Maintenance:
Start Splunk
/opt/splunk/bin/splunk start
Stop Splunk
/opt/splunk/bin/splunk stop
Restart Splunk
/opt/splunk/bin/splunk restart
Check if Splunk is running
/opt/splunk/bin/splunk status
Reload a serverclass to push deployment apps without restarting Splunk
/opt/splunk/bin/splunk reload deploy-server -class [serverclass-name]
Check license expiration date
/opt/splunk/bin/splunk list licenses | grep "expiration_time" | awk -F':' '{print $2}' | xargs -I{} date -d @{} +"%Y-%m-%d %H:%M:%S"
List installed apps and their status
/opt/splunk/bin/splunk list app
List installed apps and their version (if found)
grep version /opt/splunk/etc/apps/*/default/app.conf
Install an app
/opt/splunk/bin/splunk install app <path to app.package>
Update an app
/opt/splunk/bin/splunk install app <path to app.package> -update 1
Remove an app
/opt/splunk/bin/splunk remove app [appname]
Check Splunk admins
/opt/splunk/bin/splunk list user | grep admin -B2
Basic config:
Enable Splunk service to start when the host boots up
/opt/splunk/bin/splunk enable boot-start
Disable Splunk service so it doesn’t start when the host boots up
/opt/splunk/bin/splunk disable boot-start
Extra:
Find the startup message
cat /opt/splunk/var/log/splunk/splunkd_stdout.log | grep "Splunk>" | tail -n 1