This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13
The default username is admin and password is changeme.
Splunk indexes data by breaking it into segments, and it searches for exact matches. If you type in "foo", Splunk expects to find a segment that is an exact match to "foo". It won't match "sfoo" or "food". For these types of searches, you can use * as a wildcard (e.g. "*foo" or "foo*").
If that doesn't work, start with a broader search, such as "meta::all". To see how Splunk has broken your events into segments, mouse over a result: each separate string that highlights is a separate segment.
First, make sure you have the right server URL. Try to telnet or ssh to the host. If you can log in, check whether both Splunk processes are running. At the shell prompt, type $SPLUNK_HOME/bin/splunk status, or just use the ps command. You should see two processes: splunkd and splunkWeb (twisted.py).
Restart the Splunk server by typing "splunk restart". It should report [ OK ] for both splunkd and splunkWeb.
Make sure you have the correct path when you are starting Splunk. The best way to verify this is to navigate into $SPLUNK_HOME/bin and type ./splunk restart ($SPLUNK_HOME is the path you installed in). If Splunk still won't start, contact support.
The webserver needs to connect to the Splunk daemon via the management port; by default this port is 8089. The most common reason for this error is that the webserver is unable to connect to this port. Some good things to check
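The process and management-port checks described above can be scripted. The following is an added example, not part of the original Splunk documentation; the function names, the sample ps output and the 127.0.0.1 default host are constructed for illustration.

```python
import socket

# Process names from the FAQ: splunkd, and splunkWeb (listed by ps as twisted.py).
EXPECTED = (("splunkd", "splunkd"), ("splunkWeb", "twisted.py"))

# Constructed sample of `ps -ef` output (paths are illustrative, not a real layout).
SAMPLE_PS = """\
splunk  2101     1  0 10:02 ?      00:00:41 /opt/splunk/bin/splunkd
splunk  2102     1  0 10:02 ?      00:00:03 python /opt/splunk/lib/twisted.py
root    2290  2250  0 10:05 pts/0  00:00:00 grep splunkd
"""

def missing_processes(ps_output):
    """Return the expected Splunk processes that do not appear in ps output."""
    seen = set()
    for line in ps_output.splitlines():
        tokens = line.split()
        if "grep" in tokens:  # ignore the grep that is searching for the name
            continue
        basenames = {tok.rsplit("/", 1)[-1] for tok in tokens}
        for name, marker in EXPECTED:
            if marker in basenames:
                seen.add(name)
    return [name for name, _ in EXPECTED if name not in seen]

def mgmt_port_reachable(host="127.0.0.1", port=8089, timeout=3.0):
    """True if a TCP connection to the management port (default 8089) succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name resolution failure
        return False

def diagnose(ps_output, host="127.0.0.1", port=8089, timeout=3.0):
    """Collect human-readable findings; an empty list means both checks passed."""
    findings = ["process not running: " + n for n in missing_processes(ps_output)]
    if not mgmt_port_reachable(host, port, timeout):
        findings.append("cannot connect to management port %s:%d" % (host, port))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_PS) or ["splunkd, splunkWeb and port 8089 look OK"]:
        print(finding)
```

Run it on the host where the webserver runs, since that is the side that must reach the management port; feed it real ps output in place of the sample.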
See our Admin Manual section on Index Management.
See the Admin Manual section on Testing Configuration Changes.
Version 3 introduces a new license key format. If you are an existing 2.x customer, your license will not work with 3.0. Plus Support customers are entitled to upgrade their 2.x license to 3.0. Please contact Splunk Support for your 3.0 license.
If you are using the free license you can perform the following steps:
Stop Splunk (./splunk stop)
$SPLUNK_HOME/etc/splunk-free.license to $SPLUNK_HOME/etc/splunk.license
Start Splunk (./splunk start)
There is a bug in Internet Explorer with regard to file downloads over SSL. The problem and resolution are documented here
Add this to your [settings] stanza in web.conf (create a new file in $SPLUNK_HOME/etc/system/local if necessary):
updateCheckerBaseURL = 0