This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 , 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12
Before installing Splunk on your system:
Some platform-specific installers come in both a package form and a tarball. Follow the instructions for your specific package or tarball.
Note: If you have a system maintenance process that periodically compresses files on your filesystem, you must disable this for your Splunk installation and index directories. There are many static files that are required for normal operation and must not be compressed.
On Unix, installing from any package manager format (RPM, DEB, and so on) must be done as root; only a tarball can be unpacked by an unprivileged user. When you install with root privileges, the installer creates the user splunk and the group splunk if they do not already exist. If you install without root privileges, it does not attempt to create any user or group.
The splunkd process itself can run as root, as the splunk user, or as any other local user; running it as an unprivileged account such as splunk is the least-privilege choice. Whichever user you choose must have read access to every data input you define. Some files and directories live in privileged locations (for example, root-only log files), and those inputs will not be indexed unless you fix their ownership or mode so that the Splunk user can read them. Check this before the first start rather than after you notice missing data.
On Windows, you must install Splunk with local administrator privileges so that the installer can bind the ports used for splunkd to splunkweb communication. During installation you choose the single account that both splunkd and splunkweb will run as.
Splunk strongly recommends that you run Splunk as the Local System account if you do not need to collect data from other machines, because that account cannot authenticate to remote hosts and therefore cannot be used to reach them.
If you want to collect data from additional machines remotely (for example, WMI polling of event logs, or collecting IIS logs through a file share), you must install Splunk using a domain service account that you create for this purpose. This account needs administrator-like permissions on the local machine and sufficient privileges on the target machines to collect the data you want; grant only what that collection requires. For details on the permissions WMI polling needs, refer to the WMI documentation.
You can run Splunk as another account besides local system or the local administrator. However, you must grant the following rights to the service account:
You must allow this account additional, specific permissions if you want to collect the registry or event logs.
Splunk Web's service does not require as many permissions as splunkd to function, and can be safely reduced to:
Note: When installing Splunk with a domain account, you must enable NetBIOS so that the account's authentication can be validated.
Splunk Web is configured to periodically contact Splunk's servers to check for new versions of itself. If the host is on a LAN with no Internet access, or if you do not want the instance making outbound connections of its own, disable this feature after installation.
Splunk listens on two network ports by default: 8000 (Splunk Web) and 8089 (the splunkd management port). Make sure nothing else on the host is bound to either port before you install. You can enable SSL for Splunk Web after installation; the management port carries administrative traffic, so limit access to it to the hosts that need it.
For a complete list of the files that Splunk installs, refer to the file manifest for your platform, located directly under $SPLUNK_HOME alongside the etc directory.
Before you start Splunk for the first time, review the topics under Advanced Installation. The topics include configuring Splunk to start at boot time, bind to an IP, and run as a non-root user.