Installing Splunk Enterprise on Ubuntu or Debian

March 22, 2026 · splunk, linux, soc

Getting Splunk up and running on a fresh Ubuntu or Debian box takes about five minutes. There is one catch with Splunk 10.x that will silently burn you if you are running as root — more on that below.

Find the Latest Version

Splunk does not publish a generic “latest” redirect URL — the version is always baked into the link. You can try to pull it dynamically by scraping the download page:

SPLUNK_URL=$(curl -s 'https://www.splunk.com/en_us/download/splunk-enterprise.html' \
  | grep -oP 'https://download\.splunk\.com/products/splunk/releases/[^"]+linux-amd64\.deb' \
  | head -1)

echo "$SPLUNK_URL"

Fair warning: the download page is JavaScript-rendered, so this grep often comes back empty. If $SPLUNK_URL is blank, just head to the Splunk Enterprise download page directly, grab the .deb link, and hard-code it. At the time of writing the current release is 10.2.1.

Download and Install

If the dynamic URL resolved above, use it directly. Otherwise substitute the pinned URL:

# Use dynamic URL if it resolved, otherwise fall back to pinned version
SPLUNK_URL=${SPLUNK_URL:-"https://download.splunk.com/products/splunk/releases/10.2.1/linux/splunk-10.2.1-c892b66d163d-linux-amd64.deb"}

wget -O /tmp/splunk.deb "$SPLUNK_URL"
dpkg -i /tmp/splunk.deb
rm /tmp/splunk.deb
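
The commands above install whatever the URL returned, as root, with no integrity check. The following is an added example (not part of the original post, and not Splunk's own tooling) that validates the URL, verifies the package against a SHA-512 file, and only then runs dpkg. The function names are hypothetical, and it assumes Splunk serves a checksum at the package URL plus `.sha512`, in either `SHA512(name)= <hex>` or `<hex>  name` layout; confirm the real link on the download page.

```shell
#!/bin/sh
# Added example: check the .deb against a published SHA-512 before dpkg -i.

# Accept only an HTTPS .deb URL on download.splunk.com; an empty or
# mangled scrape result (quotes, spaces, HTML) is rejected.
is_splunk_deb_url() {
  case "$1" in
    *[!A-Za-z0-9._/:-]*) return 1 ;;
    https://download.splunk.com/products/splunk/releases/*.deb) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the digest from a checksum file in either "SHA512(name)= <hex>"
# or "<hex>  name" layout: split on every non-hex character and keep the
# first token that is exactly 128 hex digits. Fails if there is none.
expected_sha512() {
  digest=$(tr -c '0-9A-Fa-f' '\n' < "$1" | grep -xE '[0-9A-Fa-f]{128}' |
    head -n 1 | tr 'A-F' 'a-f')
  [ -n "$digest" ] && printf '%s\n' "$digest"
}

# verify_deb <package> <checksum-file>: succeed only on an exact match.
verify_deb() {
  want=$(expected_sha512 "$2") || return 1
  got=$(sha512sum "$1" | cut -d' ' -f1)
  [ "$got" = "$want" ]
}

# Download into a private temp dir, verify, then install.
# Assumption: the checksum is served at "<package URL>.sha512".
install_verified_splunk() {
  is_splunk_deb_url "$1" || { echo "refusing URL: '$1'" >&2; return 1; }
  tmp=$(mktemp -d) || return 1
  wget -q -O "$tmp/splunk.deb" "$1" &&
    wget -q -O "$tmp/splunk.deb.sha512" "$1.sha512" &&
    verify_deb "$tmp/splunk.deb" "$tmp/splunk.deb.sha512" &&
    dpkg -i "$tmp/splunk.deb"
  rc=$?
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] || echo "download, SHA-512 check or dpkg failed" >&2
  return "$rc"
}

# Runs only when asked:  sh install-splunk.sh --install "$SPLUNK_URL"
if [ "${1:-}" = "--install" ]; then install_verified_splunk "${2:-}"; fi
```

A checksum fetched from the same host catches truncated, corrupted or mismatched downloads; comparing against the value shown on the download page itself is the stronger check.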

Start Splunk

If you are running as root — which is common on a homelab or lab VM — you must pass --run-as-root. Without it, Splunk 10.x silently exits and gives you no useful error message.

/opt/splunk/bin/splunk start \
  --accept-license --answer-yes --no-prompt \
  --run-as-root --seed-passwd changeme

Replace changeme with whatever password you want for the admin account.

Enable Boot-Start

So Splunk comes back up automatically after a reboot:

/opt/splunk/bin/splunk enable boot-start -user root \
  --accept-license --answer-yes --no-prompt --run-as-root

Verify

/opt/splunk/bin/splunk status
ss -tlnp | grep 8000

The web UI will be at http://<your-server-ip>:8000. Log in with admin and the password you set above.

Staying Current

Since there is no rolling “latest” URL, the easiest way to stay up to date is to check the Splunk release notes periodically and update the version string in your install script when a new release drops.