This document last updated: 10/06/08 09:10am

Print Installation Manual

Read This First

Before you install

The 3.0.x and 3.1 releases do not support automated migration from prior releases. Do not attempt this or you may overwrite your configuration files. Install and try the release in a separate file path with different ports. If you wish to migrate now, read about manual migration instructions.

Splunk 3.1 now allows searches to contain either a double colon (::) or an equal sign (=) when using fields in a search. This change is the first step in eliminating differences in search syntax between search and extracted fields.

One result of this change is that a search for a literal containing an equal sign will require quotations around the expression with the equal sign. This may cause Saved searches to stop working. Before you install Splunk 3.1, you should examine your saved searches and modify as needed. See the 3.1 change logs for a complete list of new features and known problems in this release.

System Requirements

Please check the release notes and download page for details on known issues.

Host Operating System

• AIX 5.2 and 5.3
• AIX 5.4 has not yet been tested by Splunk. If you wish to give it a try, please try it on a test server and send us feedback.
• Linux 2.6+ kernel Linux distributions (32-bit and 64-bit) and major 2.4+ kernel Linux distributions with NPTL (32-bit only)
• Solaris 8, 9 & 10 / Sparc
• Solaris 9 & 10 / x86
• Mac OS X 10.4 / PPC & x86
• FreeBSD 6.1 (6.2 for 64-bit versions) or later

Client Operating System / Browser

• AIX, BSD and Linux: Firefox 1.5 or 2.0; Adobe Flash 9 or higher
• Mac OS X: Firefox 1.5 or 2.0; Adobe Flash 9 or higher
• Windows: Internet Explorer 6 or 7 or Firefox 1.5 or 2.0; Adobe Flash 9 or higher

You can verify your installed version of Flash here

Server Hardware

• 32 and 64-bit architectures are supported for some platforms. See the download page page for details.

File System

• Linux - ext2/3, reiser3, XFS
• Solaris - UFS, ZFS, VXFS
• FreeBSD - FFS, UFS
• Mac - HFS
• AIX - JFS, JFS2, NFS 3/4
• Note: Most other file systems are supported.
• Note: Running Splunk on a filesystem not listed above may result in a startup function named "locktest" being executed by Splunk. "Locktest" is a program that independently tests the start up process.//
• Running "locktest":
  • From the SPLUNK_HOME directory, source in the Splunk environment (bash . bin/setSplunkEnv). This assumes that setSplunkEnv has been properly configured.
  • Run "locktest". If its successful, Splunk supports the file system. If it is unsuccessful, contact support (support@splunk.com).

Minimum

• 1x1.4 GHz CPU, 1 GB RAM on any modern OS
• 100 MB free disk space

Recommended

• 2x3.4 GHz CPU, 4 GB RAM
• Running Splunk in virtual machine (VM) mode will degrade performance.

Storage

• For standard syslog data up to 50% of raw data size. (Tunable to 12% with lower indexing density.)
• For other data sources your compression rates may be lower and your storage requirements may be higher.
• Faster drives give better search performance.
• For more information on ways to reduce your index density click here

FreeBSD

To ensure that Splunk functions properly on FreeBSD ensure you have the following /boot/loader.conf:

kern.maxdsiz="2147483648" # 2GB
kern.dfldsiz="2147483648" # 2GB

vm.max_proc_mmap=2147483647
machdep.hlt_cpus=0 

Installing as root

• If you are using any type of package manager, you must install as root. You do not have to install as root if you are using the tarball installation.
• If you run the installation with root privileges, it will create a user splunk and a group splunk (if they don't exist). Splunk must either run as root or as a member of the splunk group.
• If you run the installation without root privileges, it won't attempt to create users or groups. You can run Splunk under the username you installed it as.
• If you want Splunk to run as a non-root user, and are using one of the packages (not a tarball), you can create the user and group first, run the installation as root, and then chown the resulting installation to the desired user.
• The user Splunk runs as must have access rights to read all the data inputs you define.
• Network data inputs cannot be over privileged ports, which are usually those lower than 1024 (in particular, Splunk will not be able to accept syslog over the default port of 514).
• Some files and directories may be in privileged locations, which will cause them to not be indexed.

What Gets Installed

• Installation will require 100MB of disk space.
• Storing your indexed data will require 25-50% of the raw data size depending on the type of data and how you configure Splunk.
• The installation creates a home directory for Splunk - by default /opt/splunk .
• If you change the home directory location during installation and it doesn't end in /splunk , the installer will create a splunk subdirectory to avoid overwriting existing directories.
• You can install multiple copies of Splunk on the same host.
• Splunk allocates two network ports. By default only port 8000 (for HTTP or HTTPS), and 8089 (SOAP) are opened. The HTTPS port can be configured after installation.
• The Splunk Toolbar gets installed in SPLUNK_HOME/share/splunk/extras/splunkbar/splunkbar.xpi
• If you are using any type of package manager, you must install as root. You do not have to install as root if you are using the tarball installation.
• If you run the installation with root privileges, it will create a user splunk and a group splunk (if they don't exist). In this case, Splunk must either run as root or as a member of the splunk group.
• If you run the installation without root privileges, it won't attempt to create users or groups. You can run Splunk as the username you installed it as.
• If you want Splunk to run as a non-root user, and are using one of the packages (not a tarball), you can create the user and group first, run the installation as root, and then chown the resulting installation to the desired user.
• For a complete list of files that are installed, check out the file manifest for your install.

Step by Step Installation

Step 1: Unpack the software

Some platform-specific installers come in both a package form and a tarball. The Linux build comes in three forms: RPM, deb and tarball. The FreeBSD installer and tarball are both .tgz files. 5.4-intel is the installer, i386 is the tarball. The AIX install comes in tarball form only. We plan to release a native install package in a later release.

Follow the instructions for your specific package or tarball.

Note: If you are using any type of package manager, you must install as root. You do not have to install as root if you are using the tarball installation.

