Before you install
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk:
3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4
Before you install
The 3.0.x and 3.1 releases do not support automated migration from prior releases. Do not attempt it, or you may overwrite your configuration files. Instead, install and try the release in a separate file path with different ports. If you wish to migrate now, read the manual migration instructions.
Splunk 3.1 now allows searches to use either a double colon (::) or an equal sign (=) when specifying fields. This change is the first step in eliminating the differences in search syntax between search fields and extracted fields.
One consequence of this change is that a search for a literal string containing an equal sign now requires quotation marks around the expression with the equal sign. This may cause saved searches to stop working. Before you install Splunk 3.1, examine your saved searches and modify them as needed. See the 3.1 change log for a complete list of new features and known problems in this release.
System Requirements
Please check the release notes and download page for details on known issues.
Host Operating System
- AIX 5.2 and 5.3
- AIX 5.4 has not yet been tested by Splunk. If you wish to try it, use a test server and send us feedback.
- Linux distributions with a 2.6 or later kernel (32-bit and 64-bit), and major distributions with a 2.4 kernel and NPTL (32-bit only)
- Solaris 8, 9 & 10 / SPARC
- Solaris 9 & 10 / x86
- Mac OS X 10.4 / PPC & x86
- FreeBSD 6.1 (6.2 for 64-bit versions) or later
Client Operating System / Browser
You can verify your installed version of Flash here
Server Hardware
- 32-bit and 64-bit architectures are supported on some platforms. See the download page for details.
File System
- Linux - ext2/3, reiser3, XFS
- Solaris - UFS, ZFS, VXFS
- FreeBSD - FFS, UFS
- Mac - HFS
- AIX - JFS, JFS2, NFS 3/4
- Note: Most other file systems are also supported.
- Note: Running Splunk on a file system not listed above may cause Splunk to run a startup check named "locktest". "locktest" is a program that independently tests the startup process.
- Running "locktest":
- From the SPLUNK_HOME directory, source the Splunk environment into your shell (in bash, run: . bin/setSplunkEnv). This assumes that setSplunkEnv has been properly configured.
- Run "locktest". If it succeeds, Splunk supports the file system. If it fails, contact support (support@splunk.com).
Minimum
- 1x1.4 GHz CPU, 1 GB RAM on any modern OS
- 100 MB free disk space
Recommended
- 2x3.4 GHz CPU, 4 GB RAM
- Running Splunk in a virtual machine (VM) will degrade performance.
Storage
- For standard syslog data, the index needs up to 50% of the raw data size. (Tunable down to 12% with lower indexing density.)
- For other data sources, compression rates may be lower and storage requirements higher.
- Faster drives give better search performance.
- For more information on ways to reduce your index density, click here.
FreeBSD
To ensure that Splunk functions properly on FreeBSD, make sure you have the following in /boot/loader.conf:
kern.maxdsiz="2147483648" # 2GB
kern.dfldsiz="2147483648" # 2GB
You also need the following in /etc/sysctl.conf:
vm.max_proc_mmap=2147483647
machdep.hlt_cpus=0
Installing as root
- If you are using any type of package manager, you must install as root. You do not have to install as root if you are installing from the tarball.
- If you run the installation with root privileges, it creates a splunk user and a splunk group (if they don't already exist). Splunk must then run either as root or as a member of the splunk group.
- If you run the installation without root privileges, it does not attempt to create users or groups. You can run Splunk under the user name you installed it as.
- If you want Splunk to run as a non-root user and are using one of the packages (not the tarball), create the user and group first, run the installation as root, and then chown the resulting installation to the desired user.
- The user Splunk runs as must have permission to read all the data inputs you define. Running as a non-root user has two consequences:
- Network data inputs cannot listen on privileged ports, usually those below 1024. In particular, Splunk will not be able to accept syslog on its default port, 514.
- Some files and directories may be in locations readable only by root; Splunk cannot read them and will not index them.
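The following preflight script is an added example, not part of Splunk or this documentation. It turns the non-root checklist above into something you can run as the user Splunk will run as (for instance via su - splunk -c "..."): it reports whether the install directory is owned by that user (the chown step), whether each data input path is readable by that user, and whether any configured network input sits on a privileged port. The default port list "514 9997" and the example paths in the comments are assumptions for illustration.

```sh
#!/bin/sh
# preflight.sh - hypothetical helper, not shipped with Splunk.
# Run it AS THE USER SPLUNK WILL RUN AS, for example:
#   su - splunk -c "/tmp/preflight.sh /opt/splunk /var/log/messages /var/log/secure"
# Listening ports are read from PORTS (space separated); "514 9997" is an
# assumed default for illustration. Exit status is the number of problems found.

# port_needs_root PORT: true when PORT is privileged (below 1024), which a
# non-root Splunk cannot bind. Syslog's default 514 is the usual case.
port_needs_root() {
    [ "$1" -lt 1024 ]
}

# input_readable PATH: true when the current user can read PATH.
# A data input that fails this check will simply not be indexed.
input_readable() {
    [ -r "$1" ]
}

# owned_by_me PATH: true when PATH exists and is owned by the current user,
# i.e. the post-install chown to the desired user has been done.
owned_by_me() {
    [ -O "$1" ]
}

# preflight SPLUNK_HOME [INPUT_PATH ...]: run all checks, print findings,
# return the number of problems.
preflight() {
    home=$1
    shift
    problems=0
    if [ "$(id -u)" -eq 0 ]; then
        echo "note: running as root, privileged ports and root-only files are not an issue"
    else
        for p in ${PORTS:-514 9997}; do
            if port_needs_root "$p"; then
                echo "PROBLEM: non-root Splunk cannot listen on privileged port $p"
                problems=$((problems + 1))
            fi
        done
    fi
    if ! owned_by_me "$home"; then
        echo "PROBLEM: $home is not owned by $(id -un); chown -R it to this user"
        problems=$((problems + 1))
    fi
    for f in "$@"; do
        if input_readable "$f"; then
            echo "ok: $f is readable"
        else
            echo "PROBLEM: $f is not readable by $(id -un) and will not be indexed"
            problems=$((problems + 1))
        fi
    done
    echo "$problems problem(s) found"
    return "$problems"
}

# Run the checks only when invoked with arguments, so the functions can
# also be sourced from another script.
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

Run it once as root and once as the splunk user: the root run should report nothing about ports or file access, while the non-root run shows exactly which syslog ports and which root-only log files you must move to a high port or make group-readable before Splunk will see them.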