This document last updated: 12/01/08 03:12pm

Print Installation Manual

Read This First

System requirements

Before you download and install the Splunk software, read the following sections for the supported system requirements. If you have ideas or requests for new features to add to future releases, email Splunk Support. Also, you can follow our Product Roadmap.

Check the release notes for details on known and resolved issues, and refer to the download page for the latest version to download.

Caution: Splunk does not provide a direct upgrade path to version 3.2.x from versions earlier than 3.0. You cannot upgrade directly from 2.x to 3.2. If you are upgrading from an earlier version of Splunk, refer to the upgrade and migration instructions for upgrading to 3.0 and upgrade to 3.0 or 3.1 before proceeding.

Host operating system

Linux 2.6+ kernel Linux distributions (x86 and x86_64) and major 2.4+ kernel Linux distributions with NPTL (x86)
Solaris 8, 9 & 10 / Sparc
Solaris 9 & 10 / x86
Mac OS X 10.4+ / x86 and PPC
FreeBSD 6.1 (6.2 for 64-bit versions) or later
AIX 5.2 and 5.3
- AIX 5.4 has not yet been tested by Splunk. If you want to give it a try, please install it on a test server and send us feedback.
Windows 2000 Server (32-bit)
Windows XP Professional (32-bit)
Windows 2003 Server (32-bit)

Note: Splunk is certified to to run on English versions of Windows only. Non-English operating systems are not supported.
Note: Windows registry monitoring is not supported on Windows 2000 due to an issue with a Windows 2000 DLL.

Client operating system / browser (for access to Splunk Web)

AIX, BSD and Linux: Firefox 1.5 or 2.0; Adobe Flash 9 or higher
Mac OS X: Firefox 1.5 or 2.0; Adobe Flash 9 or higher
Windows: Internet Explorer 6 or 7 or Firefox 1.5 or 2.0; Adobe Flash 9 or higher

You can verify your installed version of Flash here

Hardware capacity requirements

Splunk is a high-performance application. If you are performing a comprehensive evaluation of Splunk for production deployment, we recommend that you use hardware typical of your production environment; this hardware should meet or exceed the recommended hardware capacity specifications below.

Important: For all installations, a minimum of 2GB hard disk space is required, including forwarders.
Note: Running Splunk in virtual machine (VM) mode on any platform will degrade performance.

Recommended hardware capacity

Non-Windows platforms:
2x3.4 GHz CPU, 4 GB RAM
Windows platforms:
Multi-core Xeon or equivalent at 3Ghz, 4GB RAM

Minimum supported hardware capacity

Use the minimum supported hardware guidelines for personal use of Splunk. We recommend you use the Splunk desktop application/configuration when using Splunk on desktops or laptops.
Important: These are the minimum requirements for Splunk and apply to all configurations, including indexer and lightweight forwarder instances.

Non-Windows platforms:
1x1.4 GHz CPU, 1 GB RAM
Windows platforms:
Pentium 4 or equivalent at 2Ghz, 2GB RAM

Supported server hardware architectures

32 and 64-bit architectures are supported for some platforms. Splunk is supported on 32-bit Windows platforms only. See the download page page for details.

Supported file systems

Linux - ext2/3, reiser3, XFS
Solaris - UFS, ZFS, VXFS
FreeBSD - FFS, UFS
Mac - HFS
AIX - JFS, JFS2, NFS 3/4
Windows - NTFS, FAT32

Note: Most other file systems are supported. If you run Splunk on a filesystem that is not listed above, Splunk may run a startup utility named locktest. Locktest is a program that tests the start up process. If locktest runs and fails, the filesystem is not suitable for running Splunk.

Note: On FreeBSD, mounting as nullfs is not supported.

Storage and performance notes

For some tools for estimating your index size, refer to this topic on the Splunk Wiki.
For more information on ways to reduce your index density, click here

Step by Step Installation

Step 1: Unpack the software

If you're installing on Windows, go here for Windows-specific installation instructions.

Some platform-specific installers come in both a package form and a tarball. The Linux build comes in three forms: RPM, deb and tarball. The FreeBSD installer and tarball are both .tgz files. 5.4-intel is the installer, i386 is the tarball. The AIX install comes in tarball form only. We plan to release a native install package in a later release.

Follow the instructions for your specific package or tarball.

Note: If you are using any type of package manager, you must install as root. You do not have to install as root if you are using the tarball installation.

Tarball

Note:If you are installing using the tarball, Splunk does not create the Splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually.