Tarball

Note:If you are installing using the tarball, Splunk does not create the Splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually.

1. Unpack the tarball into an appropriate directory. Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.
2. Then, edit ./bin/setSplunkEnv to set the value of $SPLUNK_HOME to that directory.
3. If you have a Splunk enterprise license, replace ./etc/splunk.license with your license.
4. Start the server with the command ./bin/splunk start and follow the instructions.
5. To configure Splunk to start at boot time, use the ./splunk enable boot-start command. For more information, refer to Configuring Splunk to Start at System Startup.
6. Open http://<hostname>:8000 in a browser. Your hostname and port may vary.

For AIX 5.3, make sure you are up to date on your service packs. Splunk requires the following service level:

$ oslevel -r
5300-05
$

Note: If you use the tarball installer and install in any directory other than opt/splunk, you must set your path in $Splunk_Home/bin/setSplunkEnv. Find and edit this part of the file:

# Determine Splunk home
if [ -z "${SPLUNK_HOME}" ] ; then
    # Modify the following line to suit the location of your splunk install.
    SPLUNK_HOME= $YOUR_SPLUNK_LOCATION
    [ $DEBUG -eq 1 ] && echo "Splunk home: $SPLUNK_HOME"

Set SPLUNK_HOME to your install location. For example, if you installed in home/user your path is home/user/splunk.

RPM

Basic install:

rpm -i splunk-2.1-0.i386.rpm

Override the default installation directory /opt/splunk:

rpm -i --prefix=/opt/splunk2.1/splunk  splunk-2.1-0.i386.rpm

If you would like to verify the rpm package signature, you can find our GPG public key here.

deb

Basic install:

dpkg -i splunk-2.1-linux-2.6-intel.deb

The Splunk deb package currently cannot be installed in a directory other than its default, /opt/splunk.

Uninstall:

dpkg -r splunk

Purge (delete everything, even config files):

dpkg -P splunk

Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

FreeBSD

Basic install:

pkg_add splunk-2.1-freebsd-5.4-intel.tgz

Override the default installation directory /opt/splunk:

pkg_add -v -p /usr/splunk splunk-2.1-freebsd-5.4-intel.tgz

Uninstall:

pkg_delete splunk

Uninstall from a non-default directory:

pkg_delete -p /usr/splunk splunk

Splunk package info:

pkg_info -L splunk

List all packages:

pkg_info

Other modifications for BSD

You need this in /boot/loader.conf:

kern.maxdsiz=\"2147483648\" # 2GB
kern.dfldsiz=\"2147483648\" # 2GB

vm.max_proc_mmap=2147483647
machdep.hlt_cpus=0

Mac OS

Basic install:

1. Double-click on splunk.pkg

Override the default installation directory /Applications/splunk:

• When the installer gets to the Select Destination dialog, click Choose... to select a directory other than /Applications

Command-line install:

Mount the dmg:

hdid splunk_package_name.dmg

Install on the root volume:

installer -pkg splunk.pkg -target /

Command-line install to a different disk or partition:

installer -pkg splunk.pkg -target /Volumes/LaCie\ Disk

-target specifies a target volume, such as another disk, where Splunk will be installed in /Applications/splunk .
To install into a directory other than /Applications/splunk on any volume, use the graphical installer as described above.

Solaris

Basic install:

pkgadd -d splunk.pkg

Override the default installation directory /opt/splunk:

pkgadd -a none -d splunk.pkg 

And then specify the new package base directory when prompted.

Uninstall:

pkgrm splunk

Splunk package info:

pkginfo -l splunk

List all packages:

pkginfo

Step 2: Start Splunk

1. Start the server

/opt/splunk/bin/splunk start

The first time you run a new installation, you will be prompted with a license agreement. You must accept the license terms to continue to use Splunk.

Splunk can run as any user on the local system. If you run Splunk as a non-root user you will need to ensure that Splunk has the appropriate permissions to read the inputs that you specify.

The first time you start splunk after a new installation, you will be presented with the license agreement and asked to accept the license. If you want to bypass these steps, you can start splunk and accept the license in one step:

 /opt/splunk/bin/splunk start --accept-license

Please note: there are two dashes before the accept-license option.

2. Load the Splunk GUI in your browser

http://mysplunkhost:8000
(or whatever host and port you installed)

(Use username "admin" and password "changeme" to login to your new Splunk installation for the first time.)

3. Set up one or more data inputs

The first time you browse a new installation, you will see a Guided Setup tool that helps you set up data inputs, licenses, and other configuration options. Alternately, you can configure data inputs from the command line. Below is a typical example.

/opt/splunk/bin/splunk add tail /var/log

Your Splunk Server should show indexed data on its home page immediately after you add a data input. As soon as you see a number greater than "0 events" listed on the server's home page, you're ready to start Splunking!

Step 3: Install your license

If you are performing a new installation of Splunk or switching from one license type to another (for example from Free to Enterprise), you must update your license. You can update your license from the CLI or SplunkWeb interface.

• If you are installing a new Splunk enterprise license for the first time, you will need to log in with the default administrator account: username "admin" and password "changeme".

• You must obtain your license from the email that you received from splunk.com after you signed up for a free trial or purchased Enterprise Splunk.
• You must have a separate license for every instance of Enterprise Splunk that you deploy.

Note: This is for splunk 3.0 and 3.1, for earlier versions, see 2.2.3 instructions.

Using SplunkWeb

1. Gather your Splunk license from the email sent to you by Splunk.
2. Start Splunk
3. Start Splunkweb from inside a web browser. Type in the http:// address given by Splunk when you started it. The address should be: http://<servername>:8000, where 8000 is the default port.
4. Navigate through SplunkWeb and find the "admin" in the upper right corner. Click it.
5. Go to the Admin -> License & Usage -> Change license interface tab. Paste your new license into the text box.
6. Go to the Admin -> Server -> Control tab. Restart the Splunk Server.

