So you are ready to Splunk and you want to get started? Well...
Taking the First Step
Your first step, before you download any installation packages, is to review the Splunk Software License Agreement, which you can find at splunk.com/view/SP-CASSSFA (and if you don’t check it there, the Splunk installer drops a copy for you in the installation folder, in both .RTF and .TXT formats). Although you have the ability to download a free, full-featured copy of Splunk Enterprise, the agreement governs its installation and use, and it is incumbent upon you to at least be aware of the rules.
Next, as with any software installation, you must make time to review your hardware to make sure that you can run Splunk in such a way as to meet your expected objectives. Although Splunk is a highly optimized application, a good recommendation is that if you are planning to evaluate Splunk for eventual production deployment, you should use hardware typical of the environment you intend to deploy to. In fact, the hardware you use for your evaluation should meet or exceed the recommended hardware capacity specifications for the tool and (your) intentions (you can check the Splunk.com website or talk to a Splunk professional to be sure what these are).
Disk Space Needs
Beyond the physical footprint of the Splunk software (which is minimal), you will need some Splunk “operational space”. When you read data into Splunk, it creates a compressed/indexed version of that “raw data”, and this file is typically about 10% of the size of the original data. In addition, Splunk then creates index files that “point” to the compressed file. These associated “index files” can range in size from approximately 10% to 110% of the rawdata file, depending on the number of unique terms in the data. Again, rather than get into sizing specifics here, just note that if your goal is “education and exploration”, go ahead and install Splunk on your local machine or laptop; it’ll be just fine.
Go Physical or Virtual?
Most organizations today run a combination of both physical and virtual machines. Without getting into specifics here, it is safe to say that Splunk runs well on both; however (as with most software), it is important that you understand the needs of the software and be sure that your machine(s) are configured appropriately. The Splunk documentation reports:
“If you run Splunk in a virtual machine (VM) on any platform, performance does degrade. This is because virtualization works by abstracting the hardware on a system into resource pools from which VMs defined on the system draw as needed. Splunk needs sustained access to a number of resources, particularly disk I/O, for indexing operations. Running Splunk in a VM or alongside other VMs can cause reduced indexing performance”.
Let’s get the software!
Splunk Enterprise (version 6.0.2 as of this writing) can run on both MS Windows and Linux, but for this discussion I’m going to focus only on the Windows version. Splunk is available in both 32- and 64-bit architectures, and it is always advisable to check the product details to see which version is correct for your needs.
Assuming that you are installing for the first time (not upgrading), you can download the installation file (an .msi for Windows) from the company website (www.splunk.com). I recommend that you read through the release notes for the version that you intend to install before downloading. Release notes list the known issues along with potential workarounds, and being familiar with this information can save you plenty of time later.
[Note: If you are upgrading Splunk Enterprise, you need to visit the Splunk website for specific instructions before proceeding.]
Get a Splunk.com Account
To actually download (any) version of Splunk, you need to have a Splunk account (and user name). Earlier, I mentioned the idea of setting up an account that you can use for educational purposes and support. If you have visited the website and established your account, you are ready; if not, you need to set one up now.
- Visit Splunk.com.
- Click on “Sign Up”.
Once you have an account, you can click on the big, green button labeled “Free Download”. From there, you will be directed to the “Download Splunk Enterprise” page, where you can click on the link of the Splunk version you want to install.
From there, you will be redirected to the “Thank You for downloading…” page and be prompted to save the download to a location of your choice.
And you are on your way!
Check back and I’ll walk you through a typical MS Windows install (along with some helpful hints that I learned during my journey to Splunk Nirvana)!