Creating a Splunk bashrc Profile for Easy CLI

Ryan Glynn/ August 24, 2017/ Security and Technology/ 0 comments

One of the things that makes doing Splunk operations and infrastructure work so much easier and faster is having a bashrc profile (assuming you’re running Splunk for Unix) that aliases a lot of the common commands. This is a quick step by step on how to create a bashrc profile for Splunk.

  1. Create a bashrc profile for the default ssh user

If you run Splunk as root, or as the same user you ssh in as, skip to step 3.

If you log in as root or any other user that then needs to su to the splunk user, follow the steps below.

  • First we log in via the CLI to the server that is running Splunk
  • Next, we think of a term that we want to type to quickly su to Splunk — in our example we will use chas
  • Then we type “vi .bashrc” into the CLI to edit the bash file for our ssh user
  • We can input something like the following – remember, if you don’t want to type chas but something else, change it where it says chas:

# .bashrc

# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi

# Switch to the splunk user with a short alias
alias chas="su - splunk"

Then save via :wq

  2. Source the bash file and “chas”

Type the following into the CLI “source .bashrc” – this reloads the bash file. Then type your aliased phrase, so in our example we would type “chas”.

  3. Edit the bashrc file of the user Splunk runs as

As with step 1, we are going to edit the bashrc file, but this time with a slightly different configuration.

Start by entering “vi .bashrc”

Input the following:

# .bashrc

# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi

# User specific aliases and functions

# Splunk install location, and put its bin directory on the PATH
export SPLUNK_HOME=/opt/splunk
export PATH=$PATH:$SPLUNK_HOME/bin

# Shortcuts to the directories visited most while troubleshooting
alias esl="cd /opt/splunk/etc/system/local"
alias apps="cd /opt/splunk/etc/apps"
alias logs="cd /opt/splunk/var/log/splunk"

# Prompt that names this server's role
export PS1="splunk@clustermaster>"

So here is where things can get rather nice and customized. The above is just an example, but you can modify this to do a lot more. The aliased commands allow you to do things like type “esl” to go straight to /opt/splunk/etc/system/local — this is very convenient when troubleshooting issues, as switching between directories can be a giant pain at times. The export PS1 allows you to name each individual server’s Splunk user so that it is always clear what kind of server you are on. In the example above, I set it equal to “splunk@clustermaster>” so that I don’t accidentally think I am on some other kind of server and edit the wrong config file locations.

Exporting SPLUNK_HOME and adding $SPLUNK_HOME/bin to the PATH allows me to just type “splunk restart” or “splunk cmd btool” instead of constantly having to type the full path to the binary (which is also a constant pain) when I want to restart the splunk service or reload configurations from a deployment server.
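As an added example (not from the original post), here is a way to set that role-naming prompt from the server’s own configuration instead of hard-coding “clustermaster” on every box. It assumes SPLUNK_HOME is exported as above and that the clustering role, if any, is in $SPLUNK_HOME/etc/system/local/server.conf under a [clustering] stanza with “mode = master|slave|searchhead”; the role-to-label mapping is this example’s own choice.

```shell
# Added example, not part of the original post.
# Assumption: the clustering role lives in server.conf as
#   [clustering]
#   mode = master | slave | searchhead
# Anything else (or no readable file) is labelled "standalone".

splunk_role() {
    # $1: path to server.conf; prints one word describing the role.
    conf="$1"; stanza=""; mode=""
    [ -r "$conf" ] || { echo "standalone"; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \[*\])
                # Track which stanza we are in, e.g. [clustering]
                stanza="${line#\[}"; stanza="${stanza%\]}" ;;
            mode*=*)
                # Only honour "mode" inside the [clustering] stanza
                if [ "$stanza" = "clustering" ]; then
                    mode="$(printf '%s' "${line#*=}" | tr -d ' \t\r')"
                fi ;;
        esac
    done < "$conf"
    case "$mode" in
        master)     echo "clustermaster" ;;
        slave)      echo "indexer" ;;
        searchhead) echo "searchhead" ;;
        *)          echo "standalone" ;;
    esac
}

splunk_prompt() {
    # Build the PS1 string for this box: short hostname plus role.
    role="$(splunk_role "${SPLUNK_HOME:-/opt/splunk}/etc/system/local/server.conf")"
    printf '%s' "splunk@$(hostname -s):${role}> "
}

# In .bashrc, after exporting SPLUNK_HOME:
#   export PS1="$(splunk_prompt)"
```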

As always, let me know if anything is confusing or doesn’t work or if you have any other cool bashrc tricks to aid in your Splunk work!
