• Read This First
  • System requirements
    • Host operating system
    • Client operating system / browser (for access to Splunk Web)
    • Hardware capacity requirements
    • Supported server hardware architectures
    • Supported file systems
    • Storage and performance notes
• Step by Step Installation
  • Before you install
    • Installing as root
    • Running Splunk on Windows
    • Disabling update checker
    • What ports Splunk uses
    • What gets installed
    • Advanced installation topics
  • AIX installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • FreeBSD installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Linux installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Mac OS installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Solaris installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Windows installation
    • Install Splunk
    • Start Splunk
    • Launch Splunk in a Web browser
    • Install or upgrade license
    • Uninstall Splunk
  • Startup options
    • Add Splunk to your shell path
    • Start Splunk
    • Start individual processes
    • Start help
    • Open Splunk in a Web browser
  • License management
    • Access your license
    • Install via Splunk Web
    • Install via CLI
    • First login after applying new trial/Enterprise license
    • License violations
• Install Splunk Toolbar
  • Install Splunk Toolbar for Firefox
    • Install from download page
    • Install from Splunk server
    • Uninstall Splunk Toolbar
  • Install Splunk Toolbar for Internet Explorer (beta)
    • Install from download page
    • Install from Internet Explorer
    • Uninstall Internet Explorer toolbar
• Advanced Installation Topics
  • Configure Splunk before startup
    • To start at boot time
    • To bind to an IP
  • Run Splunk as non-root user
    • Solaris 10 privileges
  • Disable update checker
  • Install Splunk for lightweight forwarding
  • Configure SELinux
  • Uninstall Splunk manually
• Upgrade Instructions
  • Upgrade and migrate to 3.3
  • Upgrade Splunk on Windows
    • Start Splunk
  • Migration considerations
    • Bundles/configuration directory structure changed and renamed
    • Scripts in /splunk/bin are not saved
    • Saved searches and search operators
    • Changes to indexes.conf
    • Must upgrade all instances of Splunk in a distributed environment
    • Instances of Splunk deployment server must match clients
  • Migrate your Windows saved searches to 3.3.x
    • Run the migration script
    • What has changed
  • Migrate bundles to new application directory structure
    • Things to consider
    • Run the migration script
• Help
  • Getting Help
    • Accessing help in Splunk Web
    • Accessing help in the command line (CLI)
    • How can I learn more about Splunk's advanced features?
    • I lost my Splunk.com password. What do I do?
    • How do I report problems?
    • How can I make suggestions?
    • I have some questions that aren't answered here. Where can I get help?
• Reference
  • File Manifest
  • PGP Public Key
    • Installing the key

Linux installation

This topic will guide you through installing or upgrading Splunk on the Linux platform.
Note: If you are upgrading, review the upgrade documentation later in this manual and check the migration documentation for any migation considerations before proceeding.

Install Splunk

The Linux build comes in three forms: RPM, DEB, and tarball.

RedHat, RPM install

To upgrade an existing Splunk installation using the RPM:

rpm -U splunk_package_name.rpm

To install the Splunk RPM from scratch, in the default directory /opt/splunk:

rpm -i splunk_package_name.rpm

To install Splunk in a different directory, use the --prefix flag:

rpm -i --prefix=/opt/new_directory splunk_package_name.rpm

If you want to automate your RPM install with kickstart, add the following to your kickstart file:

./splunk start --accept-license
./splunk enable boot-start 

Note: The second line is optional for the kickstart file. Read more about Configuring Splunk to start at boot time.

To verify the RPM package signature, refer to our PGP public key.

Debian, DEB install

To install the Splunk DEB package:

dpkg -i splunk_package_name.deb

Note: You can only install the Splunk DEB package in the default location, /opt/splunk.

Important: There is an issue with the 3.3 Debian package resulting in errors when you try to start Splunk. To work around this issue, once you've run the installer, edit /var/lib/dpkg/info/splunk.postinst and modify line 13 by adding a / before opt (SPLUNK_HOME="/opt/$PRODUCT". Then run the script: sh /var/lib/dpkg/info/splunk.postinst . This completes the installation and you can then start Splunk.
This issue will be resolved in the next maintenance release.

Tarball install

To install Splunk on a Linux system, expand the tarball into an appropriate directory. The default install directory is /opt/splunk.

Note: When installing with the tarball:

• Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually.
• Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

What gets installed

Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information.

To start Splunk from the command line interface, run the following command:

 $SPLUNK_HOME/bin/splunk start

Note: By convention, this document uses:

• $SPLUNK_HOME to identify the path to your Splunk installation.
• $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

Startup options

The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

For more information, refer to Splunk startup options

If this is an upgrade to 3.2 or later, you have the option of reviewing changes to be made to your configuration files during migration. Refer to the upgrade instructions for more details.

Launch Splunk Web and log in

After you start Splunk and accept the license agreement,

1. In a browser window, access Splunk Web at http://<hostname>:port.

• hostname is the host machine.
• port is the port you specified during the installation (the default port is 8000).

2. If you are running Splunk with a Free license, Splunk Web launches without prompting you for login information. If you are running Splunk with an Enterprise license, Splunk Web prompts you for login information (default, username admin and password changeme) before it launches.

Manage your license

If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.

Uninstall Splunk

Use your local package management commands to uninstall Splunk. In most cases, files that were not originally installed by the package will be retained. These files include your configuration and index files which are under your installation directory.

If you can't use package management commands, follow the instructions for manually uninstalling Splunk components.

RedHat Linux

To uninstall from RedHat Linux

rpm -e splunk_product_name

Debian Linux

To uninstall from Debian Linux:

dpkg -r splunk

To purge (delete everything, including configuration files):

dpkg -P splunk