Change default values

Change default values

Before you begin configuring Splunk for your environment, check through the following default settings to see if there's anything you'd like to change.

Changing the admin default password

Splunk with an Enterprise license has a default administration account and password, admin/changeme. Splunk recommends strongly that you change the default. You can do this via Splunk's CLI or Splunk Web.

via Splunk Web

• Log into Splunk Web as the admin user.
• Click Manager in the top-right of the interface.
• Click Users.
• Click the admin user.
• Update the password and click Save.

via Splunk CLI

The Splunk CLI command is:

# splunk edit user

Note: You must authenticate with the existing password before it can be changed. Log into Splunk via the CLI or use the -auth parameter.

For example:

# splunk edit user admin -password foo -role admin -auth admin:changeme

This command changes the admin password from changeme to foo.

Change network ports

Splunk uses two ports. They default to:

• 8000 - HTTP or HTTPS socket for Splunk Web.
• 8089 - Splunkd management port. Used to communicate with the splunkd daemon. Splunk Web talks to splunkd on this port, as does the command line interface and any distributed connections from other servers.

Note: You may have changed these ports at install time.

via Splunk Web

• Log into Splunk Web as the admin user.
• Click Manager in the top-right of the interface.
• Click the System Configuration tab.
• Click System Settings.
• Change the value for Web port and click Save.

via Splunk CLI

To change the port settings via the Splunk CLI, use the CLI command set.

# splunk set web-port 9000

This command sets the Splunk Web port to 9000.

# splunk set splunkd-port 9089

This command sets the splunkd port to 9089.

Change the default Splunk server name

The Splunk server name setting controls both the name displayed within Splunk Web and the name sent to other Splunk Servers in a distributed setting.

The default name is taken from either the DNS or IP address of the Splunk Server host.

via Splunk Web

• Log into Splunk Web as the admin user.
• Click Manager in the top-right of the interface.
• Click the System Configuration tab.
• Click System Settings.
• Change the value for Splunk server name and click Save.

via Splunk CLI

To change the server name via the CLI, type the following:

# splunk set servername foo

This command sets the servername to foo.

Changing the datastore location

The datastore is the top-level directory where the Splunk Server stores all indexed data, user accounts, and working files.

Note: If you change this directory, the server does not migrate old datastore files. Instead, it starts over again at the new location.

To migrate your data to another directory follow the instructions in Move an index.

via Splunk Web

• Log into Splunk Web as the admin user.
• Click Manager in the top-right of the interface.
• Click the System Configuration tab.
• Click System Settings.
• Change the path in Path to indexes and click Save.

via Splunk CLI

To change the server name via the CLI, type the following:

# splunk set datastore-dir /var/splunk/

This command sets the datastore directory to /var/splunk/.

Set minimum free disk space

The minimum free disk space setting controls how low disk space in the datastore location can fall before Splunk stops indexing.

Splunk resumes indexing when more space becomes available.

via Splunk Web

• Log into Splunk Web as the admin user.
• Click Manager in the top-right of the interface.
• Click the System Configuration tab.
• Click System Settings.
• Change the value for Pause indexing if free disk space falls below: and click Save.

via Splunk CLI

To change the server name via the CLI, type the following:

# splunk set minfreemb 2000

This command sets the minimum free space to 2000 MB.