From the command line

1. Navigate to the splunk.license file, located in the ./etc/ directory of the Splunk home directory.
2. Copy your new or previous license key file into ./etc/splunk.license beneath your Splunk home directory.

cp -p splunk.license /opt/splunk/etc/

When the correct license is in place, start or restart the Splunk Server.

/opt/splunk/bin/splunk restart

Install Splunk Toolbar

How to Install the Splunk toolbar for Firefox

Splunk toolbar for Firefox is available from the following locations:

1. Splunk.com download page
2. In the following Splunk server directory: $SPLUNK_HOME/share/splunk/extras/splunkbar/

Install from download page

• On the download page, click the link splunktoolbar.xpi
• You'll see a warning message, stating that Firefox prevented this site from asking you to install software. This is expected behavior.
• Click the Edit Options... button
• In the Allowed Sites dialog, click the Allow button.

• www.splunk.com will be listed as a trusted site. Close the dialog box.
• Firefox will now ask you whether you want to install the toolbar. Click Install Now. If the dialog box below does not appear, refresh the browser page.

• You will be the dialog box below. Click Restart Firefox to complete installation.
• Toolbar will be installed. You should see it visible below Firefox's address bar, and also in Firefox's Tools > Add-ons menu

Install from Splunk server

• In Firefox, select menu command File > Open File...
• Point the Open File dialog box to: $SPLUNK_HOME/share/splunk/extras/splunkbar/splunktoolbar.xpi
• Firefox will now ask you whether you want to install the toolbar. Click Install Now.

• Restart Firefox
• Toolbar will be installed. You should see it visible below Firefox's address bar, and also in Firefox's Tools > Add-ons menu

Uninstall Splunk toolbar

1. Start Firefox
2. In Firefox, select menu command Tools > Add-ons
3. Splunk Toolbar will be one of the items listed. Click the Uninstall button.
4. Follow prompts
5. Restart Firefox
6. Toolbar will be gone from Firefox. You can verify by checking Firefox's Tools > Add-ons menu

How to install the Splunk toolbar for Internet Explorer (beta)

Please note that this software is currently in beta version. If you encounter any problems running the software or have any comments on its functionality please feel free to contact our support team.

Splunk toolbar is available from the following locations:

1. Splunk.com download page
2. In the following Splunk directory: $SPLUNK_HOME/share/splunk/extras/splunkbar/

Install Internet Explorer toolbar from download page

• On the download page, click the link 1
• Using Internet Explorer you might see a warning message, stating that Internet Explorer blocked this site from downloading files. This is expected behavior.
• Click on the information bar at the top of the page
• In the drop-down menu, click the "Download File..." link

• Internet Explorer will now ask you whether you want to save or open the file. Click Run.

• For the Security warning window, Click Run

• At this point you may see a warning that you need to install the .NET Framework. Click Yes to continue the .NET install. You can also visit the Microsoft .NET site to complete the install. If you don't see this message, continue on to the next step.

* After installing the .Net framework return to Step 1 and run the toolbar installer again. Now you shouldn't see the warning message anymore.

• Toolbar installation wizard will be then launched. Follow the instructions of the wizard:

• You should see the Splunk toolbar visible below Internet Explorer's address bar, and also in View > Toolbars menu

Install toolbar in Internet Explorer

• In Internet Explorer, select menu command File > Open File...
• Point the Open File dialog box to: $SPLUNK_HOME/share/splunk/extras/splunkbar/SplunkIEToolbarSetup.msi
• Internet Explorer will now ask you whether you want to download the file. Follow the instructions above to install the toolbar.

• You should see the Splunk toolbar visible below Internet Explorer's address bar, and also in View > Toolbars menu

Uninstall Internet Explorer toolbar

1. In Start menu choose Control Panel > Add or Remove programs
2. In the list of currently installed programs select Splunk toolbar for Internet Explorer

1. Follow prompts
2. Toolbar will be gone from Internet Explorer. You can verify by checking Internet Explorer's View > Toolbars menu

Advanced Installation Topics

Automated installation

We are still working on this topic for 3.0.

Configure Splunk to Start at System Startup

Starting with version 3.1.1, Splunk provides a utility that will update your system boot configuration so that Splunk starts when the system boots up. This utility will create a suitable init script (or make a similar configuration change, depending on your OS).

As root, run
splunk enable boot-start

If you don't start Splunk as root, you can pass in the -user parameter to specify which user to start Splunk as. For example, if Splunk runs as the user bob, then as root you would run
splunk enable boot-start -user bob

If you want to stop Splunk from running at system startup time, run
splunk disable boot-start

More information is available in $SPLUNK_HOME/etc/init.d/README and if you type help boot-start from the command line.

If you are using a version that is older than 3.1.1, refer to the README in $SPLUNK_HOME/etc/init.d for instructions on how to modify your startup configuration so that Splunk starts up at boot time.
If Splunk is running as non-root, you must modify the startup script to use sudo. See Running as a non root user for more information.
Note: This is only true for versions older than 3.1.1. The boot-start command does this automatically with the -user flag.

Run Splunk as a non-root user

Splunk can run as any user on the local system.
If you run Splunk as a non-root user, make sure Splunk has the appropriate permissions to:

• Read the files and directories it is configured to watch
  • Some log files and directories may require root or superuser access to be indexed
• Bind to the network ports it is listening on (ports below 1024 are reserved ports that only root can bind to)
  • UDP port 514 is the port for syslog data
• Execute any scripts configured to work with your alerts or scripted input

Start Splunk as a non-root user

To run Splunk as the splunk user run the command:

sudo -H -u splunk /opt/splunk/bin/splunk start

• If Splunk is installed in an alternate location, update the path in the command accordingly.
• Your system may not have sudo installed. If this is the case, you can use su.
• If you are installing using a tarball and want Splunk to run as a particular user (such as splunk), you must create that user manually.

