This document last updated: 10/06/08 09:10am

Print Installation Manual

Read This First

Before you install

The 3.0 and 3.0.1 releases do not support automated migration from prior releases. Do not attempt this or you may overwrite your configuration files. Install and try the release in a separate file path with different ports. If you wish to migrate now, read about manual migration instructions.

System Requirements

Please check the release notes and download page for details on known issues.

Host Operating System

• Linux 2.6+ kernel Linux distributions (32-bit and 64-bit) and major 2.4+ kernel Linux distributions with NPTL (32-bit only)
• Solaris 8, 9 & 10 / Sparc
• Solaris 9 & 10 / x86
• Mac OS X 10.4 / PPC & x86
• FreeBSD 6.1 or later

Client Operating System / Browser

• Linux: Firefox 1.5 or 2.0; Adobe Flash 9 or higher
• Mac OS X: Firefox 1.5 or 2.0; Adobe Flash 9 or higher
• Windows: Internet Explorer 6 or 7 or Firefox 1.5 or 2.0; Adobe Flash 9 or higher

You can verify your installed version of Flash here

Server Hardware

• 32 and 64-bit architectures are supported.

File System

• Linux - ext2/3, reiser3, XFS
• Solaris - UFS, ZFS, VXFS
• FreeBSD - FFS, UFS
• Mac - HFS
• Note: Most other file systems are supported.
• Note: Running Splunk on a filesystem not listed above may result in a startup function named "locktest" being executed by Splunk. "Locktest" is a program that independently tests the start up process.//

• Running "locktest":
  • From the SPLUNK_HOME directory, source in the Splunk environment (bash . bin/setSplunkEnv). This assumes that setSplunkEnv has been properly configured.
  • Run "locktest". If its successful, Splunk supports the file system. If it is unsuccessful, contact support (support@splunk.com).

Minimum

• 1x1.4 gHz CPU, 1 GB RAM on any modern OS
• 100 MB free disk space

Recommended

• 2x3.4 gHz CPU, 4 GB RAM
• Running Splunk in virtual machine (VM) mode will degrade performance.

Storage

• 12-50% of raw data size depending on indexing configuration and data source.

FreeBSD

To ensure that Splunk functions properly on FreeBSD ensure you have the following /boot/loader.conf:

kern.maxdsiz="2147483648" # 2GB
kern.dfldsiz="2147483648" # 2GB

vm.max_proc_mmap=2147483647
machdep.hlt_cpus=0 

What Gets Installed

• Installation will require 100MB of disk space.
• Storing your indexed data will require 25-50% of the raw data size depending on the type of data and how you configure Splunk.
• The installation creates a home directory for Splunk - by default /opt/splunk .
• If you change the home directory location during installation and it doesn't end in /splunk , the installer will create a splunk subdirectory to avoid overwriting existing directories.
• You can install multiple copies of Splunk on the same host.
• Splunk allocates two network ports. By default only port 8000 (for HTTP or HTTPS), and 8089 (SOAP) are opened. The HTTPS port can be configured after installation.
• The Splunk Toolbar gets installed in SPLUNK_HOME/share/splunk/extras/splunkbar/splunkbar.xpi
• If you are using any type of package manager, you must install as root. You do not have to install as root if you are using the tarball installation.
• If you run the installation with root privileges, it will create a user splunk and a group splunk (if they don't exist). In this case, Splunk must either run as root or as a member of the splunk group.
• If you run the installation without root privileges, it won't attempt to create users or groups. You can run Splunk as the username you installed it as.
• If you want Splunk to run as a non-root user, and are using one of the packages (not a tarball), you can create the user and group first, run the installation as root, and then chown the resulting installation to the desired user.
• For a complete list of files that are installed, check out the file manifest for your install.

Step by Step Installation

Step 1: Unpack the software

Platform-specific installers come in both a package form and a tarball. The Linux build comes in three forms: RPM, deb and tarball. The FreeBSD installer and tarball are both .tgz files. 5.4-intel is the installer, i386 is the tarball.

Follow the instructions for your specific package or tarball.

RPM

Basic install:

rpm -i splunk-2.1-0.i386.rpm

Override the default installation directory /opt/splunk:

rpm -i --prefix=/opt/splunk2.1/splunk  splunk-2.1-0.i386.rpm

If you would like to verify the rpm package signature, you can find our GPG public key here.

deb

Basic install:

dpkg -i splunk-2.1-linux-2.6-intel.deb

The Splunk deb package currently cannot be installed in a directory other than its default, /opt/splunk.

