Install Splunk 7 on Ubuntu 16.04.5

Splunk on Ubuntu 16.04

1. change interface name to normal
   vi /etc/default/grub
   add net.ifnames=0 biosdevname=0 to GRUB_CMDLINE_LINUX line

grub-mkconfig -o /boot/grub/grub.cfg

reboot

2. timedatectl set-timezone UTC, NTP enable local server
   Ubuntu NTP: using timesyncd service

if using ntp, then stop and remove it
systemctl stop ntp
update-rc.d ntp disable
sysv-rc-conf to confirm
apt-get -y remove ntp

using timesyncd service
vi /etc/systemd/timesyncd.conf
NTP=0.cn.pool.ntp.org 1.cn.pool.ntp.org

systemctl start systemd-timesyncd
systemctl status systemd-timesyncd

3. tune ulimit parameters
   vi /etc/security/limits.conf
   • soft nofile 65535
   • hard nofile 65535
   • soft nproc 65535
   • hard nproc 65535

Disable Transparent Huge Page
vi /etc/systemd/system/disable-thp.service
[Unit]
Description=Disable Transparent Huge Pages (THP)

[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag && echo '0' > /sys/kernel/mm/transparent_hugepage/khugepaged/defrag"

[Install]
WantedBy=multi-user.target

systemctl daemon-reload
systemctl start disable-thp
systemctl enable disable-thp

reboot to take effect, ulimit -a to check

4. install splunk enterprise
   under root privilege:
   useradd -m splunk
   tar zxf splunk.xxx.xxx.gz -C /opt
   chown -R splunk:splunk /opt/splunk
   su - splunk
   /opt/splunk/bin/splunk start --accept-license
   /opt/splunk/bin/splunk enable boot-start -user splunk ( should use root permission to run )

5. ufw enableufw allow 8000