SELinux

If you have SELinux active on your system, you need to add splunk to the authenticated apps that can run in your SELinux environment.

To configure selinux to allow splunk to run, you need to run the
chcon command on the splunk lib directory. Here is what you type :

chcon -c -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib 2>&1 > /dev/null

You also need to disable the check when splunk starts by adding this line
to the $SPLUNK_HOME/bin/setSplunkEnv script

export SPLUNK_IGNORE_SELINUX=1

License Management

Note: Splunk 3.0 has a new license format. Your Splunk 2.x license will not work with Splunk 3.0. Contact splunk support for a new license.

All Splunk Servers have a license in the subdirectory $SPLUNK_HOME/etc/splunk.license. There are two types of license; the Splunk Free license and the Splunk Enterprise license. Enterprise enables higher volume indexing and additional features. You must purchase a separate license for every instance of Enterprise Splunk that you deploy.

When you first install Splunk, you are allowed to run unlicensed for 30 days. After that you are asked to obtain a Free or Enterprise license. The free license simply requires you to register with Splunk. You are prompted to register when you first install and when you run Splunk unlicensed.

Example of a Splunk license:

user@company.com;EQ/GQXW/J7u9VLJShPsW4m8yi+5a+geRrof4Bep70j32xsBpq
JItM5pdntRfl4auply366BAjTMnfTB6JyzJOZLplyBQijk02fQjgKjakl0ol4N5G6Wr09ufnS
e3iOXVAay24hzFfgDkaijOnkoGOPJqnHaVzaWC9dxIuKUvDPt3UcKTkDv0GkaQ4EZ
xAvZKAFImvOF4PmDoNaMiBgLLkWibGhezFTTDh10PLl9kyeVThGzAyN23J512pVM
3xqNIg3pFcd2aJf31xspt1HRdSwofkfnuCVpzildy3qMbae4g85KpCfND+aJ6z2LoUu3
RQ4OV4SpxMXEZ4PgSGZ6dwA==

Installing or updating a license

If you are performing a new installation of Splunk or switching from one license type to another (for example from Free to Enterprise), you must update your license. You can update your license from the CLI or SplunkWeb interface.

• If you are installing a new Splunk enterprise license for the first time, you will need to log in with the default administrator account: username "admin" and password "changeme".

• You must obtain your license from the email that you received from splunk.com after you signed up for a free trial or purchased Enterprise Splunk.

Installing or updating a license using SplunkWeb (using a web browser)

1. Start Splunkweb from inside a web browser.
2. Go to the Admin -> License & Usage -> Change license interface tab. Paste your new license into the text box.
3. Go to the Admin -> Server -> Control tab. Restart the Splunk Server.

From the command line

1. Navigate to the splunk.license file, located in the ./etc/ directory of the Splunk home directory.
2. Copy your new or previous license key file into ./etc/splunk.license beneath your Splunk home directory.

cp -p splunk.license /opt/splunk/etc/

1. When the correct license is in place, start or restart the Splunk Server.

/opt/splunk/bin/splunk restart

Uninstall Splunk

Use your local package management commands to uninstall Splunk. In most cases, files not originally installed by the package will be retained. This usually means your configuration and index files, which are under the same directory (default /opt/splunk) as the rest of the installation by default.

RedHat Linux

# rpm --e splunk-2.1-0

Debian Linux

# dpkg -r splunk

Solaris

# pkgrm splunk

FreeBSD

# pkg_delete splunk

In most cases, files not originally installed by the rpm package will be retained. This usually means the configuration and index files, which are under the same directory (default ///opt/splunk) as the rest of the installation by default.

Manual uninstall

If you can't use package management commands, these commands will remove the installed components except for any init scripts that have been created.

1. First, find and kill any process with "splunk" in its name.
   • For Linux and Solaris: kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`
   • For FreeBSD and Mac OS: kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`
2. rm -rf /opt/splunk (or wherever you installed Splunk)
3. rm -rf /opt/splunkdata (if a datastore or indexes outside the top-level directory exist)
4. userdel splunk
5. groupdel splunk

Upgrade Instructions

Read this first before upgrading to 3.1.x

If you are upgrading from 3.0.x to 3.1, there are no special instructions.
If you are upgrading from 2.x to 3.1.x, you must perform some additional steps to manually re-implement some of your 2.2.3 and earlier configurations using 3.0 methods.

The following describes some major changes in 3.1.x that you should understand prior to beginning the upgrade.

Form search

Search strings can now contain variables that are rendered as form elements in SplunkWeb. When used with saved searches, you can search efficiently without knowing the details of the search language. Form search simplifies searching by asking you to input exactly the parameters you are looking for, instead of a complete and potentially complex search.

Search language simplification

As a result of ongoing simplification of the search language, you can now use equal signs where double colons were required. In prior releases, search field syntax required a double colon but extracted field syntax required an equal sign. For example, host::splunker was used for the host search field and myfield=value was used for the extracted field myfield. Now, you can use equal signs when performing searches in both search and extracted fields.

• For example: key::value pairs are expressed as field="value" or field=value.
• When searching literally for a key=value pair, you must place quotes around the literal expression of the key value pair.

"key=value" | top

• A bug with time-based search modifiers in saved searches occurs because of the implementation of the search language simplification. See the 3.1 Known Issues page under "search and navigation" for details.

Archiving

With the introduction of enhanced archiving and the export command, you can now archive your Splunk data based on time and size, critical for large and long-term data storage issues common with compliance mandates. This data can be easily resurrected back into Splunk for historical searches, and you can now export data simply and easily to put Splunk-gathered data anywhere. See the 3.1 changelog for links to the new commands and features.

Upgrading 2.1.x or 2.2.x to 3.1.x

Note: Do not attempt to migrate to 3.1.x or higher from 2.0.x. You must first upgrade and migrate your data to 2.2.3 format. Read the 2.0.x to 2.2.x migration instructions. You will also have to migrate from 3.x to 3.1 after migrating from 2.x.

