• Read This First
  • System requirements
    • Host operating system
    • Client operating system / browser (for access to Splunk Web)
    • Hardware capacity requirements
    • Supported server hardware architectures
    • Supported file systems
    • Storage and performance notes
• Step by Step Installation
  • Before you install
    • Installing as root
    • Running Splunk on Windows
    • Disabling update checker
    • What ports Splunk uses
    • What gets installed
    • Advanced installation topics
  • AIX installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • FreeBSD installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Linux installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Mac OS installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Solaris installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Windows installation
    • Choosing the user Splunk should run as
    • Install Splunk via the GUI installer
    • Launch Splunk in a Web browser
    • Install or upgrade license
    • Uninstall Splunk
  • Windows installation via the commandline
    • Supported flags
    • Launch Splunk in a Web browser
    • Install or upgrade license
    • Uninstall Splunk
  • Startup options
    • Add Splunk to your shell path
    • Start Splunk
    • Start individual processes
    • Start help
    • Open Splunk in a Web browser
  • License management
    • Access your license
    • Install via Splunk Web
    • Install via CLI
    • First login after applying new trial/Enterprise license
    • License violations
  • Install Splunk Enterprise Manager
• Splunk forwarder, light forwarder, and other configurations
  • Enable the Splunk forwarder or light forwarder
    • What's different about the Splunk light forwarder?
    • What's different about the Splunk forwarder?
    • Read this before you enable Splunk forwarder or light forwarder
    • Licensing for Splunk forwarder and light forwarder
    • Enable via Splunk Web
    • Enable via CLI
    • Disable via CLI
  • Commandline installation for Splunk forwarder or light forwarder on Windows
    • Silent commandline install of Splunk light forwarder
    • Commandline install of Splunk forwarder as the LocalSystem user
  • Enable Splunk desktop configuration
    • What's different about Splunk desktop?
    • Enable via Splunk Web
    • Disable via Splunk Web
    • Enable via CLI
    • Disable via CLI
  • Enable the Splunk light forwarder via the deployment server
• Advanced Installation Topics
  • Configure Splunk before startup
    • To start at boot time
    • To bind to an IP
  • Run Splunk as non-root user
    • Instructions
    • Solaris 10 privileges
  • Disable update checker
  • Configure SELinux
  • Uninstall Splunk manually
• Upgrade Instructions
  • Upgrade and migrate to 3.3 and later
  • Upgrade Splunk on Windows
    • Start Splunk
  • Migration considerations
    • Users of LDAP on MacOSX Leopard should back up ldap.conf before upgrading via DMG to 3.4
    • Bundles/configuration directory structure changed and renamed
    • Scripts in /splunk/bin may not be saved
    • Saved searches and search operators
    • Changes to indexes.conf
    • Must upgrade all instances of Splunk in a distributed environment
    • Instances of Splunk deployment server must match clients
  • Migrate your Windows saved searches to 3.3.x and later
    • Run the migration script
    • What has changed
  • Migrate bundles to new application directory structure
    • Things to consider
    • Run the migration script
• Install Splunk Toolbar
  • Install Splunk toolbar for Firefox
    • Install from download page
    • Install from Splunk server
    • Uninstall Splunk Toolbar
  • Install Splunk toolbar for Internet Explorer (beta)
    • Install from download page
    • Install from Internet Explorer
    • Uninstall Internet Explorer toolbar
• Help
  • Getting Help
    • Accessing help in Splunk Web
    • Accessing help in the command line (CLI)
    • How can I learn more about Splunk's advanced features?
    • I lost my Splunk.com password. What do I do?
    • How do I report problems?
    • How can I make suggestions?
    • I have some questions that aren't answered here. Where can I get help?
• Reference
  • File Manifest
  • PGP Public Key
    • Installing the key

Windows installation via the commandline

Important: By default, starting with version 3.4 of Splunk, Splunk for Windows is installed with the Splunk Desktop application configuration pre-enabled. You can change this by either specifying another application using the SPLUNK_APP flag when installing via the commandline as described in this topic, or by disabling the SplunkDesktop application after you have completed the installation process.

If you are upgrading Splunk for Windows from version 3.2.x to 3.3.x or later, please review the the Windows migration instructions before proceeding to the upgrade instructions.