Uninstall:

dpkg -r splunk

Purge (delete everything, even config files):

dpkg -P splunk

Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

FreeBSD

Basic install:

pkg_add splunk-2.1-freebsd-5.4-intel.tgz

Override the default installation directory /opt/splunk:

pkg_add -v -p /usr/splunk splunk-2.1-freebsd-5.4-intel.tgz

Uninstall:

pkg_delete splunk

Uninstall from a non-default directory:

pkg_delete -p /usr/splunk splunk

Splunk package info:

pkg_info -L splunk

List all packages:

pkg_info

Other modifications for BSD

You need this in /boot/loader.conf:

kern.maxdsiz=\"2147483648\" # 2GB
kern.dfldsiz=\"2147483648\" # 2GB

vm.max_proc_mmap=2147483647
machdep.hlt_cpus=0

Mac OS

Basic install:

1. Double-click on splunk.pkg

Override the default installation directory /Applications/splunk:

• When the installer gets to the Select Destination dialog, click Choose... to select a directory other than /Applications

Command-line install:

installer -pkg splunk.pkg

Command-line install to a different disk or partition:

installer -pkg splunk.pkg -target /Volumes/LaCie\ Disk

-target specifies a target volume, such as another disk, where Splunk will be installed in /Applications/splunk .
To install into a directory other than /Applications/splunk on any volume, use the graphical installer as described above.

Solaris

Basic install:

pkgadd -d splunk.pkg

Override the default installation directory /opt/splunk:

pkgadd -a none -d splunk.pkg 

And then specify the new package base directory when prompted.

Uninstall:

pkgrm splunk

Splunk package info:

pkginfo -l splunk

List all packages:

pkginfo

Step 2: Start Splunk

1. Start the server

/opt/splunk/bin/splunk start

The first time you run a new installation, you will be prompted with a license agreement. You must accept the license terms to continue to use Splunk.

Splunk can run as any user on the local system. If you run Splunk as a non-root user you will need to ensure that Splunk has the appropriate permissions to read the inputs that you specify.

The first time you start splunk after a new installation, you will be presented with the license agreement and asked to accept the license. If you want to bypass these steps, you can start splunk and accept the license in one step:

 /opt/splunk/bin/splunk start --accept-license

Please note: there are two dashes before the accept-license option.

2. Load the Splunk GUI in your browser

http://mysplunkhost:8000
(or whatever host and port you installed)

(Use username "admin" and password "changeme" to login to your new Splunk installation for the first time.)

3. Set up one or more data inputs

The first time you browse a new installation, you will see a Guided Setup tool that helps you set up data inputs, licenses, and other configuration options. Alternately, you can configure data inputs from the command line. Below is a typical example.

/opt/splunk/bin/splunk add tail /var/log

Your Splunk Server should show indexed data on its home page immediately after you add a data input. As soon as you see a number greater than "0 events" listed on the server's home page, you're ready to start Splunking!

Step 3: Install your license

If you are performing a new installation of Splunk or switching from one license type to another (for example from Free to Enterprise), you must update your license. You can update your license from the CLI or SplunkWeb interface.

• If you are installing a new Splunk enterprise license for the first time, you will need to log in with the default administrator account: username "admin" and password "changeme".

• You must obtain your license from the email that you received from splunk.com after you signed up for a free trial or purchased Enterprise Splunk.
• You must have a separate license for every instance of Enterprise Splunk that you deploy.

Note: This is for splunk 3.0 and 3.1, for earlier versions, see 2.2.3 instructions.

Using SplunkWeb

1. Gather your Splunk license from the email sent to you by Splunk.
2. Start Splunk
3. Start Splunkweb from inside a web browser. Type in the http:// address given by Splunk when you started it. The address should be: http://<servername>:8000, where 8000 is the default port.
4. Navigate through SplunkWeb and find the "admin" in the upper right corner. Click it.
5. Go to the Admin -> License & Usage -> Change license interface tab. Paste your new license into the text box.
6. Go to the Admin -> Server -> Control tab. Restart the Splunk Server.

From the command line

1. Navigate to the splunk.license file, located in the ./etc/ directory of the Splunk home directory.
2. Copy your new or previous license key file into ./etc/splunk.license beneath your Splunk home directory.

cp -p splunk.license /opt/splunk/etc/

When the correct license is in place, start or restart the Splunk Server.

