
Install on Windows via the commandline

This documentation applies to the following versions of Splunk: 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10

This topic describes the procedures for installing Splunk on Windows using the commandline.

Important: Running the 32-bit version of Splunk for Windows on a 64-bit platform is not recommended. If you can run 64-bit Splunk on 64-bit hardware, we strongly recommend it. The performance is greatly improved over the 32-bit version.

Note: The Windows App was enabled by default in its app.conf file in versions 4.0-4.0.2. Starting in version 4.0.3, it is disabled in this file by default. Read on for important details:

  • If you're upgrading from 4.0-4.0.2 to 4.0.3 or later, the Windows App will be disabled, even if it was enabled in the version you're upgrading from.
  • If you're doing a fresh installation of 4.0.3 or later, the Windows App is enabled by default, unless you explicitly enable a different app such as SplunkLightForwarder via the MSI. However, you can enable the forwarder apps and enable Windows Event Log indexing explicitly. If you want to install the Windows App in a disabled state, you must specify this using the SPLUNK_APP msiexec flag, as described later in this topic.

Choosing the user Splunk should run as

When you run the Splunk Windows installer, you are given the option to select a user Splunk will run as.

If you install as the Local System user, Splunk will have access to all or nearly all of the important information on your local machine. However, the Local System user has no privileges on other Windows machines by design. If you intend to read Event Logs or performance counters from other machines via WMI, or read network shares for log files, you will need a domain account. That account must be a local Administrator or equivalent, and should have rights to the external data you want Splunk to index. Please ask your Windows domain administrator for an account if you are unsure of what credentials to give Splunk.

Minimum permissions required for the two Splunk services:

Required user rights for the splunkd service:

  • Full control over Splunk's installation directory
  • Read access to any flat-files
  • Permission to log on as a service
  • Permission to log on as a batch job
  • Replace a process-level token
  • Permission to act as part of the operating system
  • Permission to bypass traverse checking

Required user rights for the splunkweb service:

  • Full control over Splunk's installation directory
  • Permission to log on as a service

Important: If you must change the user Splunk runs as after you have installed, you must ensure that the user you create has the necessary permissions listed above, and also that the user has Full Control permissions to the $SPLUNK_HOME/var directory.

If you specified the wrong user during your installation, Splunk will not start. In this case Splunk has installed itself to run as the Local System user by default. Follow the instructions above to switch to the correct user before starting Splunk.

How to use the MSI on the commandline

You can install Splunk for Windows using the MSI on the commandline by typing the following:

msiexec.exe /i Splunk.msi

This section lists the available flags for doing this, and provides a few examples of doing this in various configurations.

You can specify

  • which Windows event logs to index or not
  • which Windows registry hive to monitor
  • which WMI information to pull
  • the user Splunk runs as (be sure the user you specify has the appropriate permissions to access the content you want Splunk to index)
  • an included application configuration for Splunk to enable (such as the Splunk light forwarder)
  • whether or not Splunk should start up automatically when the installation is completed

Note: The first time you access Splunk Web after installation, log in with the default username admin and password changeme.

Supported flags

The following is a list of the flags you can use when installing Splunk for Windows via the commandline.

Use this flag to specify the directory to install into. The default is c:\program files\splunk.

  • INSTALLDIR=<directory_path>

Use these flags to specify alternate ports for splunkd and splunkweb to use.

  • SPLUNKD_PORT=<port number>
  • WEB_PORT=<port number>

Use these flags to specify whether or not Splunk should index a particular Windows event log.

  • WINEVENTLOGAPPCHECK=1/0, off by default
  • WINEVENTLOGSECCHECK=1/0, off by default
  • WINEVENTLOGSYSCHECK=1/0, off by default
  • WINEVENTLOGFWDCHECK=1/0, off by default
  • WINEVENTLOGSETCHECK=1/0, off by default

Use these flags to specify whether or not Splunk should index the Windows registry USER hive. By default these are set to 0 (off).

  • REGISTRYCHECK_U=1/0
  • REGISTRYCHECK_BASELINE_U=1/0

Use these flags to specify whether or not Splunk should index the Windows registry LocalMachine hive. By default, these are set to 0 (off).

  • REGISTRYCHECK_LM=1/0
  • REGISTRYCHECK_BASELINE_LM=1/0

Use these flags to specify which WMI performance information to index. These are set to 0 (off) by default.

  • WMICHECK_CPUTIME=1/0
  • WMICHECK_LOCALDISK=1/0
  • WMICHECK_FREEDISK=1/0
  • WMICHECK_MEMORY=1/0

Use this flag to specify a user Splunk should run as. Supported values are: 1 for the LocalSystem user and 2 for a different user. The default value is 1.

  • RBG_LOGON_INFO_USER_CONTEXT=1/2

Use these flags to provide domain/username and password information for the user specified in RBG_LOGON_INFO_USER_CONTEXT. You must specify the domain with the username in the format "domain\username".

  • IS_NET_API_LOGON_USERNAME="<domain\username>"
  • IS_NET_API_LOGON_PASSWORD="<pass>"

Use this flag to specify an included Splunk application configuration to enable for this installation of Splunk. Currently supported options for <SplunkApp> are: SplunkLightForwarder, SplunkForwarder.

Refer to the documentation about the Splunk forwarder and light forwarder configurations for more information about the forwarders. If you specify either the Splunk forwarder or light forwarder here, you must also specify FORWARD_SERVER="<server:port>".

  • SPLUNK_APP=<SplunkApp>

To install Splunk with no applications at all, specify this flag but leave the value empty ( SPLUNK_APP="" ).

Use this flag *only* when you are also using SPLUNK_APP to enable either the Splunk forwarder or light forwarder. Specify the server and port of the Splunk server to which this forwarder will send data.

  • FORWARD_SERVER="<server:port>"

Use this flag to specify whether or not Splunk should start up automatically when the installation completes. The default value is 1 (on).

  • LAUNCHSPLUNK=0/1

Important: If you are enabling an App (SPLUNK_APP), Splunk will start automatically; this cannot be overridden.

Use these flags to specify which Splunk services start up automatically at boot time.

  • AUTOSTARTSERVICE=0/1 (starts both services)
  • AUTOSTARTSERVICE_SPLUNKD=0/1
  • AUTOSTARTSERVICE_SPLUNKWEB=0/1

Silent installation

To run the installation silently, add /quiet to the end of your installation command string. If your system is running UAC (which is sometimes on by default), you must run the installation as Administrator. To do this, when opening a cmd prompt, right-click and select "Run As Administrator", then use this cmd window to run the silent install command.

Examples

The following are some examples of using different flags.

Install Splunk to run as the Local System user

msiexec.exe /i Splunk.msi RBG_LOGON_INFO_USER_CONTEXT=1

Specify the username and the domain the user belongs to

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="AD\splunk" IS_NET_API_LOGON_PASSWORD="splunk123"

Enable SplunkForwarder, disable indexing of the Windows System event log, and run the installer in silent mode

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" WINEVENTLOGSYSCHECK=0 /quiet

Where "<server:port>" are the server and port of the Splunk server to which this machine should send data.
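The following PowerShell script is an added example, not part of the Splunk documentation. It combines the flags above into one unattended forwarder install that runs as a domain service account, prompts for the password instead of embedding it in a script, checks the installer's exit code, and then confirms which account each Splunk service was actually registered under (the MSI path, forwarder address and account name are placeholders).

```powershell
# Added example (not from the Splunk docs): unattended install of the Splunk
# forwarder under a domain service account, followed by a post-install check.
param(
    [string]$Msi           = 'C:\Temp\Splunk.msi',              # assumed path
    [string]$ForwardServer = 'indexer.example.com:9997',        # placeholder
    [string]$ServiceUser   = 'AD\svc_splunk',                   # placeholder account
    [string]$InstallDir    = 'C:\Program Files\Splunk'
)

# Under UAC a /quiet install must come from an elevated shell; fail early if not.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as Administrator) PowerShell prompt.'
}

# Prompt for the service account password rather than storing it in the script
# or in shell history. Note that IS_NET_API_LOGON_PASSWORD is still passed to
# msiexec on its command line, so this value is visible to local administrators
# in the process list for the duration of the install.
$cred  = Get-Credential -UserName $ServiceUser -Message 'Splunk service account'
$plain = $cred.GetNetworkCredential().Password
$log   = Join-Path $env:TEMP 'splunk-install.log'

$msiArgs = @(
    '/i', "`"$Msi`"",
    "INSTALLDIR=`"$InstallDir`"",
    'SPLUNK_APP="SplunkForwarder"',              # forwarder app: needs FORWARD_SERVER
    "FORWARD_SERVER=`"$ForwardServer`"",
    'RBG_LOGON_INFO_USER_CONTEXT=2',             # 2 = run as the account given below
    "IS_NET_API_LOGON_USERNAME=`"$ServiceUser`"",
    "IS_NET_API_LOGON_PASSWORD=`"$plain`"",
    'WINEVENTLOGSECCHECK=1',                     # index the Security event log
    'WINEVENTLOGSYSCHECK=1',                     # index the System event log
    '/quiet', '/l*v', "`"$log`""
)
$proc  = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
$plain = $null   # drop the clear-text copy once msiexec has it
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode); see $log"
}
# The verbose MSI log can record property values; delete it once reviewed.

# Confirm both services exist and run under the requested account, not LocalSystem.
Get-WmiObject Win32_Service -Filter "Name='splunkd' OR Name='splunkweb'" |
    Select-Object Name, StartName, StartMode, State
```

Because SPLUNK_APP is set, Splunk starts automatically when the installer finishes (LAUNCHSPLUNK cannot override this), so the service state shown at the end should already be Running.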

Launch Splunk in a Web browser

To access Splunk Web after you start Splunk on your machine, you can either:

  • Click the Splunk icon in Start>Programs>Splunk

or

Log in using the default credentials: username admin and password changeme. Be sure to change the admin password as soon as possible and make a note of what you changed it to.

Now that you're ready to use Splunk, refer to the User Manual and begin using Splunk!

Avoid IE Enhanced Security pop-ups

To avoid IE Enhanced Security pop-ups, add the following URLs to the allowed Intranet group or fully trusted group in IE:

  • quickdraw.splunk.com
  • the URL of your Splunk instance

Install or upgrade license

If you are performing a new installation of Splunk or switching from one license type to another, you must install or update your license.

Uninstall Splunk

To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.

You can also use msiexec from the commandline.

Revision: 207