Documentation: 3.3.3
This page last updated: 10/30/08 05:10pm

Windows installation

If you are upgrading Splunk for Windows from version 3.2.x to 3.3.x, please review the Windows migration instructions before proceeding to the upgrade instructions.

Note: When you run the Splunk Windows installer, you are given the option to select a user Splunk will run as. If you install Splunk as the LOCAL SYSTEM user, WMI remote authentication will not work; this user has null credentials and Windows servers normally disallow such connections. If this Splunk instance is only acting as a collector and forwarder of local data, however, this is acceptable.
Important: Changing the user Splunk runs as through the Windows Service Control Panel is not supported; Splunk will stop functioning. Make sure you define and select the user account to correctly reflect the access you want Splunk to have.

Install Splunk

The Windows installer is an MSI file.

1. To start the installer, double-click the splunk.msi file.
The Welcome panel is displayed.

2. To begin the installation, click Next.

Note: On each panel, you can click Next to continue, Back to go back a step, or Cancel to close the installer.

The licensing panel is displayed.

3. Read the licensing agreement and select "I accept the terms in the license agreement". Click Next to continue installing.
The Customer Information panel is displayed.

4. Enter the requested details and click Next.
The Destination Folder panel is displayed.

Note: Splunk is installed by default into \Program Files\Splunk.

5. Click Change... to specify a different location to install Splunk, or click Next to accept the default value.
The Logon Information panel is displayed.

Splunk installs and runs two Windows services, splunkd and splunkweb. These services will be installed and run as the user you specify on this panel. You can choose to run Splunk with Local System credentials, or provide a specific account. That account should have local administrator privileges, plus appropriate domain permissions if you are collecting data from other machines.

The user Splunk runs as must have permissions to:

  • Run as a service.
  • Read whatever files you are configuring it to monitor.
  • Collect performance or other WMI data.
  • Write to Splunk's directory.

Note: If you install as the Local System user, some network resources may not be available to the Splunk application. Additionally, WMI remote authentication will not work; this user has null credentials and Windows servers normally disallow such connections. Only local data collection with WMI will be available. Contact your systems administrator for advice if you are unsure what user to specify.

6. Select a user type and click Next.
If you specified the local system user, proceed to step 8. Otherwise, the Logon Information: specify a username and password panel is displayed.

7. Specify a username and password to install and run Splunk and click Next.
Note: To use an existing user, you can enter or browse for the username and domain details. However, if you cannot browse to the user you wish to use, the installation will fail. Splunk recommends that you browse to the domain and username to ensure that you select a valid user.
Important: This panel currently contains a New User Information... button. This button is nonfunctional.
Important: Changing the user Splunk runs as through the Windows Service Control Panel is not supported; Splunk will stop functioning. Make sure you define and select the user account to correctly reflect the access you want Splunk to have.

The Configure Splunk Data Sources panel is displayed.

8. Check or uncheck boxes to tell Splunk what data you want monitored and indexed:

Important: If you choose to enable baseline snapshots of your local registry hives, the next time you start Splunk, it may take a long time to start up and use significant system resources while processing the snapshot. This depends on how large your registry is, and how much of it you plan to monitor. For more information about baseline snapshots and monitoring the Windows registry, refer to Get a baseline snapshot.

The pre-installation summary panel is displayed.

9. Click Install to proceed.
The installer runs and displays the Installation Complete panel. You may see a number of warnings in a command prompt dialog box; you can safely ignore these.

10. Check the boxes to Start Splunk and Start Splunk Web now. Click Finish.
The installation completes, Splunk starts, and Splunk Web launches in a supported browser.

Note: The first time you access Splunk Web after installation, log in with the default username admin and password changeme.

Start Splunk

On Windows, Splunk is installed by default into \Program Files\Splunk.

You can start and stop the following Splunk processes via the Windows Services Manager:

  • Server daemon: splunkd
  • Web interface: splunkweb

You can also start, stop, and restart both processes at once by going to \Program Files\Splunk\bin and typing:

    splunk.exe [start|stop|restart]

Note: If you do not select Start Splunk Services at installation, they will be set to manual startup and therefore will not start after a reboot. You must start them from the Windows Service Manager MMC, and optionally configure auto-start if you want them to start automatically at boot time.
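The service account chosen on the Logon Information panel and the start mode described in the note above can both be checked after installation. The following PowerShell is an added example, not part of the Splunk documentation; it assumes PowerShell 3.0 or later, and the function name Test-SplunkServiceAccount and the account EXAMPLE\svc-splunk are hypothetical.

```powershell
# Added example: report the logon account and start mode of the two Splunk services.
# The service names splunkd and splunkweb come from the page; all other names are illustrative.

function Test-SplunkServiceAccount {
    param(
        # Objects exposing Name, StartName and StartMode (the shape of Win32_Service).
        [Parameter(Mandatory)] [object[]] $Service
    )
    foreach ($svc in $Service) {
        $findings = @()
        # Local System has null network credentials, so remote WMI collection fails.
        if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
            $findings += 'runs as Local System: remote WMI authentication will not work (local collection only)'
        }
        # Anything other than Auto means the service stays down after a reboot.
        if ($svc.StartMode -ne 'Auto') {
            $findings += "start mode is $($svc.StartMode): will not start after a reboot"
        }
        [pscustomobject]@{
            Name      = $svc.Name
            Account   = $svc.StartName
            StartMode = $svc.StartMode
            Findings  = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

# Query the installed services on this machine.
$services = Get-CimInstance -ClassName Win32_Service -Filter "Name='splunkd' OR Name='splunkweb'"

if (-not $services) {
    # Splunk is not installed here: fall back to constructed sample records.
    $services = @(
        [pscustomobject]@{ Name = 'splunkd';   StartName = 'LocalSystem';        StartMode = 'Manual' }
        [pscustomobject]@{ Name = 'splunkweb'; StartName = 'EXAMPLE\svc-splunk'; StartMode = 'Auto' }
    )
}

Test-SplunkServiceAccount -Service $services | Format-List
```

The script only reads service configuration; as stated above, changing the account through the Windows Service Control Panel is not supported.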

Note: If you chose not to index one or more of the Windows event logs by unchecking the box(es) at the end of the installation process, and want to begin indexing later, edit $SPLUNK_HOME/etc/system/local/inputs.conf as described in Configure inputs via inputs.conf.

Important: You must use two backslashes \\ to escape wildcards in stanza names in inputs.conf.

Launch Splunk in a Web browser

To access Splunk Web after you start Splunk on your machine, open a Web browser and navigate to http://localhost:8000. Log in using the default credentials: username admin and password changeme. Be sure to change the admin password as soon as possible and make a note of what you changed it to.

Now that you're ready to use Splunk, refer to the User Manual and begin with the Splunk Tutorial.

Install or upgrade license

If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.

Uninstall Splunk

To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.


Comments

  1. slpost: My apologies for not responding sooner; I am glad you were able to find the answer in the forum. I've added the information to the topic. Thanks!

  2. How do you use it? At the end of the installation, open a web browser and navigate to http://localhost:8000.
    I entered a forum question on it, and got my answer.

  3. One little piece of information I don't see in the installation.

    HOW....DO....YOU....USE.....IT?
    Do I start a browser and go to a webpage?
    Do I go to DOS, cd to a directory, and run a command?
    Do I browse folders and open up a file?
    WHAT?
    There seems to be a huge step missing here.