/opt/splunk/bin/splunk restart

Install Splunk Toolbar

How to Install the Splunk toolbar for Firefox

Splunk toolbar for Firefox is available from the following locations:

1. Splunk.com download page
2. In the following Splunk server directory: $SPLUNK_HOME/share/splunk/extras/splunkbar/

Install from download page

• On the download page, click the link splunktoolbar.xpi
• You'll see a warning message, stating that Firefox prevented this site from asking you to install software. This is expected behavior.
• Click the Edit Options... button
• In the Allowed Sites dialog, click the Allow button.

• www.splunk.com will be listed as a trusted site. Close the dialog box.
• Firefox will now ask you whether you want to install the toolbar. Click Install Now. If the dialog box below does not appear, refresh the browser page.

• You will be the dialog box below. Click Restart Firefox to complete installation.
• Toolbar will be installed. You should see it visible below Firefox's address bar, and also in Firefox's Tools > Add-ons menu

Install from Splunk server

• In Firefox, select menu command File > Open File...
• Point the Open File dialog box to: $SPLUNK_HOME/share/splunk/extras/splunkbar/splunktoolbar.xpi
• Firefox will now ask you whether you want to install the toolbar. Click Install Now.

• Restart Firefox
• Toolbar will be installed. You should see it visible below Firefox's address bar, and also in Firefox's Tools > Add-ons menu

Uninstall Splunk toolbar

1. Start Firefox
2. In Firefox, select menu command Tools > Add-ons
3. Splunk Toolbar will be one of the items listed. Click the Uninstall button.
4. Follow prompts
5. Restart Firefox
6. Toolbar will be gone from Firefox. You can verify by checking Firefox's Tools > Add-ons menu

How to install the Splunk toolbar for Internet Explorer

Splunk toolbar is available from the following locations:

1. Splunk.com download page
2. In the following Splunk directory: $SPLUNK_HOME/share/splunk/extras/splunkbar/

Install Internet Explorer toolbar from download page

• On the download page, click the link 1
• Using Internet Explorer you might see a warning message, stating that Internet Explorer blocked this site from downloading files. This is expected behavior.
• Click on the information bar at the top of the page
• In the drop-down menu, click the "Download File..." link

• Internet Explorer will now ask you whether you want to save or open the file. Click Run.

• For the Security warning window, Click Run

• At this point you may see a warning that you need to install the .NET Framework. Click Yes to continue the .NET install. You can also visit the Microsoft .NET site to complete the install. If you don't see this message, continue on to the next step.

• Toolbar installation wizard will be then launched. Follow the instructions of the wizard:

• You should see the Splunk toolbar visible below Internet Explorer's address bar, and also in View > Toolbars menu

Install toolbar in Internet Explorer

• In Internet Explorer, select menu command File > Open File...
• Point the Open File dialog box to: $SPLUNK_HOME/share/splunk/extras/splunkbar/SplunkIEToolbarSetup.msi
• Internet Explorer will now ask you whether you want to download the file. Follow the instructions above to install the toolbar.

• You should see the Splunk toolbar visible below Internet Explorer's address bar, and also in View > Toolbars menu

Uninstall Internet Explorer toolbar

1. In Start menu choose Control Panel > Add or Remove programs
2. In the list of currently installed programs select Splunk toolbar for Internet Explorer

1. Follow prompts
2. Toolbar will be gone from Internet Explorer. You can verify by checking Internet Explorer's View > Toolbars menu

Advanced Installation Topics

Automated installation

We are still working on this topic for 3.0.

Configure Splunk to Start at System Startup

Starting with version 3.1.1, Splunk provides a utility that will update your system boot configuration so that Splunk starts when the system boots up. This utility will create a suitable init script (or make a similar configuration change, depending on your OS).

As root, run
splunk enable boot-start

If you don't start Splunk as root, you can pass in the -user parameter to specify which user to start Splunk as. For example, if Splunk runs as the user bob, then as root you would run
splunk enable boot-start -user bob

If you want to stop Splunk from running at system startup time, run
splunk disable boot-start

More information is available in $SPLUNK_HOME/etc/init.d/README and if you type help boot-start from the command line.

If you are using a version that is older than 3.1.1, refer to the README in $SPLUNK_HOME/etc/init.d for instructions on how to modify your startup configuration so that Splunk starts up at boot time.
If Splunk is running as non-root, you must modify the startup script to use sudo. See Running as a non root user for more information.
Note: This is only true for versions older than 3.1.1. The boot-start command does this automatically with the -user flag.

License Management

Note: Splunk 3.0 has a new license format. Your Splunk 2.x license will not work with Splunk 3.0. Contact splunk support for a new license.

All Splunk Servers have a license in the subdirectory $SPLUNK_HOME/etc/splunk.license. There are two types of license; the Splunk Free license and the Splunk Enterprise license. Enterprise enables higher volume indexing and additional features. You must purchase a separate license for every instance of Enterprise Splunk that you deploy.

