Simple Best-Practices Splunk Installation Using Ansible

GitHub - johnmcgovern/ansible-splunk-base: This Ansible role that installs or upgrades a bare Splunk instance of a specified version with either systemd (Workload Management supported) or initd for process management.
This Ansible role that installs or upgrades a bare Splunk instance of a specified version with either systemd (Workload Management supported) or initd for process management. - GitHub - johnmcgove...

The project linked above is an Ansible playbook set that installs or upgrades Splunk to a specific version. It can also perform basic OS config (ulimits, THP disabled, hostname, etc.), ./splunk/etc/ backups, and SSL cert installation.


Install Ansible

 - sudo apt-get install ansible (Ubuntu) 
 - brew install ansible (macOS)

git clone this project

 - git clone

Navigate to project base directory

 - cd ./ansible-splunk-base		

Copy hosts.sample to hosts

 - cp hosts.sample hosts

Edit hosts file to include desired hosts

 - vi hosts

Copy group_vars/all.sample to group_vars/all

 - cp group_vars/all.sample group_vars/all

Edit group_vars/all variables as appropriate for your enviornment

 - vi group_vars/all


Navigate to playbook base directory

 - cd ./ansible-splunk-base

Run the Splunk install playbook

 - ansible-playbook -i hosts install.yml

-or- run the Splunk upgrade playbook

 - ansible-playbook -i hosts upgrade.yml

-or- run the Splunk OS initial configuration playbook (built to provide a simple configuration for lab hosts)

 - ansible-playbook -i hosts os-config.yml

-or- run a base OS config AND install Splunk.

 - ansible-playbook -i hosts combo.yml	

-or- configure an TLS/SSL key pair for the web UI (tcp/8000).

 - ansible-playbook -i hosts tls-config.yml						

-or- run the Splunk UF install playbook

 - ansible-playbook -i hosts uf-install.yml

-or- run the Splunk UF config playbook

 - ansible-playbook -i hosts uf-config.yml

-or- run the Splunk UF install AND config playbook

 - ansible-playbook -i hosts uf-combo.yml	

-or- run the Splunk UF upgrade playbook

- ansible-playbook -i hosts uf-upgrade.yml					

-or- run the Splunk configuration only (./etc/) backup playbook

- ansible-playbook -i hosts backup-etc.yml

-or- run the Splunk full backup (/opt/splunk/) playbook

- ansible-playbook -i hosts backup-full.yml		

Run an Ansible playbook limited to certain hosts within the hosts list

- ansible-playbook -i hosts --limit=host1 install.yml

Run multiple roles in one command

- ansible-playbook -i hosts os-config install.yml tls-config.yml


This role has been tested on:

  • Ubuntu 22.04, 20.04, & 18.04 Server (LTS)
  • RHEL 8
  • CentOS 7 1810
  • Amazon Linux 2 2020.04


  • The goal of this role is to quickly execute a best-practices base Splunk install/upgrade (including support for Workload Management, which is a departure from the previous install method).
  • There are more complex/full-featured projects out there for various deployment topologies. The goal here is simplicity, speed, and utility.
  • 8.1.1 introduced Policy Kit management of systemd processes which allows for splunk to be restarted (for example) as the splunk user or super user using the commnands "splunk restart", "systemctl restart Splunkd", and "sudo systemctl restart Splunkd" for maximum flexibility.
  • Both "systemd" and "initd" methods of Linux process management are supported. systemd is ONLY available in Splunk Enterprise version 7.2.2 and later.
  • Splunk versions 7.2.2 - 7.2.x implement "enable boot-start" differently than 7.3.0 and later. This is now accounted for.
  • Assuming a semi-default install (such as you would find if you installed with this playbook), upgrade.yml will convert from initd process management to systemd process management if you flag "systemd" on install_method.
  • A number of config items are set which disable pop-ups and modal dialogues which would normally be shown to the Splunk admin and/or users such as new version available notifications, UI tours, and python 2.7 deprication notifications. The goal here is to generally avoid UI annoyances that would crop up in automatic distributed Splunk deployments.
  • This Ansible playbook does not currently handle OS-level firewall allowances for splunkd TCP ports.
  • We bias towards being non-destructive. For example, if we see an existing/previous Splunk install we will fail out rather than damage the current install.


  • Support for additional server settings.
  • Simplified version/file/hash dictionary.


This project is provided WITHOUT any form of warranty and should be tested thoroughly before using it in your environment. Development is best-effort only. This project is provided as-is with no guarantee as to fitness for a specific purpose. Please use it at your own risk.