Documentation: 3.1.4
This page last updated: 11/19/07 10:11am

Before you install

The 3.0.x and 3.1 releases do not support automated migration from prior releases. Do not attempt this or you may overwrite your configuration files. Install and try the release in a separate file path with different ports. If you wish to migrate now, read about manual migration instructions.

Splunk 3.1 now allows searches to contain either a double colon (::) or an equal sign (=) when using fields in a search. This change is the first step in eliminating differences in search syntax between search and extracted fields.

One result of this change is that a search for a literal containing an equal sign requires quotation marks around the expression with the equal sign. This may cause saved searches to stop working. Before you install Splunk 3.1, you should examine your saved searches and modify them as needed. See the 3.1 change logs for a complete list of new features and known problems in this release.

System Requirements

Please check the release notes and download page for details on known issues.

Host Operating System

  • AIX 5.2 and 5.3
  • AIX 5.4 has not yet been tested by Splunk. If you wish to give it a try, please try it on a test server and send us feedback.
  • Linux 2.6+ kernel Linux distributions (32-bit and 64-bit) and major 2.4+ kernel Linux distributions with NPTL (32-bit only)
  • Solaris 8, 9 & 10 / Sparc
  • Solaris 9 & 10 / x86
  • Mac OS X 10.4 / PPC & x86
  • FreeBSD 6.1 (6.2 for 64-bit versions) or later

Client Operating System / Browser

You can verify your installed version of Flash here

Server Hardware

  • 32 and 64-bit architectures are supported for some platforms. See the download page for details.

File System

  • Linux - ext2/3, reiser3, XFS
  • Solaris - UFS, ZFS, VXFS
  • FreeBSD - FFS, UFS
  • Mac - HFS
  • AIX - JFS, JFS2, NFS 3/4
  • Note: Most other file systems are supported.
  • Note: Running Splunk on a filesystem not listed above may result in a startup function named "locktest" being executed by Splunk. "Locktest" is a program that independently tests the startup process.
  • Running "locktest":
    • From the SPLUNK_HOME directory, source in the Splunk environment (bash . bin/setSplunkEnv). This assumes that setSplunkEnv has been properly configured.
    • Run "locktest". If it's successful, Splunk supports the file system. If it is unsuccessful, contact support (support@splunk.com).

Minimum

  • 1x1.4 GHz CPU, 1 GB RAM on any modern OS
  • 100 MB free disk space

Recommended

  • 2x3.4 GHz CPU, 4 GB RAM
  • Running Splunk in virtual machine (VM) mode will degrade performance.

Storage

  • For standard syslog data, allow for up to 50% of the raw data size. (Tunable to 12% with lower indexing density.)
  • For other data sources your compression rates may be lower and your storage requirements may be higher.
  • Faster drives give better search performance.
  • For more information on ways to reduce your index density click here

FreeBSD

To ensure that Splunk functions properly on FreeBSD, make sure the following settings are in /boot/loader.conf:

kern.maxdsiz="2147483648" # 2GB
kern.dfldsiz="2147483648" # 2GB

You also need the following in /etc/sysctl.conf:

vm.max_proc_mmap=2147483647
machdep.hlt_cpus=0

Installing as root

  • If you are using any type of package manager, you must install as root. You do not have to install as root if you are using the tarball installation.
  • If you run the installation with root privileges, it will create a user splunk and a group splunk (if they don't exist). Splunk must either run as root or as a member of the splunk group.
  • If you run the installation without root privileges, it won't attempt to create users or groups. You can run Splunk under the username you installed it as.
  • If you want Splunk to run as a non-root user, and are using one of the packages (not a tarball), you can create the user and group first, run the installation as root, and then chown the resulting installation to the desired user.
  • The user Splunk runs as must have access rights to read all the data inputs you define.
  • When Splunk runs as a non-root user, network data inputs cannot use privileged ports, which are usually those lower than 1024 (in particular, Splunk will not be able to accept syslog over the default port of 514).
  • Some files and directories may be in privileged locations that a non-root user cannot read, which will cause them to not be indexed.
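
A preflight check for the non-root constraints listed above, as an added example that is not part of the Splunk documentation: run as the account Splunk will run as, it flags network inputs on ports below 1024 and file inputs that account cannot read. The spec format (tcp:PORT, udp:PORT, file:PATH), the function name check_inputs and the sample inputs are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not Splunk code. Run it as the account Splunk will run as.
# The spec format (tcp:PORT, udp:PORT, file:PATH) is hypothetical.

# Reads one input spec per line on stdin, prints one line per problem,
# and returns non-zero if any input would fail for this user.
check_inputs() {
    problems=0
    while IFS= read -r spec; do
        case "$spec" in
            ''|'#'*) continue ;;                      # blank line or comment
            tcp:*|udp:*)
                port=${spec#*:}
                case "$port" in
                    ''|*[!0-9]*|??????*)              # not a 1-5 digit number
                        echo "BAD_PORT $spec"; problems=$((problems + 1)) ;;
                    *)
                        # Ports below 1024 are usually reserved for root.
                        if [ "$port" -lt 1024 ]; then
                            echo "PRIVILEGED_PORT $spec"; problems=$((problems + 1))
                        fi ;;
                esac ;;
            file:*)
                path=${spec#file:}
                if [ ! -r "$path" ]; then             # missing or no read access
                    echo "UNREADABLE $path"; problems=$((problems + 1))
                fi ;;
            *)
                echo "UNKNOWN_SPEC $spec"; problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample inputs: syslog on 514, a high TCP port, one log file.
check_inputs <<'EOF' || echo "Fix the inputs listed above before starting Splunk as this user."
udp:514
tcp:1514
file:/var/log/messages
EOF
```

A PRIVILEGED_PORT finding means the input has to move to a port of 1024 or higher; an UNREADABLE finding means the file's permissions or group membership have to change before that data can be indexed.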