Getting Started

Installing Splunk

Three platforms, three commands, one running instance.

10 min Beginner

Splunk Enterprise runs on every major OS. Pick your platform, run the install command, and within a few minutes you'll have Splunk Web listening on port 8000 (the splunkd management port, 8089, comes up alongside it).

Choose your platform #

The fastest path on macOS is Homebrew. If you don't have Homebrew yet, install it first.

install.sh
brew install --cask splunk-enterprise
sudo /Applications/Splunk/bin/splunk start --accept-license

When the prompt asks for an admin username and password, pick a strong, unique password rather than a memorable one: Splunk only enforces a minimum length of 8 characters by default, and this account has full control of the instance and its REST API. Put it in a password manager; you'll be using it constantly. Note that the sudo above starts splunkd as root, which is fine for a throwaway workshop box, but anything that will stay around should run Splunk as a dedicated unprivileged user.

Verify it’s running #

Open a terminal (with $SPLUNK_HOME/bin on your PATH, or spell out the full path to splunk) and run:

bash
$ curl -s -L -o /dev/null -w "%{http_code}\n" http://localhost:8000
200
$ splunk status
splunkd is running (PID: 12345).

If you see 200, you're good. The -L matters: a request for / is redirected to the locale-prefixed login page, so without it you'll see the redirect status instead. Splunk Web speaks plain HTTP out of the box; if you later set enableSplunkWebSSL = true in web.conf, switch the URL to https:// and add -k to accept the self-signed certificate Splunk ships with. If the check fails, the next callout has the most common fixes.

Port 8000 already in use?

If another service already owns :8000, splunkd itself still starts (it listens on 8089), but Splunk Web cannot bind its port and you get no login page. Check the web_service.log under $SPLUNK_HOME/var/log/splunk if in doubt. Either stop the other service or move Splunk Web to a different port; the CLI will ask for the admin credentials you just set:

bash
splunk set web-port 8001
splunk restart

Don’t skip the license prompt

The --accept-license flag is what makes an unattended start possible: without it, splunk start stops at an interactive license prompt and waits for you. For a fully scripted start add --answer-yes --no-prompt as well, and supply the admin password from a user-seed.conf in $SPLUNK_HOME/etc/system/local before first start rather than typing it or passing --seed-passwd on the command line, which leaves it in the process list and your shell history.
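The three callouts above (verifying the instance, handling a busy port 8000, and starting without the license prompt) folded into one script. This is an added example, not from this page and not Splunk's own tooling. It assumes SPLUNK_HOME points at an installed but never-started Splunk Enterprise instance, that the splunk CLI accepts --accept-license --answer-yes --no-prompt, and that user-seed.conf ([user_info] with USERNAME/PASSWORD) and the httpport setting in web.conf behave as documented for Splunk Enterprise. The function names (gen_password, port_in_use, write_user_seed, set_web_port, wait_for_web, provision) are mine.

```shell
#!/usr/bin/env bash
# Unattended first start of a fresh Splunk Enterprise install.
# Added example for this workshop page, not Splunk's own tooling.
# Assumed: SPLUNK_HOME is an installed, never-started instance, and this
# runs as the user that owns it (avoid root outside a throwaway box).
set -euo pipefail

SPLUNK_HOME="${SPLUNK_HOME:-/Applications/Splunk}"   # macOS default; /opt/splunk on Linux
WEB_PORT="${WEB_PORT:-8000}"

# 48 hex chars (192 bits) from /dev/urandom. Splunk's default policy only
# demands 8+ characters, but this is the admin credential for the instance.
gen_password() {
  od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# Is anything already listening on TCP port $1?  0 = yes, 1 = no, 2 = cannot tell.
port_in_use() {
  if command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
  elif command -v ss >/dev/null 2>&1; then
    # awk consumes all of ss's output, so no SIGPIPE under pipefail
    ss -Hltn 2>/dev/null | awk -v p=":$1" \
      'substr($4, length($4) - length(p) + 1) == p { f = 1 } END { exit !f }'
  else
    return 2
  fi
}

# Seed the admin account before first start so nobody types it at a prompt
# and it never appears in argv (as --seed-passwd would) or shell history.
# Splunk reads this file on first start; delete it afterwards if it remains.
write_user_seed() {   # $1 = SPLUNK_HOME, $2 = username, $3 = password
  local dir="$1/etc/system/local" f
  f="$dir/user-seed.conf"
  mkdir -p "$dir"
  ( umask 077; printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$2" "$3" > "$f" )
  printf '%s\n' "$f"
}

# Move Splunk Web off a busy port by writing web.conf before first start
# (the page's `splunk set web-port` does the same but needs admin auth).
set_web_port() {      # $1 = SPLUNK_HOME, $2 = port
  local dir="$1/etc/system/local"
  mkdir -p "$dir"
  printf '[settings]\nhttpport = %s\n' "$2" > "$dir/web.conf"
  printf '%s\n' "$dir/web.conf"
}

# Poll until Splunk Web answers. / redirects to the locale-prefixed login
# page, hence -L. Prints the final HTTP status; returns 0 only on 200.
wait_for_web() {      # $1 = port, $2 = max seconds
  local i code
  for i in $(seq 1 "${2:-60}"); do
    code=$(curl -s -L -o /dev/null -w '%{http_code}' "http://localhost:$1/" || true)
    [ "$code" = "200" ] && { printf '%s\n' "$code"; return 0; }
    sleep 1
  done
  printf '%s\n' "${code:-000}"
  return 1
}

provision() {
  if port_in_use "$WEB_PORT"; then
    echo "port $WEB_PORT is busy, moving Splunk Web to $((WEB_PORT + 1))" >&2
    WEB_PORT=$((WEB_PORT + 1))
    set_web_port "$SPLUNK_HOME" "$WEB_PORT" >/dev/null
  fi
  local pw
  pw=$(gen_password)
  write_user_seed "$SPLUNK_HOME" admin "$pw" >/dev/null
  "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
  "$SPLUNK_HOME/bin/splunk" status
  echo "Splunk Web http://localhost:$WEB_PORT -> HTTP $(wait_for_web "$WEB_PORT" 90)"
  echo "admin password (store it in a password manager, then clear this scrollback): $pw"
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then provision; fi
```

Run it as `SPLUNK_HOME=/Applications/Splunk ./provision.sh --run` once, before the first `splunk start`. The admin password is generated rather than chosen, written only to a mode-600 file that Splunk consumes on start-up, and printed once at the end; the script deliberately never passes it as a command-line argument.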

Sign in #

Open http://localhost:8000 and sign in with the credentials you set during install.

[Screenshot: the Splunk login screen, your portal for the rest of this workshop.]

Project layout #

For the rest of this workshop, we’ll work out of a folder structured like this:

splunk-workshop/
├── data/
│   ├── access.log         # web-server access log
│   ├── errors.log         # application errors
│   └── tutorial.csv       # sample dataset
├── searches/
│   └── starter.spl
└── README.md

Splunk's configuration is split across several .conf files. The one we'll edit later in step 4 is $SPLUNK_HOME/etc/system/local/server.conf, which holds splunkd settings; Splunk Web settings such as the port and TLS live next to it in web.conf. Always make changes under etc/system/local (or an app's local directory), never in etc/system/default, which upgrades overwrite.
