This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6
You can install Splunk on Linux using RPM or DEB packages, or a tarball.
To install the Splunk RPM in the default directory /opt/splunk:
rpm -i splunk_package_name.rpm
To install Splunk in a different directory, use the --prefix flag:
rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
To upgrade an existing Splunk installation using the RPM:
rpm -U splunk_package_name.rpm
To upgrade an existing Splunk installation that was done in a different directory, use the --prefix flag:
rpm -U --prefix=/opt/new_directory splunk_package_name.rpm
If you want to automate your RPM install with kickstart, add the following to your kickstart file:
./splunk start --accept-license ./splunk enable boot-start
Note: The second line is optional for the kickstart file.
To install the Splunk DEB package:
dpkg -i splunk_package_name.deb
Note: You can only install the Splunk DEB package in the default location, /opt/splunk.
To install Splunk on a Linux system, expand the tarball into an appropriate directory. The default install directory is /opt/splunk.
When installing with the tarball:
splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually.
Splunk package status:
dpkg --status splunk
List all packages:
dpkg --list
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information.
To start Splunk from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):
./splunk start
By convention, this document uses:
$SPLUNK_HOME to identify the path to your Splunk installation.
$SPLUNK_HOME/bin/ to indicate the location of the command line interface.
The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:
$SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the accept-license option.
After you start Splunk and accept the license agreement,
1. In a browser window, access Splunk Web at http://<hostname>:port.
hostname is the host machine.
port is the port you specified during the installation (the default port is 8000).
2. If you are running Splunk with a Free license, Splunk Web launches without prompting you for login information. If you are running Splunk with an Enterprise license, Splunk Web prompts you for login information (default, username admin and password changeme) before it launches.
Now that you've installed Splunk, what comes next?
Use your local package management commands to uninstall Splunk. In most cases, files that were not originally installed by the package will be retained. These files include your configuration and index files which are under your installation directory.
If you can't use package management commands, follow the instructions for manually uninstalling Splunk components.
To uninstall from RedHat Linux
rpm -e splunk_product_name
To uninstall from Debian Linux:
dpkg -r splunk
To purge (delete everything, including configuration files):
dpkg -P splunk