunk on the Linux Machine

  • Go to /opt drive (this is the usual location for Splunk installation, but you can choose a different location if desired). Use the command:

    cd /opt

  • Download Splunk by running the command you copied from Step 2.
  • Verify that the file has been downloaded by running:

    ls –l

  • Extract Splunk using the command:

    tar –xvzf <splunk-file-dowwnload>

Step 4: Change the File Ownership to Splunk User

Run the following command to change the ownership of the Splunk files to the Splunk user:

chown –R splunk:splunk /opt/splunk 

Step 5: Switch to the Splunk User and Run Commands

Switch to the Splunk user account by running:

su splunk

From this point onward, run all the subsequent commands as the Splunk user instead of the root user.

Step 6: Start Splunk

To start Splunk, run the following command:

/opt/splunk/bin/splunk start --accept-license

During this step, you will be asked to create a new admin account for Splunk and set a password.

Step 7: Access Splunk through the Web UI

Open your preferred web browser and go to the following URL:


You will now be able to use Splunk through the web interface. Use the username and password you created in Step 6 when starting Splunk.

I hope this installation process works well for you. If you encounter any issues, please feel free to reach out to us!

In the next blog, we will discuss storage, indexes, and buckets, which can be more challenging. In my opinion, many Splunk installations suffer from common misconfigurations related to storage, buckets, and indexes, which can result in slow performance or even complete system inoperability.

Have questions about Splunk installation? 

Sign Up Now!

For exclusive news, information, and Events!

By submitting this form, you are consenting to receive marketing emails from: CrossRealms International. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact