This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4
The $SPLUNK_HOME variable refers to the top level directory of your installation. By default, this is /opt/splunk/.
To save a lot of typing, set a SPLUNK_HOME environment variable and add $SPLUNK_HOME/bin to your shell's path. The example below works for bash users who accepted the default installation location. Use the correct syntax and path for your own installation.
# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH
Splunk's command line interface is located in $SPLUNK_HOME/bin/. If you have exported the path and environment variables (as explained above), you can use the splunk command as follows:
# splunk [action] [object] [-parameter value] ....
If you haven't set an environment variable, navigate to $SPLUNK_HOME/bin/ and run commands as follows:
# ./splunk [action] [object] [-parameter value] ....
For general help, type:
# splunk help
For a list of commands and options, type:
# splunk help commands
When using Splunk with an Enterprise license, administration commands must be authenticated with a username and password.
To authenticate for an entire session, type:
# splunk login
You will be prompted for a Splunk username and password. This is the same username and password you use to log into the SplunkWeb interface. By default, the login is set to admin and the password is changeme.
You can log out at any time by typing:
# splunk logout
To authenticate a single command, use the -auth parameter:
# splunk search foo -auth username:password
Please note: the -auth string must be the last term in the CLI command.
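An added example, not part of the Splunk documentation: credentials passed with -auth are part of the command line, so they are saved in shell history and visible in ps output while the command runs. The function below reads history or ps lines on stdin and flags such invocations with the password redacted; the names audit_splunk_auth and sample_history and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag splunk CLI invocations that carry "-auth user:password".
# Input: command lines on stdin (shell history or ps output).
# Output: one finding per match: line number, kind, user, redacted password.
audit_splunk_auth() {
    awk '
    {
        # Only look at lines that invoke splunk (bare, ./splunk or full path).
        if ($0 !~ "(^|[ /])splunk ") next
        for (i = 1; i < NF; i++) {
            if ($i != "-auth") continue
            cred = $(i + 1)
            sep = index(cred, ":")
            if (sep == 0) continue          # no inline password on this line
            user = substr(cred, 1, sep - 1)
            pass = substr(cred, sep + 1)
            # admin/changeme is the default login named in this documentation.
            kind = (user == "admin" && pass == "changeme") ? "DEFAULT" : "INLINE"
            # The documentation requires -auth to be the last term.
            pos = (i + 1 == NF) ? "last" : "not-last"
            printf "%d %s user=%s password=<redacted> auth-position=%s\n", NR, kind, user, pos
        }
    }'
}

# Constructed sample history lines (not captured from a real system).
sample_history() {
    cat <<'EOF'
splunk login
splunk search foo -auth admin:changeme
cd /opt/splunk/bin
./splunk search bar -auth alice:S3cret-constructed
splunk search -auth bob:pw-constructed baz
EOF
}

# Stand-alone run over the constructed sample.
sample_history | audit_splunk_auth
```

To audit a real account, feed it a history file instead, for example `audit_splunk_auth < ~/.bash_history`.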
Ensure that you have added Splunk to your server host's path (as explained above, in "Adding Splunk to your shell path"). Otherwise you must use the ./splunk command.
From a shell prompt on the server host, run this command:
# splunk start
You can also restart the server by running:
# splunk restart
To shut down the Splunk Server, run this command:
# splunk stop
To check if Splunk is running, type this command at the shell prompt on the server host:
# splunk status
You should see this output:
splunkd is running (PID: 3162).
splunk helpers are running (PIDs: 3164).
splunkweb is running (PID: 3216).
Or you can use ps to check for running Splunk processes:
# ps aux | grep splunk | grep -v grep
Solaris users, type -ef instead of aux:
# ps -ef | grep splunk | grep -v grep
Help is available in several forms.
# splunk help