====== Splunk Installation ======
==== Install Indexer / Heavy Forwarder ====
# Create the splunk service account, unpack the release tarball into /opt,
# hand the install tree to that account and start Splunk as that account
# (not as root). Verify the archive against the vendor's published checksum
# before extracting it with root privileges.
splunk_home=/opt/splunk
sudo useradd -m -d "${splunk_home}" -s /bin/bash -U splunk \
  && sudo tar xzvf "${HOME}/splunk.tgz" -C /opt \
  && sudo chown -R splunk:splunk "${splunk_home}" \
  && sudo su -c "${splunk_home}/bin/splunk start --accept-license" splunk
==== Configure the indexer as a receiver ====
https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Enableareceiver
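# Open the receiving port on the indexer.
# The variables are expanded by the invoking shell before `su -c` runs the
# command, so `export` is unnecessary (and sudo's env_reset would drop them
# anyway); keeping them unexported avoids handing the credential to every
# child process. The password is prompted for when not already set, so it
# is not written into the wiki/history as a literal.
user=user
port=9997
if [[ -z "${password:-}" ]]; then
  read -rsp "Password for ${user}: " password
  printf '\n'
fi
# NOTE: the Splunk CLI takes the credential on argv, so it is visible to
# `ps` and to sudo's command log for the duration of the call.
sudo su -c "/opt/splunk/bin/splunk enable listen ${port} -auth ${user}:${password}" splunk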
==== Set-Up Forwarding ====
https://docs.splunk.com/Documentation/Splunk/9.1.2/Forwarding/Deployaheavyforwarder
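# Turn this instance into a heavy forwarder sending to ${host}:${port}.
# Fixes: the `add forward-server` step called a bare `splunk`, relying on the
# service account's PATH while every other step uses the absolute path; and
# the password was exported as a literal (see the receiver section for why
# plain, unexported variables plus a prompt are preferable).
user=user
host=indexer
port=9997
if [[ -z "${password:-}" ]]; then
  read -rsp "Password for ${user}: " password
  printf '\n'
fi
splunk_bin=/opt/splunk/bin/splunk
# Both restarts are kept as on the original page: one after enabling the
# app, one after registering the forward-server.
sudo su -c "${splunk_bin} enable app SplunkForwarder -auth ${user}:${password}" splunk \
  && sudo su -c "${splunk_bin} restart" splunk \
  && sudo su -c "${splunk_bin} add forward-server ${host}:${port} -auth ${user}:${password}" splunk \
  && sudo su -c "${splunk_bin} restart" splunk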
==== Forward to more than one destination ====
Edit /opt/splunk/etc/system/local/outputs.conf:
[tcpout]
defaultGroup = group1,group2
indexAndForward = 0
[tcpout:group1]
disabled = false
server = receiver1:9997
[tcpout:group2]
disabled = false
server = receiver2:9997
==== Universal Forwarder ====
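# Install the Universal Forwarder under its own service account.
# Fixes: `useradd` lacked `sudo` (fails for a non-root caller, unlike the
# following steps), and the forwarder was started as root, which runs the
# daemon with root privileges and leaves root-owned files in
# /opt/splunkforwarder despite the chown on the previous line. Start it as
# splunkfwd, mirroring the indexer install above.
sudo useradd -m -d /opt/splunkforwarder -s /bin/bash -U splunkfwd \
  && sudo tar xzvf "${HOME}/splunk-forwarder.tgz" -C /opt \
  && sudo chown -R splunkfwd:splunkfwd /opt/splunkforwarder \
  && sudo su -c "/opt/splunkforwarder/bin/splunk start --accept-license" splunkfwd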
{{tag>kb linux splunk}}