When you first install Splunk, you are allowed to run unlicensed for 30 days. After that you are asked to obtain a Free or Enterprise license. The free license simply requires you to register with Splunk. You are prompted to register when you first install and when you run Splunk unlicensed.

Example of a Splunk license:

user@company.com;EQ/GQXW/J7u9VLJShPsW4m8yi+5a+geRrof4Bep70j32xsBpq
JItM5pdntRfl4auply366BAjTMnfTB6JyzJOZLplyBQijk02fQjgKjakl0ol4N5G6Wr09ufnS
e3iOXVAay24hzFfgDkaijOnkoGOPJqnHaVzaWC9dxIuKUvDPt3UcKTkDv0GkaQ4EZ
xAvZKAFImvOF4PmDoNaMiBgLLkWibGhezFTTDh10PLl9kyeVThGzAyN23J512pVM
3xqNIg3pFcd2aJf31xspt1HRdSwofkfnuCVpzildy3qMbae4g85KpCfND+aJ6z2LoUu3
RQ4OV4SpxMXEZ4PgSGZ6dwA==

Installing or updating a license

If you are performing a new installation of Splunk or switching from one license type to another (for example from Free to Enterprise), you must update your license. You can update your license from the CLI or SplunkWeb interface.

• If you are installing a new Splunk enterprise license for the first time, you will need to log in with the default administrator account: username "admin" and password "changeme".

• You must obtain your license from the email that you received from splunk.com after you signed up for a free trial or purchased Enterprise Splunk.

Installing or updating a license using SplunkWeb (using a web browser)

1. Start Splunkweb from inside a web browser.
2. Go to the Admin -> License & Usage -> Change license interface tab. Paste your new license into the text box.
3. Go to the Admin -> Server -> Control tab. Restart the Splunk Server.

From the command line

1. Navigate to the splunk.license file, located in the ./etc/ directory of the Splunk home directory.
2. Copy your new or previous license key file into ./etc/splunk.license beneath your Splunk home directory.

cp -p splunk.license /opt/splunk/etc/

1. When the correct license is in place, start or restart the Splunk Server.

/opt/splunk/bin/splunk restart

Uninstall Splunk

Use your local package management commands to uninstall Splunk. In most cases, files not originally installed by the package will be retained. This usually means your configuration and index files, which are under the same directory (default /opt/splunk) as the rest of the installation by default.

RedHat Linux

# rpm --e splunk-2.1-0

Debian Linux

# dpkg -r splunk

Solaris

# pkgrm splunk

FreeBSD

# pkg_delete splunk

In most cases, files not originally installed by the rpm package will be retained. This usually means the configuration and index files, which are under the same directory (default ///opt/splunk) as the rest of the installation by default.

Manual uninstall

If you can't use package management commands, these commands will remove the installed components except for any init scripts that have been created.

1. First, find and kill any process with "splunk" in its name.
   • For Linux and Solaris: kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`
   • For FreeBSD and Mac OS: kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`
2. rm -rf /opt/splunk (or wherever you installed Splunk)
3. rm -rf /opt/splunkdata (if a datastore or indexes outside the top-level directory exist)
4. userdel splunk
5. groupdel splunk

Help

Getting Help

Accessing help in SplunkWeb

SplunkWeb has a button labeled Help in its upper right corner. Click this button to pop up a set of help pages.

Accessing help in the command line (CLI)

From the command line on your Splunk Server host, type this command.

/opt/splunk/bin/splunk help 

How can I learn more about Splunk's advanced features?

The best way to explore advanced features is to take the tutorial

You can also explore the command line interface using its inline help. Type $SPLUNK_HOME/bin/splunk help to get started.

I lost my Splunk.com password. What do I do?

Use the recover password feature of the site to have your username and/or password emailed to the address on record.

How do I report problems?

Submit your issue with on our online case submission form or email us at support@splunk.com.

How can I make suggestions?

You can always send an email to our support team at support@splunk.com. Also check out our Live Roadmap where you can vote on upcoming features.

I have some questions that aren't answered here. Where can I get help?

Start with our Documentation.

For help from experienced Splunkers, come to our Forums.

For help -- yes, it's free! -- from the Splunk Support team, submit an online support case (you must be a registered user and log in to use this service). You can also use our IRC support channel. The channel name is #splunk on the EFnet IRC (irc.efnet.org) network.

Splunk customers with an enterprise license get additional premium support options. For full information on our support offerings click here.

Installer options