This topic describes the procedures for installing Splunk on Windows using the command line.
Important: Running the 32-bit version of Splunk for Windows on a 64-bit platform is not recommended. If you can run 64-bit Splunk on 64-bit hardware, we strongly recommend it. The performance is greatly improved over the 32-bit version.
Note: The Windows App was enabled by default in its app.conf file in versions 4.0-4.0.2. Starting in version 4.0.3, it is disabled in this file by default. Read on for important details:
When you run the Splunk Windows installer, you are given the option to select a user Splunk will run as.
If you install as the Local System user, Splunk will have access to all or nearly all of the important information on your local machine. However, the Local System user has no privileges on other Windows machines by design. If you intend to read Event Logs or performance counters from other machines via WMI, or read network shares for log files, you will need a domain account. That account must be a local Administrator or equivalent, and should have rights to the external data you want Splunk to index. Please ask your Windows domain administrator for an account if you are unsure of what credentials to give Splunk.
Minimum permissions required for the two Splunk services:
Required user rights for the splunkd service:
Required user rights for the splunkweb service:
Important: If you must change the user Splunk runs as after installation, you must ensure that the user you create has the necessary permissions, and also ensure that the user has Full Control permissions to the $SPLUNK_HOME/var directory.
If you specified the wrong user during your installation, Splunk will not start. If this occurs, Splunk has installed itself as the Local System user by default. Use the instructions above to switch to the correct user before starting Splunk.
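The following PowerShell script is an added example, not part of the Splunk documentation, showing how to carry out the switch described above after installation: grant the new account Full Control on $SPLUNK_HOME\var and reassign both services to it. It assumes the services are registered under the names used on this page (splunkd and splunkweb), that Splunk is in the default install directory, and that it runs in an elevated session.

```powershell
# Added example (not from the Splunk documentation): switch the account the
# splunkd and splunkweb services run as after installation, and grant that
# account Full Control on $SPLUNK_HOME\var, as the topic requires.
# Assumptions: the services are registered as "splunkd" and "splunkweb" (the
# names used on this page), SPLUNK_HOME is the default install directory, and
# this runs in an elevated (Run As Administrator) PowerShell session.

param(
    [string]$SplunkHome = 'C:\Program Files\Splunk',
    [string[]]$Services = @('splunkd', 'splunkweb')
)

# Prompt for the domain account instead of embedding the password in the
# script. The topic requires the domain\username form, so check it up front.
$cred = Get-Credential -Message 'Domain account for the Splunk services (domain\username)'
if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$') {
    throw "Account must be given as domain\username, got '$($cred.UserName)'"
}
$plain = $cred.GetNetworkCredential().Password

# Stop the services before changing their logon account, failing early if a
# service name does not match this installation.
foreach ($svc in $Services) {
    if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) {
        throw "Service '$svc' is not installed; check the service names"
    }
    Stop-Service -Name $svc -Force -ErrorAction Stop
}

# Full Control on var: (OI)(CI)F = object-inherit, container-inherit, full
# access; /T applies it to the existing tree as well.
$varDir = Join-Path $SplunkHome 'var'
& icacls.exe $varDir /grant "$($cred.UserName):(OI)(CI)F" /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $varDir (exit $LASTEXITCODE)" }

# sc.exe config needs the space after 'obj=' and 'password='.
foreach ($svc in $Services) {
    & sc.exe config $svc obj= $cred.UserName password= $plain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc config failed for $svc (exit $LASTEXITCODE)" }
}

# Verify the change with the service control manager's own record, then start.
foreach ($svc in $Services) {
    $startName = (Get-CimInstance Win32_Service -Filter "Name='$svc'").StartName
    if ($startName -ne $cred.UserName) {
        throw "$svc still runs as $startName"
    }
    Write-Host "$svc now runs as $startName"
    Start-Service -Name $svc -ErrorAction Stop
}
```

Two points worth checking when you use this: sc.exe config changes the logon account but does not grant the account the user rights the topic lists for each service (the Services console does that automatically when you change the account there), so assign those separately; and the password is visible on the sc.exe command line for the moment that process runs, which is why the script prompts for it rather than taking it as a parameter.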
You can install Splunk for Windows using the MSI on the command line by typing the following:
msiexec.exe /i Splunk.msi
This section lists the available flags and provides a few examples of using them in various configurations.
You can specify
Note: The first time you access Splunk Web after installation, log in with the default username admin and password changeme.
The following is a list of the flags you can use when installing Splunk for Windows via the command line.
Use this flag to specify the directory to install into. The default is c:\program files\splunk.
Use these flags to specify alternate ports for splunkd and splunkweb to use.
Use these flags to specify whether or not Splunk should index a particular Windows event log.
Use these flags to specify whether or not Splunk should index the Windows registry USER hive. By default these are set to 0 (off).
Use these flags to specify whether or not Splunk should index the Windows registry LocalMachine hive. By default, these are set to 0 (off).
Use these flags to specify which WMI performance information to index. These are set to 0 (off) by default.
Use this flag to specify a user Splunk should run as. Supported values are: 1 for the LocalSystem user and 2 for a different user. The default value is 1.
Use these flags to provide domain/username and password information for the user specified in RBG_LOGON_INFO_USER_CONTEXT. You must specify the domain with the username in the format "domain\username".
Use this flag to specify an included Splunk application configuration to enable for this installation of Splunk. Currently supported options for <SplunkApp> are: SplunkLightForwarder, SplunkForwarder.
Refer to the documentation about the Splunk forwarder and light forwarder configurations for more information about the forwarders. If you specify either the Splunk forwarder or light forwarder here, you must also specify FORWARD_SERVER="<server:port>".
To install Splunk with no applications at all, specify this flag but leave the value empty ( SPLUNK_APP="" ).
Use this flag *only* when you are also using SPLUNK_APP to enable either the Splunk forwarder or light forwarder. Specify the server and port of the Splunk server to which this forwarder will send data.
Use this flag to specify whether or not Splunk should start up automatically when the installation completes. The default value is 1 (on).
Important: If you are enabling an App (SPLUNK_APP), Splunk will start automatically; this cannot be overridden.
Use these flags to specify which Splunk services start up automatically at boot time.
To run the installation silently, add /quiet to the end of your installation command string. If your system has User Account Control (UAC) enabled (it often is by default), you must run the installation as Administrator. To do this, right-click the Command Prompt shortcut, select "Run As Administrator", and then run the silent install command from that window.
The following are some examples of using different flags.
msiexec.exe /i Splunk.msi RBG_LOGON_INFO_USER_CONTEXT=1
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="AD\splunk" IS_NET_API_LOGON_PASSWORD="splunk123"
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" WINEVENTLOGSYSCHECK=0 /quiet
Where "<server:port>" is the server and port of the Splunk server to which this machine should send data.
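The following PowerShell function is an added example, not part of the Splunk documentation, that wraps the flags and examples above in a silent install: it builds the msiexec property list, enforces the combination rules the topic states (a forwarder app requires FORWARD_SERVER; user context 2 requires a domain\username and password; SPLUNK_APP="" installs no apps), logs the run, and checks the exit code. It assumes Splunk.msi is in the current directory, the session is elevated, and the property names are exactly those listed in this topic; the server name and port in the usage line are constructed placeholders.

```powershell
# Added example (not from the Splunk documentation): validated silent install
# using the msiexec properties described in this topic. Assumptions: Splunk.msi
# is in the current directory, the session is elevated, and the property names
# (SPLUNK_APP, FORWARD_SERVER, RBG_LOGON_INFO_USER_CONTEXT,
# IS_NET_API_LOGON_USERNAME, IS_NET_API_LOGON_PASSWORD, WINEVENTLOGSYSCHECK)
# are exactly as this topic lists them.

function Install-SplunkMsi {
    param(
        [string]$Msi = 'Splunk.msi',
        # '' (no apps), 'SplunkForwarder' or 'SplunkLightForwarder'
        [string]$App = '',
        [string]$ForwardServer = '',
        [ValidateSet(1, 2)]
        [int]$UserContext = 1,
        [pscredential]$ServiceAccount,
        # Any further PROPERTY=value pairs, e.g. @{ WINEVENTLOGSYSCHECK = 0 }
        [hashtable]$ExtraProperties = @{},
        [string]$LogPath = "$env:TEMP\splunk-install.log"
    )

    if ($App -notin '', 'SplunkForwarder', 'SplunkLightForwarder') {
        throw "Unsupported SPLUNK_APP value '$App'"
    }
    # Rule from the topic: a forwarder app requires FORWARD_SERVER, and
    # FORWARD_SERVER is only meaningful together with a forwarder app.
    $isForwarder = $App -in 'SplunkForwarder', 'SplunkLightForwarder'
    if ($isForwarder -and -not $ForwardServer) {
        throw "SPLUNK_APP=$App requires FORWARD_SERVER=<server:port>"
    }
    if (-not $isForwarder -and $ForwardServer) {
        throw 'FORWARD_SERVER is only valid together with a forwarder SPLUNK_APP'
    }
    if ($ForwardServer -and $ForwardServer -notmatch '^[^:\s]+:\d{1,5}$') {
        throw "FORWARD_SERVER must look like server:port, got '$ForwardServer'"
    }

    # Rule from the topic: user context 2 needs domain\username plus password.
    $props = [ordered]@{ RBG_LOGON_INFO_USER_CONTEXT = $UserContext }
    if ($UserContext -eq 2) {
        if (-not $ServiceAccount) { throw 'User context 2 requires -ServiceAccount' }
        if ($ServiceAccount.UserName -notmatch '^[^\\]+\\[^\\]+$') {
            throw "Service account must be domain\username, got '$($ServiceAccount.UserName)'"
        }
        $props.IS_NET_API_LOGON_USERNAME = $ServiceAccount.UserName
        $props.IS_NET_API_LOGON_PASSWORD = $ServiceAccount.GetNetworkCredential().Password
    }
    # SPLUNK_APP="" (empty) is the documented way to install with no apps at all.
    $props.SPLUNK_APP = $App
    if ($ForwardServer) { $props.FORWARD_SERVER = $ForwardServer }
    foreach ($k in $ExtraProperties.Keys) { $props[$k] = $ExtraProperties[$k] }

    # msiexec takes PROPERTY="value" pairs; /quiet runs silently and
    # /l*v writes a verbose log that is the first place to look on failure.
    $pairs = foreach ($e in $props.GetEnumerator()) { "$($e.Key)=`"$($e.Value)`"" }
    $argList = @('/i', "`"$Msi`"") + $pairs + @('/quiet', '/l*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList `
        -Wait -PassThru -NoNewWindow

    # Standard msiexec codes: 0 = success, 3010 = success, reboot required.
    switch ($proc.ExitCode) {
        0       { Write-Host "Installed; log at $LogPath" }
        3010    { Write-Warning "Installed; reboot required. Log at $LogPath" }
        default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
    }
    return $proc.ExitCode
}

# Usage (constructed placeholder for the indexer): forwarder running as a
# domain account with System event log indexing off, combining the second and
# third examples above.
# Install-SplunkMsi -App SplunkForwarder -ForwardServer 'indexer.example.com:9997' `
#     -UserContext 2 -ServiceAccount (Get-Credential) `
#     -ExtraProperties @{ WINEVENTLOGSYSCHECK = 0 }
```

The function takes the service account as a credential object rather than as a username/password pair so that the password does not end up in the script or in shell history; it is still passed on the msiexec command line, as the topic's own examples do, so anyone who can read the process command line while the installer runs can see it, and you should review the verbose log before sharing it.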
To access Splunk Web after you start Splunk on your machine, you can either:
or
http://localhost:8000.
Log in using the default credentials: username admin and password changeme. Be sure to change the admin password as soon as possible and make a note of what you changed it to.
Now that you're ready to use Splunk, refer to the User Manual and begin using Splunk!
To avoid IE Enhanced Security pop-ups, add the following URLs to the allowed Intranet group or fully trusted group in IE:
If you are performing a new installation of Splunk or switching from one license type to another, you must install or update your license.
To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.
You can also use msiexec from the command line.