• Before You Start
  • System Requirements
    • Host Operating System
    • Client Operating System / Browser
    • Server Hardware
    • File System
    • What Gets Installed
    • Who'll be able to Splunk your Data
• Step by Step
  • Installation in 3 Easy Steps
    • Step 0: Read this first
    • Step 1: Unpack the software
    • Step 2: Install your license
    • Step 3: Start Splunking!
    • Updating the license
    • Help
  • Updating 2.1.x to 2.2.x
  • 2.0.x to 2.1.x Migration Instructions
    • Why a migration process?
    • How long does it take?
    • Will I lose my data?
    • Avoid data loss
    • Instructions (native package)
    • Instructions (tar file)
    • Parallel 2.0 / 2.1 setup
    • Help and support
• More Help
  • Splunk-2-Splunk Setup
    • Browser-based configuration
    • Command line configuration
  • Uninstall
  • Troubleshooting Installation Errors

Installation in 3 Easy Steps

Step 0: Read this first

Updating a previous version?

• For 2.1.x and later servers see the 2.1.x to 2.1.2 update instructions.
• For 2.0.x servers in production use see the 2.0.x to 2.1.x migration instructions.

Troubleshooting an Installation

We've collected a list of known Installation Errors and their fixes. If you encounter any errors or warnings during the process - or anything that seems wrong - please check there first.

Step 1: Unpack the software

Each platform-specific installer comes in both a package form and a tarball. The Linux build comes in three forms: RPM, deb and tarball. The FreeBSD installer and tarball are both .tgz files. 5.4-intel is the installer, i386 is the tarball.

Follow the instructions for your specific package or tarball.

Tarball

• First, unpack the tarball into an appropriate directory. Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.
• Then, follow the instructions in the README.txt file in the top-level directory, e.g. /opt/splunk/README.txt to manually configure your installation path. The README file also contains information about starting Splunk for the first time and optionally configuring your system to start Splunk at boot.

RPM

• Basic install:

# rpm -i splunk-2.1-0.i386.rpm

• Override the default installation directory /opt/splunk:

# rpm -i --force --prefix=/opt/splunk2.1/splunk splunk-2.1-0.i386.rpm

deb

• Basic install:

# dpkg -i splunk-2.1-linux-2.6-intel.deb

The Splunk deb package currently cannot be installed in a directory other than its default, /opt/splunk.

• Uninstall:

# dpkg -r splunk

• Purge (delete everything, even config files):

# dpkg -P splunk

• Splunk package status:

# dpkg --status splunk

• List all packages:

# dpkg --list

FreeBSD

• Basic install:

# pkg_add splunk-2.1-freebsd-5.4-intel.tgz

• Override the default installation directory /opt/splunk:

# pkg_add -v -p /usr/splunk splunk-2.1-freebsd-5.4-intel.tgz

• Uninstall:

# pkg_delete splunk

• Uninstall from a non-default directory:

# pkg_delete -p /usr/splunk splunk

• Splunk package info:

# pkg_info -L splunk

• List all packages:

# pkg_info

MacOS

• Basic install:

Double-click on splunk.pkg

• Override the default installation directory /Applications/splunk:

When the installer gets to the Select Destination dialog, click Choose... to select a directory other than /Applications

• Command-line install:

# installer -pkg splunk.pkg

• Command-line install to a different disk or partition:

# installer -pkg splunk.pkg -target /Volumes/LaCie\ Disk

-target specifies a target volume, such as another disk, where Splunk will be installed in /Applications/splunk .
To install into a directory other than /Applications/splunk on any volume, use the graphical installer as described above.

Solaris

• Basic install:

# pkgadd splunk.pkg

• Override the default installation directory /opt/splunk:

# pkgadd -d /user/splunk/splunk.pkg

• Uninstall:

# pkgrm splunk

• Splunk package info:

# pkginfo -l splunk

• List all packages:

# pkginfo

Step 2: Install your license

All Splunk Servers have a license in the subdirectory ./etc/splunk.license . The free server has a built-in free license. A license for Splunk Professional enables higher volume indexing and Splunk Professional features.

