Install
- Visit the official Splunk website, log in or create account and get the Splunk Enterprise installer (.deb or .rpm)
- Install the package e.g. on Debian-based distros
sudo dpkg --install splunk-*-linux-amd64.deb
- The above command will install Splunk in the directory /opt/splunk
- It will also create a new user named ‘splunk’ and install all the package contents under the ownership of that user
- Follow the steps below as a regular non-root user
cd /opt/splunk/bin
sudo ./splunk enable boot-start -user splunk -systemd-managed 1 --accept-license
Verify the installation
- After the installation verify that no files or directories in /opt/splunk are owned by ‘root’ or belong to the ‘root’ group. Use the following command (the parentheses are needed so that -ls applies to both tests, not only to the group test); if it prints nothing, no such entries exist.
sudo find /opt/splunk \( -user root -o -group root \) -ls
- Alternatively, ensure that all the files and directories in /opt/splunk are owned by the non-root user ‘splunk’ and belong to the group ‘splunk’ (again, the parentheses make -ls apply to both tests)
sudo find /opt/splunk \( -not -user splunk -o -not -group splunk \) -ls
Start the service and check the status
sudo systemctl start Splunkd # From the next reboot onwards Splunkd will start automatically
sudo systemctl status Splunkd
Verify that the Splunk processes are running as user ‘splunk’ and not as ‘root’
ps -eaf | grep -i splunk
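The ownership and process checks above, combined into one script. This is an added example, not Splunk's tooling or part of the original notes; it assumes SPLUNK_HOME=/opt/splunk and the service account splunk:splunk, and the process check reads a ps listing from stdin so it can also be run over a captured listing.

```shell
#!/bin/sh
# Added post-install checks for the Splunk layout described above; not Splunk's own tooling.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk and the service account is splunk:splunk.

# Print "owner:group path" for every entry under $1 whose owner is not $2 or whose group
# is not $3 (names or numeric ids). Prints nothing when the tree is clean. Uses GNU find (-printf).
wrong_owner_entries() {
    # The parentheses matter: "-user A -o -group B -printf" would attach the action to
    # the second test only, so root-owned files with a non-root group would be missed.
    find "$1" \( -not -user "$2" -o -not -group "$3" \) -printf '%u:%g %p\n'
}

# Exit 0 when every entry under $1 is owned by $2:$3, 1 otherwise.
ownership_ok() {
    [ -z "$(wrong_owner_entries "$1" "$2" "$3")" ]
}

# Read "user pid command" lines on stdin (the output of: ps -eo user=,pid=,comm=) and print
# every splunk/splunkd process that is not running as user $1. Prints nothing when all is well.
splunk_procs_not_as() {
    awk -v want="$1" 'tolower($3) ~ /splunk/ && $1 != want { print }'
}

# Exit 0 when no Splunk process on stdin runs as a user other than $1.
process_owners_ok() {
    [ -z "$(splunk_procs_not_as "$1")" ]
}

# Stand-alone use on a live host (run with sudo so find can read the whole tree):
#   sudo sh splunk-postinstall-check.sh --run
if [ "${1:-}" = "--run" ]; then
    SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}
    if ownership_ok "$SPLUNK_HOME" splunk splunk; then
        echo "ownership: ok"
    else
        echo "ownership: entries under $SPLUNK_HOME not owned by splunk:splunk:"
        wrong_owner_entries "$SPLUNK_HOME" splunk splunk
    fi
    if ps -eo user=,pid=,comm= | process_owners_ok splunk; then
        echo "processes: ok"
    else
        echo "processes: Splunk processes running as another user:"
        ps -eo user=,pid=,comm= | splunk_procs_not_as splunk
    fi
fi
```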
Change the license group to ‘Free’