The following is a short guide on how to install Splunk 8.1.x on Centos 8.
We’ll start by downloading the installation binaries from https://www.splunk.com/en_us/download/splunk-enterprise.html#tabs/linux, select the .tgz option as outlined in this screenshot:
You can either download the file (splunk-8.1.*-Linux-x86_64.tgz) to your PC and then move it onto your server or grab the download URL from the browser and then use WGET on your CentOS computer to download it. In my case, the URL to download the file was: https://download.splunk.com/products/splunk/releases/8.1.0/linux/splunk-8.1.0-f57c09e87251-Linux-x86_64.tgz
Once the file is downloaded, move it to an appropriate directory, in my case /home/ and decompress the tar file using the tar command:
tar xvzf splunk-8.1.0-f57c09e87251-Linux-x86_64.tgz
Once done, you’ll have a new folder called ‘splunk’ in your /home directory.
Now, let’s start the Splunk command-line interface (CLI) for the very first time:
cd /home/splunk/bin/ ./splunk start
If you do not want to read the terms, you can also start it by using:
splunk start --accept-license
Now, read through Splunk terms, by holding the enter key:
Until you get to the end of it, then agree with the terms of the free license and type in your desired username and password:
Once done, the Splunk installation will be completed:
As we can see, the Splunk is running on port 8000: http://127.0.0.1:8000 now.
Now, that we have Splunk installed, you can try to access it remotely by opening http://IP-OF-YOUR-SERVER:8000.
If it doesn’t work, make sure you’ve added the port 8000 to your firewall:
firewall-cmd --zone=public --permanent --add-port 8080/tcp
Then you can visit your Splunk installation and login with the previously created credentials at http://IP-OF-YOUR-SERVER:8000
Once logged in, the log files that you want to monitor can be added through the Settings / Data / Data Inputs menu:
For example, if you want to monitor your Apache logs in /var/log/httpd, you can add them here:
You can do the Splunk searches like this one, that shows the hourly bandwidth usage for all status 200 calls that reached the Apache server: