Install Splunk on Linux with Trial to Free License



I have heard of Splunk, a log analysis tool, but having worked in the IT industry for the last 15 years, I never had to work with it. However, one of my new job requirements as a Site Reliability Engineer (SRE) is to work with Splunk. Hence, I took the initiative to set up an on-premise (non-cloud) Splunk Enterprise on my Ubuntu server. The 60-day trial license will be converted to a free license with limited access to Enterprise features after 60 days.

Step 1 – Download Splunk Enterprise for Linux

Click Free Splunk to register a Splunk account. Select Splunk Enterprise Free 60-day Trial and choose Linux. For this tutorial, we will be using Debian/Ubuntu, so download the .deb file. As per the Splunk Enterprise on-premises system requirements, the kernel version needs to be above 3.x; type uname -r to check the server kernel version.

Step 2 – Install Splunk with Reverse Proxy and Let’s Encrypt SSL

  1. sudo dpkg -i splunk-
  2. sudo /opt/splunk/bin/./splunk start --accept-license
  3. Create a web.conf file with the settings below: sudo vi /opt/splunk/etc/system/local/web.conf
# Splunk Web settings live under the [settings] stanza
[settings]
root_endpoint = /splunk
tools.proxy.on = false
enableSplunkWebSSL = true
privKeyPath = /etc/letsencrypt/live/
serverCert = /etc/letsencrypt/live/
#httpport = 8081 # if not using default port 8000
  4. Restart the Splunk Web service: sudo /opt/splunk/bin/./splunk restart splunkweb
     $ sudo /opt/splunk/bin/./splunk start
     Enter your preferred admin username and password (you will need them to log in to the web interface later)

NGINX *.conf

  1. Create an NGINX site config file with the settings below (sudo vi /etc/nginx/sites-available/) and create a symbolic link to it in /etc/nginx/sites-enabled/ using ln -s
# Port 80 http redirect
server {
    listen 80;

    if ($host = {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}

# Port 443 https config
server {
  listen 443 ssl http2;

  access_log /var/log/nginx/splunk.example-access.log;
  # Either warn or error log level
  error_log /var/log/nginx/splunk.example-error.log warn;

  add_header X-Frame-Options SAMEORIGIN;
  large_client_header_buffers 6 16k;
  client_max_body_size 4M;

  location / {
    proxy_pass_request_headers on;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_pass; # full SSL implementation
    #proxy_pass; # non-SSL implementation
  }

  ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
}
  2. Create a Let’s Encrypt free SSL certificate: sudo certbot --nginx; this automatically adds the lines marked # managed by Certbot.
  3. Test the new NGINX config: sudo nginx -t
  4. If the site config is done correctly, restart the NGINX server: sudo systemctl restart nginx
  5. Open a browser and enter the site URL or http://<server IP>:8000/

Apache httpd *.conf

<VirtualHost *:80>

    # Other directives here
    RewriteEngine on
    RewriteCond %{SERVER_NAME}
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>

    ProxyPreserveHost On
    ProxyPass /
    ProxyPassReverse /

    # Other directives here
    RewriteEngine on

    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

# In httpd.conf (not the virtual host file):
# Supplemental configuration
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

# For Splunk error_log: [remote] AH01961: SSL Proxy requested for but not enabled [Hint: SSLProxyEngine]
SSLProxyEngine on

Common Errors during Installation

502 Bad Gateway: proxy_pass; (not working) versus proxy_pass; (working), or vice versa, depending on whether Splunk Web is running with SSL enabled (see the full SSL / non-SSL proxy_pass lines in the NGINX config above).

2022/08/09 22:32:17 [error] 24707#24707: *49 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client:, server:, request: "GET / HTTP/2.0", upstream: "", host: "" The host value is my localhost; you can run cat /etc/hosts to find the local domain and public IP.

404 Not Found: when entering the site URL, because the line server_name; is missing from the Port 80 http redirect section.

/opt/splunk/bin/splunk restart splunkweb > http port [8000] - port is already bound. Splunk needs to use this port: move Splunk Web to another port, for example 8001, by adding httpport = 8001 to /opt/splunk/etc/system/local/web.conf

/var/log/httpd/error_log > [remote] AH01961: SSL Proxy requested for but not enabled [Hint: SSLProxyEngine]: Add SSLProxyEngine on to httpd.conf
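The errors above (and the NGINX and Apache configs earlier) all come down to a handful of config mismatches that can be checked before restarting anything. The POSIX shell script below is an added example, not code from the original post or from Splunk: each check reads a config file path and returns 0 or 1, so it runs offline against constructed sample files. The hostname splunk.example.invalid, the upstream 127.0.0.1:8000, the web-plain.conf file and the temp-dir layout are assumptions made for the demo; the check for a bound port uses ss, which is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the Splunk
# reverse-proxy setup, one per entry in "Common Errors". Every check takes a
# config file path, so it runs against constructed sample files offline.
# Paths, hostnames and ports used here are placeholders.

# 0 if web.conf turns on Splunk Web SSL (enableSplunkWebSSL = true), else 1.
splunk_web_ssl_enabled() {
  grep -Eiq '^[[:space:]]*enableSplunkWebSSL[[:space:]]*=[[:space:]]*(true|1)' "$1"
}

# Print the Splunk Web port: an uncommented httpport line, or the default 8000.
splunk_web_port() {
  port=$(sed -n 's/^[[:space:]]*httpport[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
  echo "${port:-8000}"
}

# Print the scheme (http or https) of the first proxy_pass in an nginx site file.
nginx_upstream_scheme() {
  sed -n 's|^[[:space:]]*proxy_pass[[:space:]]*\(https\{0,1\}\)://.*|\1|p' "$1" | head -n 1
}

# 0 if the proxy_pass scheme matches Splunk Web's SSL setting. A mismatch is
# what produces the 502 / "wrong version number" handshake error above.
proxy_scheme_matches() {
  if splunk_web_ssl_enabled "$1"; then want=https; else want=http; fi
  [ "$(nginx_upstream_scheme "$2")" = "$want" ]
}

# 0 if the site file carries a server_name (its absence gives the 404 above).
nginx_has_server_name() {
  grep -Eq '^[[:space:]]*server_name[[:space:]]+[^;]+;' "$1"
}

# 0 if httpd.conf enables SSLProxyEngine (the AH01961 hint above).
apache_ssl_proxy_on() {
  grep -Eiq '^[[:space:]]*SSLProxyEngine[[:space:]]+on' "$1"
}

# 0 if TCP port $1 is already bound ("port is already bound" above). Needs ss.
port_in_use() {
  ss -ltn 2>/dev/null | awk -v p=":$1\$" '$4 ~ p { found = 1 } END { exit !found }'
}

# Write constructed sample configs (not real files) into a temp dir; print its path.
make_demo_configs() {
  d=$(mktemp -d)
  cat > "$d/web.conf" <<'EOF'
[settings]
root_endpoint = /splunk
enableSplunkWebSSL = true
#httpport = 8081
EOF
  cat > "$d/web-plain.conf" <<'EOF'
[settings]
enableSplunkWebSSL = false
httpport = 8001
EOF
  cat > "$d/splunk.nginx.conf" <<'EOF'
server {
    listen 443 ssl http2;
    server_name splunk.example.invalid;
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}
EOF
  printf '# SSLProxyEngine not yet added\n' > "$d/httpd.conf"
  echo "$d"
}

# Print PASS/FAIL for one check and bump the shared failure counter.
report() {
  if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fails=$((fails + 1)); fi
}

# Run all file-based checks (web.conf, nginx site file, httpd.conf); return the failure count.
run_checks() {
  fails=0
  report proxy_scheme_matches "$1" "$2"
  report nginx_has_server_name "$2"
  report apache_ssl_proxy_on "$3"
  echo "Splunk Web port: $(splunk_web_port "$1")"
  return "$fails"
}

demo=$(make_demo_configs)
if run_checks "$demo/web.conf" "$demo/splunk.nginx.conf" "$demo/httpd.conf"; then
  echo "all checks passed"
else
  echo "some checks failed (see FAIL lines above)"
fi
rm -rf "$demo"
```

Run against the demo files, the script reports the scheme mismatch (web.conf has SSL on, but proxy_pass points at http://) and the missing SSLProxyEngine, while server_name passes; pointing the functions at /opt/splunk/etc/system/local/web.conf and your real site file gives the same answers for a live host. The scheme check is deliberately derived from web.conf rather than guessed, because the 502 and the SSL_do_handshake error are both symptoms of the proxy speaking the wrong protocol to Splunk Web.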


Splunk is fairly easy to install and, trust me, installing Tableau Server is harder. I followed an online tutorial on Splunk introduction and found that Splunk is similar to phpMyAdmin, because one stores data as logs and the other as SQL databases. Both provide various built-in tools to operate on datasets. While phpMyAdmin lets you do SELECT (find) on a database, Splunk enables the use of regex to search for pattern matches in logs. It can build charts and graphs for data visualization and piece them together into an informational dashboard.
