• Read This First
  • System requirements
    • Host operating system
    • Client operating system / browser (for access to Splunk Web)
    • Hardware capacity requirements
    • Supported server hardware architectures
    • Supported file systems
    • Storage and performance notes
• Step by Step Installation
  • Before you install
    • Installing as root
    • Running Splunk on Windows
    • Disabling update checker
    • What ports Splunk uses
    • What gets installed
    • Advanced installation topics
  • AIX installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • FreeBSD installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Linux installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Mac OS installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Solaris installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Windows installation
    • Install Splunk
    • Start Splunk
    • Launch Splunk in a Web browser
    • Install or upgrade license
    • Uninstall Splunk
  • Startup options
    • Add Splunk to your shell path
    • Start Splunk
    • Start individual processes
    • Start help
    • Open Splunk in a Web browser
  • License management
    • Access your license
    • Install via Splunk Web
    • Install via CLI
    • First login after applying new trial/Enterprise license
    • License violations
• Install Splunk Toolbar
  • Install Splunk toolbar for Firefox
    • Install from download page
    • Install from Splunk server
    • Uninstall Splunk Toolbar
  • Install Splunk toolbar for Internet Explorer (beta)
    • Install from download page
    • Install from Internet Explorer
    • Uninstall Internet Explorer toolbar
• Advanced Installation Topics
  • Configure Splunk before startup
    • To start at boot time
    • To bind to an IP
  • Run Splunk as non-root user
    • Instructions
    • Solaris 10 privileges
  • Disable update checker
  • Install Splunk for lightweight forwarding
  • Install a forward-only Splunk instance on Windows
    • Overview:
  • Configure SELinux
  • Uninstall Splunk manually
• Upgrade Instructions
  • Upgrade and migrate to 3.3 and later
  • Upgrade Splunk on Windows
    • Start Splunk
  • Migration considerations
    • Users of LDAP on MacOSX Leopard should back up ldap.conf before upgrading via DMG to 3.4
    • Bundles/configuration directory structure changed and renamed
    • Scripts in /splunk/bin may not be saved
    • Saved searches and search operators
    • Changes to indexes.conf
    • Must upgrade all instances of Splunk in a distributed environment
    • Instances of Splunk deployment server must match clients
  • Migrate your Windows saved searches to 3.3.x and later
    • Run the migration script
    • What has changed
  • Migrate bundles to new application directory structure
    • Things to consider
    • Run the migration script
• Help
  • Getting Help
    • Accessing help in Splunk Web
    • Accessing help in the command line (CLI)
    • How can I learn more about Splunk's advanced features?
    • I lost my Splunk.com password. What do I do?
    • How do I report problems?
    • How can I make suggestions?
    • I have some questions that aren't answered here. Where can I get help?
• Reference
  • File Manifest
  • PGP Public Key
    • Installing the key

Run Splunk as non-root user

Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure Splunk has the appropriate permissions to:

• Read the files and directories it is configured to watch. Some log files and directories may require root or superuser access to be indexed.
• Write to Splunk's directory and execute any scripts configured to work with your alerts or scripted input.
• Bind to the network ports it is listening on (ports below 1024 are reserved ports that only root can bind to).

Note: Splunk will not accept syslog data over port 514 (the default listening port for UDP). This does not mean that Splunk cannot listen on UDP 514; you can add UDP 514 as a data input.

Instructions

To run Splunk as a non-root user, you need to first install Splunk as root. Then, before you start Splunk for the first time, change the ownership of the splunk directory to the desired user. The following are instructions to install Splunk and run it as a non-root user, splunk.

1. Create the user and group, splunk.
For Linux, Solaris, and FreeBSD:

useradd splunk
groupadd splunk

For Mac OS:
You can use the System Preferences > Accounts panel to add users and groups.

2. As root and using one of the packages (not a tarball), run the installation.
Important: Do not start Splunk yet.

3. Use the chown command to change the ownership of the splunk directory and everything under it to the desired user.

chown -R splunk $SPLUNK_HOME/

Note: $SPLUNK_HOME refers to installation directory of Splunk.

4. Start Splunk.

$SPLUNK_HOME/bin/splunk start

Also, if you want to start Splunk as the splunk user while you are logged in as a different user, you can use the sudo command:

sudo -H -u splunk $SPLUNK_HOME/bin/splunk start

• If Splunk is installed in an alternate location, update the path in the command accordingly.
• Your system may not have sudo installed. If this is the case, you can use su.
• If you are installing using a tarball and want Splunk to run as a particular user (such as splunk), you must create that user manually.
• The splunk user will need access tp /dev/urandom to generate the certs for the product.

Solaris 10 privileges

When installing on Solaris 10 as the splunk user, you must set additional privileges to start splunkd and bind to reserved ports.

To start splunkd as the splunk user on Solaris 10, run:

# usermod -K defaultpriv=basic,net_privaddr,proc_exec,proc_fork splunk

To allow the splunk user to bind to reserved ports on Solaris 10, run (as root):

# usermod -K defaultpriv=basic,net_privaddr splunk