Unpack the tarball into an appropriate directory. Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.
If you have a Splunk enterprise license, replace ./etc/splunk.license with your license.
Start the server with the command ./bin/splunk start and follow the instructions.
To configure Splunk to start at boot time, use the ./splunk enable boot-start command. For more information, refer to Configuring Splunk to Start at System Startup.
Open http://<hostname>:8000 in a browser. Your hostname and port may vary.

For AIX 5.3, make sure you are up to date on your service packs. Splunk requires the following service level:

$ oslevel -r
5300-05
$

RPM

Basic install:

rpm -i splunk-2.1-0.i386.rpm

If you like, you can change the default installation directory /opt/splunk:

rpm -i --prefix=/opt/splunk2.1/splunk  splunk-2.1-0.i386.rpm

If you would like to verify the rpm package signature, you can find our PGP public key here.

deb

Basic install:

dpkg -i splunk-2.1-linux-2.6-intel.deb

You can only install the Splunk deb package in the default location, /opt/splunk.

Uninstall:

dpkg -r splunk

Purge (delete everything, even config files):

dpkg -P splunk

Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

FreeBSD

Basic install:

pkg_add splunk-2.1-freebsd-5.4-intel.tgz

If you like, you can change the default installation directory /opt/splunk:

pkg_add -v -p /usr/splunk splunk-2.1-freebsd-5.4-intel.tgz

Uninstall:

pkg_delete splunk

Uninstall from a non-default directory:

pkg_delete -p /usr/splunk splunk

Splunk package info:

pkg_info -L splunk

List all packages:

pkg_info

Other modifications for BSD

You need this in /boot/loader.conf:

kern.maxdsiz=\"2147483648\" # 2GB
kern.dfldsiz=\"2147483648\" # 2GB

You need this in /etc/sysctl.conf:

vm.max_proc_mmap=2147483647
machdep.hlt_cpus=0

Mac OS

Basic install:

Double-click on splunk.pkg

If you like, you can install Splunk somewhere other than the default installation directory, /Applications/splunk:

When the installer gets to the Select Destination dialog, click Choose... to select a directory other than /Applications

Command-line install:

Mount the dmg:

hdid splunk_package_name.dmg

Install on the root volume:

installer -pkg splunk.pkg -target /

Command-line install to a different disk or partition:

installer -pkg splunk.pkg -target /Volumes/LaCie\ Disk

-target specifies a target volume, such as another disk, where Splunk will be installed in /Applications/splunk .
To install into a directory other than /Applications/splunk on any volume, use the graphical installer as described above.

Solaris

Basic install:

pkgadd -d splunk.pkg

If you like, you can install Splunk somewhere other than the default installation directory /opt/splunk:

pkgadd -a none -d splunk.pkg

And then specify the new package base directory when prompted.

Uninstall:

pkgrm splunk

Splunk package info:

pkginfo -l splunk

List all packages:

pkginfo

Step 2: Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information.

Start Splunk on non-Windows platforms

Splunk's command line interface is located in $SPLUNK_HOME/bin/. Navigate to this location and run the following command:

# ./splunk start

Use whatever path you installed under.

Start Splunk on Windows platforms

On Windows, Splunk is installed by default into \Program Files\Splunk

You can start and stop the following Splunk processes via the Windows Services Manager:

Server daemon: splunkd
Web interface: splunkweb

You can also start, stop, and restart both processes at once by going to \Program Files\Splunk\bin and typing
# splunk.exe [start|stop|restart]

Startup options

The first time you start Splunk after a new installation, you are presented with the license agreement and asked to accept the license. You can specify a number of different flags to affect

If you want to bypass these steps, you can start Splunk and accept the license in one step:

 $SPLUNK_HOME start --accept-license

Where $SPLUNK_HOME is where you installed Splunk.

Note: There are two dashes before the accept-license option.

Important: If this is an upgrade to 3.2 or later, you can preview the changes to be made to your configuration files during migration. Refer to the upgrade instructions for more details.

Launch Splunk Web and log in

Access Splunk Web at
http://mysplunkhost:8000
Replace mysplunkhost:8000 with the host and port you specified during the installation.
Use username "admin" and password "changeme" to login to your new Splunk installation for the first time.

Set up one or more data inputs

The first time you browse a new installation, you will see a Guided Setup tool that helps you set up data inputs, licenses, and other configuration options. Alternately, you can configure data inputs from the command line. Below is a typical example.

/opt/splunk/bin/splunk add tail /var/log

Your Splunk Server should show indexed data on its home page immediately after you add a data input. As soon as you see a number greater than "0 events" listed on the server's home page, you're ready to start Splunking!

Step 3: Install or update your license

If you are performing a new installation of Splunk or switching from one license type to another (for example from Free to Enterprise), you must update your license. You can update your license using the CLI or Splunk Web.