Step 1: Administrative preparation

Obtain your new license(s)

Splunk 3.1 requires an entirely new form of license key (same as 3.x). If you are a Splunk Professional customer (from 2.x), you must obtain a new Enterprise license (Professional is now known as Enterprise) even if your 2.x license has not expired. New licenses can be obtained through customer support or via your store account. If you have a current Enterprise support agreement, it is likely that customer support has already re-issued your license and attached it to your store account. Just log into www.splunk.com, and go to store -> my orders to view all of your licenses. Please contact support if this is not the case.

If you are using a Free license then there will be no need to install a 3.x license. The default 3.x Free license will be installed automatically if no license is detected on startup.

Back up your old instance(s)

Please backup your 2.x instances before attempting to update them to 3.x or higher. At a minimum make sure the $SPLUNK_HOME/etc and $SPLUNK_HOME/var directories in all your instances are backed up to a separate location before proceeding. If you have Splunk instances in production we recommended piloting the update in a staging environment before attempting it in production. It is possible to recover a corrupt instance or one in an indeterminate state but you will require assistance from customer support to do so.

Plan your update

Please read through both the upgrade overview and this entire page before attempting your first update. The update process involves overlaying Splunk 3.x over your 2.x instance (then a simple upgrade to 3.1.x). If you're using packages native to your platform you'll use their update mechanisms. If you have a tar installation you'll simply extract 3.x over your 2.x instance after backing up your configuration. In either case you'll update your database to function with 3.x and move your configuration back in place after the 3.x package is in place. The time required to complete the update depends on the complexity of your configuration, not the size of your database(s).

Have questions?

Please do not hesitate to contact support if you have questions or experience problems updating to 3.x.

Step 2: Install a 3.x package and update your database

NOTE: If you have a Splunk Enterprise license (formerly known as Splunk Professional) be sure you have obtained a new 3.x license before proceeding.

This process requires the installed configuration to be moved out of the way and then be restored after installation and database migration. Until configuration is restored the default ports will be used. Those ports are 8000 and 8089. It would be best to ensure there are no conflicts on ports 8000 and 8089 before executing the data migration step. Note that Splunk 3.x only listens on one HTTP port and one management port, unlike 2.x which listened on one HTTP port, one HTTPS port, and one management port. That is why only 8000 and 8089 are important for this step. The HTTP port can be configured to be HTTPS (see Step 3).

To install Splunk 3.x over 2.1.x or 2.2.x and fashion the 2.1x or 2.2.x database for use in 3.x:

1. Stop the 2.1.x or 2.2.x Splunk server.
2. Event types and tags will be lost when the database is migrated. If you wish to preserve your tags execute $SPLUNK_HOME/bin/splunk export globaldata before proceeding. (Note: Splunk must be running to execute this command.) Host tags and sourcetype aliases can be recovered with a procedure outlined below. We will release a procedure to convert event types at a later time.
3. Move $SPLUNK_HOME/etc to $SPLUNK_HOME/etc.bak. Directory must be named etc.bak. The native packages will move the configuration to $SPLUNK_HOME/etc.bak automatically.
4. Ensure your database, by default everything in $SPLUNK_HOME/var/lib, has been backed up to a location outside of $SPLUNK_HOME. The native packages will not do this automatically.
5. Update the native package or overlay the 3.x tar over the 2.x installation.
6. If you are upgrading from version 2.2.x or higher and are not using LDAP and wish to migrate your user accounts, copy $SPLUNK_HOME/etc.bak/auth/splunk.secret to $SPLUNK_HOME/etc/auth. Copy $SPLUNK_HOME/etc.bak/passwd to $SPLUNK_HOME/etc. Your 2.x accounts should then work as normal in 3.x..
7. If you are upgrading from version 2.1.x, and are not using LDAP, you will not already have the passwd file; the users are still stored in the authentication database. Follow these instructions to run the provided script to pull your users into a passwd file for you to use:
   1. Download the migrate_users.py.gz file
   2. Uncompress the migrate_users.py script to the Splunk 2.2 machine's $SPLUNK_HOME directory.
   3. Source $SPLUNK_HOME/bin/setSplunkEnv into your shell's environment.
   4. Execute python migrate_users.py $SPLUNK_HOME.
8. If using tar archives, reset the SPLUNK_HOME value in $SPLUNK_HOME/bin/setSplunkEnv to the correct value.
9. If you moved your datastore from the default $SPLUNK_HOME/var/lib/splunk location, edit the SPLUNK_DB value in $SPLUNK_HOME/bin/setSplunkEnv to the correct path.
10. If you have Splunk Professional 2.2.x or 2.1.x , copy a 3.x Enterprise license into $SPLUNK_HOME/etc.
11. Source $SPLUNK_HOME/bin/setSplunkEnv into your shell. (If you are already in the directory, the command is "source setSplunkEnv".)
12. Important! The following step will start and restart your instance. Absent configuration Splunk 3.x will attempt to bind to its default ports, 8000 and 8089. If you or your environment cannot tolerate this, please skip to the "Port information in search.user.xml and splunkd.xml" section below and migrate your port configuration before proceeding. It is enough to have your port information in $SPLUNK_HOME/etc/bundles/local/web.conf in place. Do not start Splunk to confirm your configuration before proceeding to the next step as you haven't migrated your database.
13. Execute python $SPLUNK_HOME/bin/migrate_2x_data_to_3x.py. This will migrate the data, start, and restart Splunk. This is necessary for Splunk to correctly re-scan the database files. This is a one way process. Tags will be lost (see above for tag preservation information).
14. Splunk 3.x is now active but your configuration is empty. No inputs will be active until step 3 is completed. If your instance consumes live inputs that cannot tolerate downtime, make provisions to redirect those inputs to a file for later consumption. Configuration in $SPLUNK_HOME/etc.bak is ready for migration. Note that certain elements of the UI may appear corrupt or incorrect immediately after migration. It is necessary to clear your browser's cache after the update to remedy this.