You can install Splunk for Windows using the MSI on the commandline by typing the following:

msiexec.exe /i Splunk.msi 

This section lists the available flags for doing this, as well as provides a few examples of doing this in various configurations.
You can specify

• which Windows event logs to index or not
• which Windows registry hive to monitor
• which WMI information to pull
• the user Splunk runs as (be sure the user you specify has the appropriate permissions to access the content you want Splunk to index)
• an included application configuration for Splunk to enable (such as the Splunk light forwarder)
• whether or not Splunk should start up automatically when the installation is completed

Important: If you are enabling the Splunk forwarder, Splunk will start automatically; this cannot be overridden.

Note: The first time you access Splunk Web after installation, log in with the default username admin and password changeme.

Supported flags

The following is a list of the flags you can use when installing Splunk for Windows via the commandline.
Note: To run the installation silently, add /quiet to the end of your string.

Use this flag to specify directory to install. Default is c:\program files\splunk.

• INSTALLDIR=<directory_path>

Use these flags to specify whether or not Splunk should index a particular Windows event log. All three are set to 1 (on) by default.

• WINEVENTLOGAPPCHECK=1/0
• WINEVENTLOGSECCHECK=1/0
• WINEVENTLOGSYSCHECK=1/0

Use these flags to specify whether or not Splunk should index the Windows registry USER hive. By default these are set to 0 (off).

• REGISTRYCHECK_U=1/0
• REGISTRYCHECK_BASELINE_U=1/0

Use these flags to specify whether or not Splunkshould index the Windows registry LocalMachine hive. By default, these are set to 0 (off).

• REGISTRYCHECK_LM=1/0
• REGISTRYCHECK_BASELINE_LM=1/0

Use these flags to specify which WMI performance information to index. These are set to 0 (off) by default.

• WMICHECK_DISK=1/0
• WMICHECK_MEMORY=1/0
• WMICHECK_SPLUNKD=1/0

Use this flag to specify a user Splunk should run as. Supported values are: 1 for the LocalSystem user and 2 for a different user. The default value is 1.

• RBG_LOGON_INFO_USER_CONTEXT=1/2

Use these flags to provide username, password, and group membership information for the user specified in RBG_LOGON_INFO_USER_CONTEXT

• IS_NET_API_LOGON_USERNAME="<username>"
• IS_NET_API_LOGON_PASSWORD="<pass>"
• IS_NET_API_LOGON_GROUP="<group name>"

Use this flag to specify an included Splunk application configuration to enable for this installation of Splunk. Currently supported options for <SplunkApp> are: SplunkLightForwarder, SplunkForwarder, SplunkDesktop. Refer to the documentation about the Splunk forwarder, light forwarder, and desktop configuratins for more information. If you specify either the Splunk forwarder or light forwarder here, you must also specify FORWARD_SERVER="<server:port>".

• SPLUNK_APP=<SplunkApp>

Note: By default, Splunk enables the Splunk desktop application configuration when you install on Windows. You can change this by either specifying another application using the SPLUNK_APP flag, or by disabling the SplunkDesktop application after you have completed the installation process. To install Splunk with no applications at all, specify this flag but leave the value empty (SPLUNK_APP= .

Use this flag *only* when you are also using SPLUNK_APP to enable either the Splunk forwarder or light forwarder. Specify the server and port of the Splunk server to which this forwarder will send data.

• FORWARD_SERVER="<server:port>"

Use this flag to specify whether or not Splunk should start up automatically when the installation completes. The default value is 1 (on).

• LAUNCHSPLUNK=0/1

Important: If you are enabling the Splunk forwarder, Splunk will start automatically; this cannot be overridden.

Install Splunk to run as LocalSystem:

msiexec.exe /i Splunk.msi RBG_LOGON_INFO_USER_CONTEXT=1

Install Splunk to run as another user in the system or domain:

Note: If you pick this option, you MUST provide a username and password.

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="splunk" IS_NET_API_LOGON_PASSWORD="splunk123" IS_NET_API_LOGON_GROUP="AD"

Specify the username and the group/domain the user belongs to:

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="AD\splunk" IS_NET_API_LOGON_PASSWORD="splunk123"

Enable SplunkForwarder, disable indexing of the Windows System event log, and run the installer in silent mode:

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>"  WINEVENTLOGSYSCHECK=0 /quiet

Launch Splunk in a Web browser

To access Splunk Web after you start Splunk on your machine, you can either:

• Click the Splunk icon in Start>Programs>Splunk

or

• Open a Web browser and navigate to http://localhost:8000.

Log in using the default credentials: username: admin and password: changeme . Be sure to change the admin password as soon as possible and make a note of what you changed it to.

Now that you're ready to use Splunk, refer to the User Manual and begin with the Splunk Tutorial.

Install or upgrade license

If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.

Uninstall Splunk

To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.
You can also use msiexec from the commandline.