If you are installing a new Splunk enterprise license for the first time, you will need to log in with the default administrator account: username admin and password changeme.
Your license is in the email that you received from splunk.com after you signed up for a free trial or purchased Enterprise Splunk.
You must have a separate license for every instance of Enterprise Splunk that you deploy.

Note: These instructions are for Splunk 3.0 and later, for earlier versions, see 2.2.3 instructions.

Via Splunk Web

1. Open the email Splunk sent you containing your license.

2. Select the license text with your mouse and copy it.

3. Start Splunk.

4. Launch a supported browser and go to the URL Splunk displayed in a text file when you started it.
The URL looks like http://<//servername//>:8000. Use the server name and port you specified (port 8000 is the default value).

5. In Splunk Web, click the Admin link in the upper right hand corner.

6. Click Admin -> License & Usage and then click Change license.

7. Paste your new license into the text box and click Save.

8. From the Admin -> Server -> Control tab, restart the Splunk Server.

Via the command line

1. Navigate to the splunk.license file, located in the ./etc/ directory of the Splunk home directory (referred to as $SPLUNK_HOME in this documentation).

2. Copy your new or previous license key file into ./etc/splunk.license beneath your Splunk home directory.

cp -p splunk.license $SPLUNK_HOME/etc/

3. When you've copied the license file, start or restart the Splunk Server.

/$SPLUNK_HOME/bin/splunk restart

Windows installation

This topic provides detailed instructions for installing Splunk on Windows. If you're installing Splunk on another platform, go here.

Splunk is installed by default into \Program Files\Splunk.

Important: Currently, you can only install the Splunk Windows version as the user you are currently logged in as. This user must be a member of local administrator group.

Before you begin, confirm that the machine you're planning to use satisfies the minimum system requirements. Then:

1. Go to the download page at www.splunk.com and download the latest build of the Windows port.

2. When you have the splunk.msi file, double-click it to start the installer.

The Welcome panel is displayed.

3. Click Next to begin the installation.

Note: On each panel, you can click Next to continue, Back to go back a step, or Cancel to close the installer.

The licensing panel is displayed.

4. Read the licensing agreement, select "I accept the terms in the license agreement", and click Next to continue installing.

The Customer information panel is displayed.

5. Enter the requested details and click Next.

The Destination folder panel is displayed.

6. Click Change.. to specify a different location to install Splunk, or click Next to accept the default value.

The Logon information panel is displayed.

Splunk installs and runs two Windows services, splunkd and splunkweb. These services will be installed and run as the user you specify on this panel. You can choose to run Splunk as the local system user, or as a user with additional credentials.

Note: If you install as the local system user, some network resources may not be available to the Splunk application. Contact your systems administrator for advice if you are unsure what user to specify.

7. Select a user type and click Next.

Important: Currently, you can only install the Splunk Windows port as the user you are currently logged in as. This will be resolved in a near-term maintenance release.

If you specified the local system user, proceed to step 9. Otherwise, the Logon information: specify a username and password panel is displayed.

8. Specify a username and password for Splunk to be installed and run as and click Next.

To create a new user for Splunk to use, click New User Information... and specify details.
To use an existing user, enter, or browse for the username and domain details.

The pre-installation summary panel is displayed.

9. Click Install to proceed.

The installer runs and displays the Installation complete panel.

10. Check the boxes to run Splunk and Splunk Web now, and to select which Windows event logs you would like Splunk to index right away, and then click Finish.

Get started with the Splunk Windows port

The installer creates an icon on your desktop and also adds items to the Windows Start menu. You can use these, the command line interface, or the Windows Service Manager to start, stop, and restart Splunk.

Note: If you chose not to index one or more of the Windows event logs by unchecking the box(es) at the end of the installation process, and want to begin indexing later, edit $SPLUNK_HOME/etc/bundles/local/inputs.conf as described in Configure inputs via inputs.conf.

Important: You must use two backslashes \\ to escape wildcards in stanza names in inputs.conf.

Install your Splunk license

Refer to the instructions for installing your license to install or update your Splunk license.

Install Splunk Toolbar

Install Splunk toolbar for Firefox

Splunk toolbar for Firefox is available from the following locations:

Splunk.com toolbar download page
In the following Splunk server directory: $SPLUNK_HOME/share/splunk/extras/splunkbar/

Install from download page

1. On the toolbar download page, click the link for the Firefox toolbar.
You'll see a warning message, stating that Firefox prevented this site from asking you to install software. This is expected behavior.

2. Click Edit Options....

3. In the Allowed Sites dialog, click Allow.

www.splunk.com is listed as a trusted site.