Step 3: Update and restore your configuration files

Most configuration options previously controlled by XML files have now been moved to configuration files. This change makes it easier to
administer a Splunk server and easier to deploy configuration changes to other Splunk servers via bundles and the Splunk deployment server.

The purpose of this section is to provide a map between 2.x and 3.x configuration. It is not to provide exhaustive documentation of all
3.x configuration. Please review the 3.x administration guide for full details of how 3.x works and 3.x administration.

The process of updating and restoring your configuration involves moving some configuration information out of XML files and into bundle
files and updating your bundle files to work with 3.x. You'll need to migrate configuration parameters from $SPLUNK_HOME/etc.bak to $SPLUNK_HOME/etc.

At a high level the necessary configuration changes are:

• Port information in a 2.x $SPLUNK_HOME/etc/myinstall/search.user.xml needs to be moved to 3.x $SPLUNK_HOME/etc/bundles/local/web.conf. This file has moved from XML to Splunk bundle format.
• All configuration in a 2.x $SPLUNK_HOME/etc/myinstall/pluginConfs/multiIndexer.xml needs to be moved to 3.x $SPLUNK_HOME/etc/bundles/local/indexes.conf. This file has moved from XML to Splunk bundle format.
• If your 2.x instance is a lightweight forwarder then it's best to just set that configuration via the 3.x Splunk Web interface or CLI. In 3.x configuration of a forwarder with local indexing disabled automatically configures Splunk in a minimal mode.
• The 2.x bundle file regexes.conf is called transforms.conf in 3.x and the 3.x bundle file props.conf now requires the attribute prefix REGEXES- to be changed to TRANSFORMS-.
• The 2.x bundle files savedsplunks.conf and livesplunks.conf have been combined into the 3.x bundle file savedsearches.conf.
• The 2.x bunde file auth.conf is a subset of configuration available in the 3.x bundle file auth.conf. A new required parameter must be added to your 2.x configuration. (pageSize = 0)
• The 2.x XML file $SPLUNK_HOME/etc/myinstall/pluginConfs/cleaners.xml is now easier to administrate in the 3.x bundle file segmenters.conf.

XML Configuration Updates

Port information in search.user.xml and splunkd.xml

By default Splunk 2.x opened three ports. An HTTP port, and HTTPs port, and a management port. Splunk 3.x only opens two ports. A web port and a management port. The web port can be configured to be either HTTP or HTTPS. The default 3.x configuration can be observed at $SPLUNK_HOME/etc/bundles/default/web.conf. Documentation and an example of the 3.x web.conf file can be found at $SPLUNK_HOME/etc/bundles/README/web.conf.[spec|example] or here.

To migrate your settings from 2.x to 3.x it should just be a matter of configuring the same ports used in the 2.x search.user.xml file in an override 3.x stanza in $SPLUNK_HOME/etc/bundles/local/web.conf. If you're using SSL and are also using your own certificates then you'll want to place those certificates from your 2.x instance in the location where the default 3.x web.conf file expects them, or override those configuration parameters in your local web.conf file as well.

Multiple indexes in 3.x

In 2.x all indexes were specified in $SPLUNK_HOME/etc/myinstall/pluginConfs/multiIndexer.xml. This file has been converted into a bundle in 3.x. In 3.x the set of default indexes are configured in $SPLUNK_HOME/etc/bundles/default/indexes.conf. Additional custom indexes may be added in $SPLUNK_HOME/etc/bundles/local/indexes.conf. Be sure to place the 3.x configuration information after migrating your database. If you don't also configure your custom indexes in Splunk 3.x then you won't see them. It should be readily apparent how the parameters in the 2.x XML file maps to the 3.x bundle file. Be aware that the index dropdown in 2.x is not present in 3.x. Search in your custom indexes with the index::yourcustomindexname search operator.

Documentation and an example of the 3.x indexes.conf file can be found at $SPLUNK_HOME/etc/bundles/README/indexes.conf.[spec|example] or here.

Bundle Configuration Updates

2.x regexes.conf is now 3.x transforms.conf

The file regexes.conf is ignored in 3.x. The file was renamed and extended to better serve its purpose - transforming data inputs and events based on requirements to modify and extend Splunk's automated processing. Like regexes.conf, transforms.conf is referenced by props.conf and may contain regular expressions to extract the target of the transformation. The format and actions of the individual attributes within the file has not changed. Rename your regexes.conf to transforms.conf. Then modify props.conf to refer to the transform.

Change regexes to transforms

Props.conf used to refer to regexes in the regexes.conf file. Now it refers to transforms in the transforms.conf file. In addition, the attribute prefix in props.conf has changed from REGEXES- to TRANSFORMS-. See the 3.x admin manual reference pages on props.conf and transforms.conf for full details.

An example of Splunk 2.x to Splunk 3.x regex to transforms changes:

In props.conf change from the following 2.x style:

[cisco_syslog]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
REGEXES = syslog-host
...

to the following 3.x props.conf style:

[cisco_syslog]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
TRANSFORMS = syslog-host
...

A stanza in a 3.x transforms.conf looks like stanzas in 2.x regexes.conf:

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]+)\]?\s
FORMAT = host::$1

Note that if you are using a regexes.conf stanza in 2.x in order to extract fields at search time for use with the report:: search modifier, you will want to read about how to define extracted fields in 3.x as well as read about the new search language which has many powerful native statistical and structured search commands including select, where, fields, stats, top and rare which have replaced and improved upon the 2.x report:: search modifier.

2.x savedsplunks.conf and livesplunks.conf is now 3.x savedsearches.conf

The 2.x savedsplunks.conf and livesplunks.conf files have been combined into one overall savedsearches.conf file. In 3.x you can add scheduling and alert information directly to the saved search. The old live splunk subsystem in 2.x has been completely replaced with the new scheduling and alerting subsystem in 3.x.

