This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13
Splunk installs in minutes using standard rpm, pkg, dmg, deb and other installers. It doesn't require any external packages and installs cleanly into its own directory. Setting up live data inputs is easy via either Splunk Web or the command-line interface.
Splunk doesn't have to be deployed on production systems if network logging, such as syslog, is already in place. If you do choose to install Splunk on production servers to read logfiles locally, the CPU and network footprint is the same as if you were tailing the same files and piping the output to netcat. The Splunk Server's memory footprint for just tailing files and forwarding them over the network is less than 30 MB of resident memory.
We expect Splunk to perform better with more cores because the cache is shared, so data is closer when two threads use the same memory.
Splunk should work on any Linux distro with a version 2.4+ kernel (x86) as well as FreeBSD/x86, Solaris (Sparc and x86), Mac OS X (PPC and Intel), and Windows. Splunk can also process data from any networked device with any operating system, not just from servers running Splunk. See the main documentation for a complete list of system requirements.
No. Splunk can process and index any format of log data without special adapters to interpret each format. It can access data remotely via syslog, SNMP, or by watching files mirrored via rsync or rotated to a central log host with scp or ftp. You can choose to deploy Splunk to access logfiles in real time on production hosts if you have data sources that don't support remote logging, but this is the same Splunk software package and not a special agent.