Preview documentation: caution, tech writers working.
This page last updated: 06/04/08 03:06pm

Install Splunk on Windows

The installation steps for Splunk for Windows have changed to accommodate the new WMI and registry monitoring functionality. This is the updated procedure.

Note: When you run the Splunk Windows installer, you are given the option to select a user Splunk will run as. If you install Splunk as the LOCAL SYSTEM user, WMI remote authentication will not work; this user has null credentials and Windows servers normally disallow such connections.

The Windows installer is an MSI file.

1. To start the installer, double-click the splunk.msi file.
The Welcome panel is displayed.

2. To begin the installation, click Next.

Note: On each panel, you can click Next to continue, Back to go back a step, or Cancel to close the installer.

The licensing panel is displayed.

3. Read the licensing agreement and select "I accept the terms in the license agreement". Click Next to continue installing.
The Customer Information panel is displayed.

4. Enter the requested details and click Next.
The Destination Folder panel is displayed.

Note: Splunk is installed by default into \Program Files\Splunk.

5. Click Change... to specify a different location to install Splunk, or click Next to accept the default value.
The Logon Information panel is displayed.

Splunk installs and runs two Windows services, splunkd and splunkweb. These services will be installed and run as the user you specify on this panel. You can choose to run Splunk as the local system user, or as a user with additional credentials.
The user Splunk runs as must have permissions to:

  • Run as a service
  • Read whatever files you are configuring it to monitor
  • Write to Splunk's directory

Note: If you install as the local system user, some network resources may not be available to the Splunk application. Additionally, WMI remote authentication will not work; this user has null credentials and Windows servers normally disallow such connections. Contact your systems administrator for advice if you are unsure what user to specify.

6. Select a user type and click Next.
If you specified the local system user, proceed to step 8. Otherwise, the Logon Information: specify a username and password panel is displayed.

7. Specify a username and password to install and run Splunk and click Next.

  • To create a new user for Splunk to use, click New User Information... and specify details.
  • To use an existing user, enter or browse for the username and domain details.

The Configure Splunk Data Sources panel is displayed.

8. Check or uncheck boxes to tell Splunk what data you want monitored and indexed:

Important: If you choose to enable baseline snapshots of your local registry hives, the next time you start Splunk, it may take a long time to start up and use a lot of system resources while processing the snapshot. This depends on how large your registry is, and how much of it you plan to monitor. For more information about baseline snapshots and monitoring the Windows registry, refer to Get a baseline snapshot.

The pre-installation summary panel is displayed.

9. Click Install to proceed.
The installer runs and displays the Installation Complete panel.

10. Check the boxes to run Splunk and Splunk Web now. Click Finish.
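
To confirm after installation which account the splunkd and splunkweb services log on as, and which accounts hold write access to Splunk's directory, a check along these lines can be run from PowerShell. This is an added example, not part of the original Splunk documentation; the function names are hypothetical and the default install folder is assumed.

```powershell
# Added example, not Splunk's own tooling.
# Assumption: default install folder; edit $SplunkDir if you changed it in step 5.
$SplunkDir = Join-Path $env:ProgramFiles 'Splunk'

function Get-SplunkServiceAccount {
    # One row per Splunk service with the account it logs on as.
    foreach ($name in 'splunkd', 'splunkweb') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; State = 'NotInstalled'
                               Account = $null; Finding = 'service not found' }
            continue
        }
        # Win32_Service reports the local system account as "LocalSystem".
        $isSystem = $svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'
        [pscustomobject]@{
            Service = $svc.Name
            State   = $svc.State
            Account = $svc.StartName
            Finding = if ($isSystem) {
                'local system: WMI remote authentication will not work'
            } else {
                'named account: confirm service logon right and file permissions'
            }
        }
    }
}

function Get-SplunkDirWriteAce {
    param([string]$Path = $SplunkDir)
    # Allow entries on the Splunk directory that include write access.
    # Lists ACEs as stored; group membership is not resolved here.
    $write = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.FileSystemRights -band $write) -ne 0) } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Get-SplunkServiceAccount | Format-Table -AutoSize
Get-SplunkDirWriteAce    | Format-Table -AutoSize
```

Compare the Account column against the write entries: the account should appear there directly or through a group, and any other principals with write access to the directory deserve a second look.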

Start Splunk

On Windows, Splunk is installed by default into \Program Files\Splunk.

You can start and stop the following Splunk processes via the Windows Services Manager:

  • Server daemon: splunkd
  • Web interface: splunkweb

You can also start, stop, and restart both processes at once by going to \Program Files\Splunk\bin and typing

#  splunk.exe [start|stop|restart]

Note: If you chose not to index one or more of the Windows event logs by unchecking the box(es) at the end of the installation process, and want to begin indexing later, edit $SPLUNK_HOME/etc/bundles/local/inputs.conf as described in Configure inputs via inputs.conf.

Important: You must use two backslashes \\ to escape wildcards in stanza names in inputs.conf.

Install or upgrade license

If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.

Uninstall Splunk

To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.