The name/value pairs in savedsplunks.conf should map directly to savedsearches.conf with one exception. Use just the raw search string in 3.x, not the entire XML value of the query parameter in 2.x. Be sure a user exists in the 3.x instance with the same userid you're bringing over from 2.x.

The name/value pairs from livesplunks.conf will not map cleanly into savedsearches.conf. You do not need to bring over the savedsplunkid parameter as alert information is now stored directly with the saved search. The next change is that the 3.x saved searches.conf file uses a cron-like scheduling parameter in replacement of several run and range parameters in livesplunks.conf. It should be readily apparent how to map the relation and action configuration if one compares your livesplunks.conf stanza to the 3.x spec and example files. ($SPLUNK_HOME/etc/bundles/README/savedsearches.conf.[spec|example])

Special note about saved report:: searches

The only search syntax element that is not backwards compatible between 3.x and prior versions is report::. If you have saved searches that use report::, you should update them to take advantage of the new search language which has many powerful native statistical and structured search commands including select, where, fields, stats, top and rare which have replaced and improved upon the 2.x report:: search modifier. These new commands are both more flexible and faster than the old report:: modifier.

2.x auth.conf in LDAP mode to 3.x auth.conf in LDAP mode

If you're using LDAP authentication in 2.x then you can copy your auth.conf file into 3.x and use it if you make the following changes:

• Add name/value pairs userBaseFilter and groupBaseFilter. If you're unsure how to use LDAP filters you may safely supply the value '(objectclass=*)' without the quotes for these parameters. This filter will match every entry below your specified base DNs. Restrict the filter if you do not want this.

• Add the name/value pair pageSize. A pageSize of 0 means to use LDAPv2. A nonzero page size will use LDAPv3 with an additional control for paging. A nonzero page size is necessary if your using Microsoft Active Directory.

2.x cleaners.xml is now 3.x segmenters.conf

If you've modified your segmenters in your 2.x instance you should add them to your local segmenters.conf file. $SPLUNK_HOME/etc/bundles/local/segmenters.conf. See $SPLUNK_HOME/etc/bundles/README/segmenters.conf.[spec|example] for detailed information.

Data Inputs

In general nearly all data input parameters should map cleanly from 2.x to 3.x with the exception of the regexes/transforms transition described above. If you have a concern about a particular parameter you should browse $SPLUNK_HOME/etc/bundles/README for the parameter in question and see if it's usage has changed from 2.x to 3.x. If something about the data input configuration gets lost in translation there should be clear error messages in splunkd.log. Be aware that 3.x is capable of eating archive files directly without needing them to be uncompressed first.

Other Configuration Updates

Splunk Users

The procedure for migrating non-LDAP users is covered in Step 2. The procedure for migrating LDAP configuration is covered in Step 3. Select the method that is appropriate for you.

Lightweight Forwarders

Splunk 2.x required extensive configuration changes to run in a minimal mode for a forwarding-only instance. In Splunk 3.x this configuration is done for you automatically if you enable forwarding and disable local indexing in the GUI. Splunk should only consume about 100 MB RAM in the 3.x configuration, usually less. It is possible for 2.x forwarders to forward to a 3.x instance.

Custom C++ Processors

If your 2.x instance contains a custom C++ module, that module should work with 3.x. Be aware, however, that Splunk 3.x ships with fewer shared objects than Splunk 2.x. In particular, libstdc++ is no longer included with the distribution. If you use your platform's libstdc++ and other libraries, your module should work.

Distributed Search

It is easiest to simply re-configure your 2.x distributed search hosts via Splunk Web in 3.x. Be aware that it is not possible to mix 2.x and 3.x servers in a distributed search cluster. Enhancements to the search language in the 3.x product prevent this from working. Note that the "Splunk-2-Splunk" tab in the 2.x admin section has been renamed "Distributed" in the 3.x admin section.

Host tags and source type aliases

If in Step 2 you exported your global data to an XML file you can convert and re-import the host tag and sourcetype aliases into your Splunk 3.x instance. With $SPLUNK_HOME/bin/setSplunkEnv sourced from a 3.x instance, execute

python $SPLUNK_HOME/bin/migrate_2x_exported_data_to_3x.py $YOUREXPORTEDFILENAME
splunk import globaldata $YOUREXPORTEDFILENAME.readyfor30import -auth admin:$YOURPASSWORD

To confirm the procedure you should be able to see your host tags in type ahead and also see the correct data exported with a splunk export globaldata command.

Upgrading from Splunk versions 3.0.x through 3.1.x to Splunk versions 3.1.x through 3.1.5

If you are upgrading from a Splunk version in the range of 3.0.x through 3.1.x to any version in the range 3.1.x through 3.1.3, you must back up your $SPLUNK_HOME/etc/* directories manually. These instructions explain how to do this.

Note: By convention, this document uses $SPLUNK_HOME to refer to the location of your Splunk install.

For rpm, pkg, and deb upgrades

1. Create a backup of your /etc directories:
   • cp -a $SPLUNK_HOME/etc/ $SPLUNK_HOME/etc.bak
2. Upgrade Splunk using rpm -U on the Splunk rpm or pkg file.
3. Restore your configuration to the upgraded installation by copying your backed up /etc directories and files. Copy the following directories and files as indicated:
   • $SPLUNK_HOME/etc.bak/auth/* to $SPLUNK_HOME/etc/auth/
   • $SPLUNK_HOME/etc.bak/passwd to $SPLUNK_HOME/etc/
   • $SPLUNK_HOME/etc.bak/bundles/local/* to $SPLUNK_HOME/etc/local/
   • $SPLUNK_HOME/etc.bak/splunk.license to $SPLUNK_HOME/etc/splunk.license
   • For any bundles directories you have created in your existing installation, copy:
     • $SPLUNK_HOME/etc.bak/bundles/<your bundles>/ to $SPLUNK_HOME/etc/

IMPORTANT: Copy these files and directories individually. Do not copy the entire $SPLUNK_HOME/etc.bak directory back to /etc. If you do so, the version number and other information will be incorrect.