Note: This is for splunk 2.2.3, for the beta and latest release, see 3.0 instructions.

<license>
    <user>Billy_Name</user>
    <expiration-date>2008-05-11 14:52:31</expiration-date>
    <creation-date>2007-04-11 14:52:31</creation-date>
    <bytelimit>5000 MB</bytelimit>
    <version>Splunk Professional Annual</version>
    <type>trial</type>
    <licenseKey>nDwuRTC4rmUNzUtECtae3s5ukOAxqY7xSmT9DJbrO4eSttXA4bj37YfB8l+2VhZkCeQF3Wrb+7wTnykKP3CqlPkx0bwluj62gZWK3b9t9THeUBz5UE
8e3NiP1eqPu9wtofxubifxL4zkwzaxPuwzg/7YKsbkgWai8QBCJaKvUqIdi7IZ1l3JAK2qhqmsnxaOixEU3kxerB5w90AfpdiaSKD5v2orQZPQBWT+4tVZe8gQupeLi4t88Mi
SyqARgagE2Z6YV/D5/1HMlBFB4rrh16M8OGDeYy73m2uocCXhYq9sFJKN2zygTOyDuE1769NaJ4CWGRWlsk31S6R3HjUOVg==</licenseKey>
    <productName>splunk</productName>
</license>

• Copy your new or previous license key file into ./etc/splunk.license beneath your Splunk home directory.

# cp -p splunk.license /opt/splunk/etc/

If you are installing a Splunk Professional license (including a free 30 day evaluation license) for the first time, you will need to log in with the default administrator account: username "admin" and password "changeme".

Step 3: Start Splunking!

A. Start the server

# /opt/splunk/bin/splunk start
(or whatever path you installed)

The first time you run a new installation, you will be prompted with a license agreement.

B. Load the Splunk GUI in your browser

http://mysplunkhost:8000
(or whatever host and port you installed)

(Use username "admin" and password "changeme" to login to your new Splunk Professional installation for the first time.)

C. Set up one or more data inputs

The first time you browse a new installation, you will see a Guided Setup tool that helps you set up data inputs, licenses, and Splunk-2-Splunk configuration. Alternately, you can configure data inputs from the command line. Below is a typical example.

# /opt/splunk/bin/splunk add tail /var/log

Your Splunk Server should show indexed data on its home page immediately after you add a data input. As soon as you see a number greater than "0 events" listed on the server's home page, you're ready to start Splunking!

Updating the license

• From a browser
  • Go to the Admin -> License & Usage -> Change license interface tab. Paste your new license into the textarea box there.
  • Go to the Admin -> Server -> Control tab. Restart the Splunk Server.

• From the command line
  • Copy your new or previous license key file into ./etc/splunk.license beneath your Splunk home directory.

# cp -p splunk.license /opt/splunk/etc/

When the correct license is in place, start or restart the Splunk Server.
# /opt/splunk/bin/splunk restart

Help

Built-in

The Splunk Server comes with three help resources built into its interface and served locally.

• Guided Setup

Splunk's Web interface has a built-in window that will walk you through basic setup of your data inputs, license installation, and Splunk-2-Splunk configuration.

• Browser-based Help

Splunk's Web interface has a blue (i) button labeled Help in its upper right corner. Click this button to pop up a built-in set of help pages.

Additionally, each page within the Admin area of the interface has blue (i) buttons next to the green title atop each group of controls. Click any one of these (i) buttons to go straight to the help for that part of the page.

• Command Line Help

From the command line on your Splunk Server host, type this command.
# /opt/splunk/bin/splunk help

At splunk.com

Go to splunk.com/r/support for a directory of all Splunk's help resources.