• Read This First
  • System requirements
    • Host operating system
    • Client operating system / browser (for access to Splunk Web)
    • Hardware capacity requirements
    • Supported server hardware architectures
    • Supported file systems
    • Storage and performance notes
• Step by Step Installation
  • Before you install
    • Installing as root
    • Running Splunk on Windows
    • Disabling update checker
    • What ports Splunk uses
    • What gets installed
    • Advanced installation topics
  • AIX installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • FreeBSD installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Linux installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Mac OS installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Solaris installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Windows installation
    • Choosing the user Splunk should run as
    • Install Splunk via the GUI installer
    • Launch Splunk in a Web browser
    • Install or upgrade license
    • Uninstall Splunk
  • Windows installation via the commandline
    • Supported flags
    • Launch Splunk in a Web browser
    • Install or upgrade license
    • Uninstall Splunk
  • Startup options
    • Add Splunk to your shell path
    • Start Splunk
    • Start individual processes
    • Start help
    • Open Splunk in a Web browser
  • License management
    • Access your license
    • Install via Splunk Web
    • Install via CLI
    • First login after applying new trial/Enterprise license
    • License violations
  • Install Splunk Enterprise Manager
• Splunk forwarder, light forwarder, and other configurations
  • Enable the Splunk forwarder or light forwarder
    • What's different about the Splunk light forwarder?
    • What's different about the Splunk forwarder?
    • Read this before you enable Splunk forwarder or light forwarder
    • Licensing for Splunk forwarder and light forwarder
    • Enable via Splunk Web
    • Enable via CLI
    • Disable via CLI
  • Commandline installation for Splunk forwarder or light forwarder on Windows
    • Silent commandline install of Splunk light forwarder
    • Commandline install of Splunk forwarder as the LocalSystem user
  • Enable Splunk desktop configuration
    • What's different about Splunk desktop?
    • Enable via Splunk Web
    • Disable via Splunk Web
    • Enable via CLI
    • Disable via CLI
  • Enable the Splunk light forwarder via the deployment server
• Advanced Installation Topics
  • Configure Splunk before startup
    • To start at boot time
    • To bind to an IP
  • Run Splunk as non-root user
    • Instructions
    • Solaris 10 privileges
  • Disable update checker
  • Configure SELinux
  • Uninstall Splunk manually
• Upgrade Instructions
  • Upgrade and migrate to 3.3 and later
  • Upgrade Splunk on Windows
    • Start Splunk
  • Migration considerations
    • Users of LDAP on MacOSX Leopard should back up ldap.conf before upgrading via DMG to 3.4
    • Bundles/configuration directory structure changed and renamed
    • Scripts in /splunk/bin may not be saved
    • Saved searches and search operators
    • Changes to indexes.conf
    • Must upgrade all instances of Splunk in a distributed environment
    • Instances of Splunk deployment server must match clients
  • Migrate your Windows saved searches to 3.3.x and later
    • Run the migration script
    • What has changed
  • Migrate bundles to new application directory structure
    • Things to consider
    • Run the migration script
• Install Splunk Toolbar
  • Install Splunk toolbar for Firefox
    • Install from download page
    • Install from Splunk server
    • Uninstall Splunk Toolbar
  • Install Splunk toolbar for Internet Explorer (beta)
    • Install from download page
    • Install from Internet Explorer
    • Uninstall Internet Explorer toolbar
• Help
  • Getting Help
    • Accessing help in Splunk Web
    • Accessing help in the command line (CLI)
    • How can I learn more about Splunk's advanced features?
    • I lost my Splunk.com password. What do I do?
    • How do I report problems?
    • How can I make suggestions?
    • I have some questions that aren't answered here. Where can I get help?
• Reference
  • File Manifest
  • PGP Public Key
    • Installing the key

Before you install

Before installing Splunk on your system:

• Read the system requirements.
• Check the release notes for details on known and resolved issues.
• Refer to the download page for the latest version to download.
• If you are upgrading, review the upgrade documentation later in this manual and check the migration documentation for any migation considerations before proceeding.

Some platform-specific installers come in both a package form and a tarball. Follow the instructions for your specific package or tarball.

Installing as root

Splunk must run as root or as a member of the splunk group. When installing from any type of package manager that isn't a tarball, you must install as root. When you install Splunk with root privileges, it creates the user splunk and group splunk (if they do not already exist). If you do not install Splunk with root privileges, it won't attempt to create users or groups.

Splunk can run as any user on the local system. However, the user Splunk runs as must have access rights to read all the data inputs you define. Keep in mind that some files and directories may be in privileged locations and therefore will not be indexed if you don't have the correct ownership settings.

Running Splunk on Windows

To install Splunk, you must have local administrator privileges in order to bind the ports required for splunkd to splunkweb communication. During the install process, you will have the option to select which account splunkd and splunkweb will run as consistently.

Splunk strongly recommends that you run Splunk as the local system account if you do not need to collect data from other machines

If you would like to collect data from additional machines remotely - for example, WMI polling of event logs, or collection IIS logs through a file share - you must install Splunk using a domain service account that you create. This account needs administrator-like permissions on the local box, and sufficient privileges on the target machines to collect your desired data. For more information on WMI polling permission setting, please refer to the WMI documentation.

You can run Splunk as another account besides local system or the local administrator. However, you must grant the following rights to the service account:

• Full control over Splunk's installation directory
• Read access to any flat-file directory (to read whatever files you are configuring it to monitor).
• Permission to log on as a service
• Permission to log on as a batch job.
• Replace a process-level token.
• Permission to act as part of the operating system.
• Permission to bypass traverse checking.

You must allow this account additional, specific permissions if you want to collect the registry or event logs.

Splunk Web's service does not require as many permissions as splunkd to function, and can be safely reduced to:

• Full control over Splunk's install directory
• Log on as a service

Note: It is possible to change the account under which both splunkd and splunkweb run using the change user CLI command.

Disabling update checker

Splunk Web is configured to check for new versions of itself. If you are running Splunk on a LAN that is not connected to the rest of the Web, you will want to disable this feature.

What ports Splunk uses

Splunk uses two network ports by default; ports 8000 (Splunk Web) and 8089 (management port) are opened initially. You can also enable SSL for Splunk Web after you install.

What gets installed

For a complete list of files that Splunk installs, refer to the file manifest for your platform, located in $SPLUNK_HOME, at the same level as the /etc directory.

Advanced installation topics

Before you start Splunk for the first time, review the topics under Advanced Installation. The topics include configuring Splunk to start at boot time, bind to an IP, and run as a non-root user.