Contact support with any questions.

For tar upgrades

1. Create a back up of your /etc directories.

cp -a $SPLUNK_HOME/etc/ $SPLUNK_HOME/etc.bak

Help

Getting Help

Accessing help in SplunkWeb

SplunkWeb has a button labeled Help in its upper right corner. Click this button to pop up a set of help pages.

Accessing help in the command line (CLI)

From the command line on your Splunk Server host, type this command.

/opt/splunk/bin/splunk help 

How can I learn more about Splunk's advanced features?

The best way to explore advanced features is to take the tutorial

You can also explore the command line interface using its inline help. Type $SPLUNK_HOME/bin/splunk help to get started.

I lost my Splunk.com password. What do I do?

Use the recover password feature of the site to have your username and/or password emailed to the address on record.

How do I report problems?

Submit your issue with on our online case submission form or email us at support@splunk.com.

How can I make suggestions?

You can always send an email to our support team at support@splunk.com. Also check out our Live Roadmap where you can vote on upcoming features.

I have some questions that aren't answered here. Where can I get help?

Start with our Documentation.

For help from experienced Splunkers, come to our Forums.

For help -- yes, it's free! -- from the Splunk Support team, submit an online support case (you must be a registered user and log in to use this service). You can also use our IRC support channel. The channel name is #splunk on the EFnet IRC (irc.efnet.org) network.

Splunk customers with an enterprise license get additional premium support options. For full information on our support offerings click here.

Installer options

Reference

File Manifest

A complete inventory of the files and permissions that ship with your Splunk installation can be found in the root directory. For reference the manifest for each platform is available here:

• MacOS X / Intel
• MacOS X / PPC
• FreeBSD x86
• FreeBSD x86_64
• Linux / x86
• Linux / x86_64
• Solaris / x86_64
• Solaris / SPARC
• Solaris / x86

PGP Public Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)

mQGiBEbE21QRBADEMonUxCV2kQ2oxsJTjYXrYCWCtH5/OnmhK5lT2TQaE9QUTs+w
nM3sVInQqwRwBDH2qsHgqjJS0PIE867n+lVuk0gSVzS5SOlYzQjnSrisvyN452MF
2PgetHq8Lb884cPJnxR6xoFTHqOQueKEOXCovz1eVrjrjfpnmWKa/+5X8wCg/CJ7
pT7OXHFN4XOseVQabetEbWcEAIUaazF2i2x9QDJ+6twTAlX2oqAquqtBzJX5qaHn
OyRdBEU2g4ndiE3QAKybuq5f0UM7GXqdllihVUBatqafySfjlTBaMVzd4ttrDRpq
Wya4ppPMIWcnFG2CXf4+HuyTPgj2cry2oMBm2LMfGhxcqM5mpoyHqUiCn7591Ra/
J2/FA/0c2UAUh/eSiOn89I6FhFOicT5RPtRpxMoEM1Di15zJ7EXY+xBVF9rutqhR
5OI9kdHibYTwf4qjOOPOA7237N1by9GiXY/8s+rDWmSNKZB+xAaLyl7cDhYMv7CP
qFTutvE8BxTsF0MgRuzIHfJQE2quuxKJFs9lkSFGuZhvRuwRcrQgS2ltIFdhbGxh
Y2UgPHJlbGVhc2VAc3BsdW5rLmNvbT6IXgQTEQIAHgUCRsTbVAIbAwYLCQgHAwID
FQIDAxYCAQIeAQIXgAAKCRApYLH9ZT+xEhsPAKDimP8sdCr2ecPm8mre/8TK3Bha
pQCg3/xEickiRKKlpKnySUNLR/ZBh3m5Ag0ERsTbbRAIAIdfWiOBeCj8BqrcTXxm
6MMvdEkjdJCr4xmwaQpYmS4JKK/hJFfpyS8XUgHjBz/7zfR8Ipr2CU59Fy4vb5oU
HeOecK9ag5JFdG2i/VWH/vEJAMCkbN/6aWwhHt992PUZC7EHQ5ufRdxGGap8SPZT
iIKY0OrX6Km6usoVWMTYKNm/v7my8dJ2F46YJ7wIBF7arG/voMOg1Cbn7pCwCAtg
jOhgjdPXRJUEzZP3AfLIc3t5iq5n5FYLGAOpT7OIroM5AkgbVLfj+cjKaGD5UZW7
SO0akWhTbVHSCDJoZAGJrvJs5DHcEnCjVy9AJxTNMs9GOwWaixfyQ7jgMNWKHJp+
EyMAAwYH/RLNK0HHVSByPWnS2t5sXedIGAgm0fTHhVUCWQxN3knDIRMdkqDTnDKd
qcqYFsEljazI2kx1ZlWdUGmvU+Zb8FCH90ej8O6jdFLKJaq50/I/oY0+/+DRBZJG
3oKu/CK2NH2VnK1KLzAYnd2wZQAEja4O1CBV0hgutVf/ZxzDUAr/XqPHy5+EYg96
4Xz0PdZiZKOhJ5g4QjhhOL3jQwcBuyFbJADw8+Tsk8RJqZvHfuwPouVU+8F2vLJK
iF2HbKOUJvdH5GfFuk6o5V8nnir7xSrVj4abfP4xA6RVum3HtWoD7t//75gLcW77
kXDR8pmmnddm5VXnAuk+GTPGACj98+eISQQYEQIACQUCRsTbbQIbDAAKCRApYLH9
ZT+xEiVuAJ9INUCilkgXSNu9p27zxTZh1kL04QCg6YfWldq/MWPCwa1PgiHrVJng
p4s=
=Mz6T
-----END PGP PUBLIC KEY BLOCK-----

Installing the key

Copy and paste the key into a file. Install the key using:

rpm --import <filename>