什么是 Splunk Enterprise？

Splunk Enterprise 是一款软件产品，可让我们搜索、分析和可视化从 IT 基础架构或者业务的组件收集的数据。
Splunk Enterprise 从网站、应用程序、传感器、设备等接收数据。
定义数据源后，Splunk Enterprise 会索引数据流并将其解析为一系列我们可以查看和搜索的单个事件。

要管理 Splunk Enterprise 部署、管理和创建知识对象、运行搜索、创建透视和报告等，我们可以使用 Web 浏览器，也可以使用命令行界面。

在本教程中，我们将介绍如何在 Ubuntu 16.04 LTS 或者 Ubuntu 18.04 LTS 服务器上安装免费版 Splunk Enterprise。

创建 Splunk 帐户并从此处的官方网站下载 Splunk Enterprise 软件

使用以下命令下载 Splunk 包并将其放置在 /tmp 目录中

jack@onitroad:/tmp# wget -O splunk-7.1.2-a0c72a66db66-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.1.2&product=splunk&filename=splunk-7.1.2-a0c72a66db66-Linux-x86_64.tgz&wget=true'

下载Splunk软件后，我们解压到/opt目录下：

jack@onitroad:/tmp# tar -xzvf splunk-7.1.2-a0c72a66db66-Linux-x86_64.tgz -C /opt

执行以下命令启动 Splunk，系统会提示我们接受许可协议并输入管理员帐户密码：

jack@onitroad:~# cd /opt/splunk/bin/
jack@onitroad:/opt/splunk/bin# ./splunk start
[...]
Splunk Software License Agreement 04.24.2015
Do you agree with this license? [y/n]:
This appears to be your first time running this version of Splunk.
Create credentials for the administrator account.
Characters do not appear on the screen when you type the password.
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to '/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
.........................+++
..................................................+++
e is 65537 (0x10001)
writing RSA key
Generating RSA private key, 2048 bit long modulus
..............................................................+++
.....................+++
e is 65537 (0x10001)
writing RSA key
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
Splunk> Finding your faults, just like mom.
Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration...  Done.
                Creating: /opt/splunk/var/lib/splunk
Done

Waiting for web server at http://127.0.0.1:8000 to be available.................... Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://ylclspkas01.onitroad.local:8000

如果要在启动时运行 Splunk，则必须执行以下命令：

jack@onitroad:/opt/splunk/bin# ./splunk enable boot-start
splunkd 3160 was not running.
Stopping splunk helpers...
Done.
Stopped helpers.
Removing stale pid file... done.
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.

最后，我们可以使用默认用户 admin 在 http://Server-IP:8000/或者 http://Server-hostname:8000 访问 Splunk Web 界面。
在我们忘记之前，请确保在服务器防火墙上打开了端口 8000。