4. Close the dialog box.
Firefox asks you whether you want to install the toolbar.

5. Click Install Now.

If the following dialog box is not displayed, refresh the browser page.

6. Click Restart Firefox to complete installation.
The toolbar is installed and visible below Firefox's address bar, and also in the Firefox Tools > Add-ons menu.

Install from Splunk server

1. In Firefox, click File > Open File....

2. Point the Open File dialog box to: $SPLUNK_HOME/share/splunk/extras/splunkbar/splunktoolbar.xpi .
Firefox asks you whether you want to install the toolbar.

3. Click Install Now.

4. Restart Firefox.
The toolbar is installed and visible below Firefox's address bar, and also in the Firefox Tools > Add-ons menu.

Uninstall Splunk Toolbar

1. Start Firefox.

2. In Firefox, click Tools > Add-ons.
The Splunk Toolbar is one of the items listed.

3. Select it and click Uninstall.

4. Follow the prompts and restart Firefox.

The toolbar is removed from Firefox. You can verify by checking Tools > Add-ons.

Install Splunk toolbar for Internet Explorer (beta)

Note: This software is currently in beta. If you encounter any problems running the software or have any comments on its functionality, contact our support team.

The Splunk toolbar is available from the following locations:

Splunk.com toolbar download page.
In the following Splunk directory: $SPLUNK_HOME/share/splunk/extras/splunkbar/ .

Install from download page

1. On the toolbar download page, click the link for the Internet Explorer toolbar.
If you are using Internet Explorer, you might see a warning message stating that Internet Explorer blocked this site from downloading files. This is expected behavior.

2. Click on the information bar at the top of the page

3. In the drop-down menu, click Download File....

4. Internet Explorer asks you whether you want to save or open the file. Click Run.

5. On the Security warning window, Click Run

6. You may see a warning that you need to install the .NET Framework. Click Yes to continue the .NET installation.
You can also visit the Microsoft .NET site to complete the installation. If you don't see this message, continue to the next step.

7. After installing the .Net framework return to Step 1 and run the toolbar installer again. You shouldn't see the warning message anymore.

8. The toolbar installation wizard is launched. Follow the instructions of the wizard:

The Splunk toolbar is now visible below Internet Explorer's address bar, and also in the View > Toolbars menu

Install from Internet Explorer

1. From Internet Explorer, select File > Open File....

2. Point the Open File dialog box to: $SPLUNK_HOME/share/splunk/extras/splunkbar/SplunkIEToolbarSetup.msi .

3. Internet Explorer asks you whether you want to download the file. Follow the instructions above to install the toolbar.
The Splunk Toolbar is now visible below Internet Explorer's address bar, and also in the View > Toolbars menu.

Uninstall Internet Explorer toolbar

1. From the Start menu, choose Control Panel > Add or Remove programs.

2. From the list of currently installed programs, select Splunk toolbar for Internet Explorer.

3. Follow the prompts.
The toolbar is removed from Internet Explorer. You can verify by checking Internet Explorer's View > Toolbars menu.

Advanced Installation Topics

Configure Splunk before startup

This topic discusses optional configurations you may want to include in your Splunk work environment.

Note: (If you have administrator or root privileges) To save a lot of typing, add the top level directory of your Splunk installation to your shell path. The $SPLUNK_HOME variable refers to the top level directory. Set a SPLUNK_HOME environment variable and add $SPLUNK_HOME/bin to your shell's path. The example below works for bash users who accepted the default installation location. Use the correct syntax and path for your own installation.

# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH

The full path to the Splunk executable is provided in these instructions regardless.

To start at boot time

Splunk provides a utility that updates your system boot configuration so that Splunk starts when the system boots up. This utility creates a suitable init script (or makes a similar configuration change, depending on your OS).

As root, run:

$SPLUNK_HOME/bin/splunk enable boot-start

If you don't start Splunk as root, you can pass in the -user parameter to specify which user to start Splunk as. For example, if Splunk runs as the user bob, then as root you would run:

$SPLUNK_HOME/bin/splunk enable boot-start -user bob

If you want to stop Splunk from running at system startup time, run:

$SPLUNK_HOME/bin/splunk disable boot-start

More information is available in $SPLUNK_HOME/etc/init.d/README and if you type help boot-start from the command line.

To bind to an IP

In Splunk 2.1 and all later versions, you can force Splunk to bind its ports to a specified IP address. To make this a temporary change, set the environment variable SPLUNK_BINDIP=<ipaddress> before starting Splunk.

If you want this to be a permanent change in your working environment, modify $SPLUNK_HOME/etc/splunk-launch.conf to include the SPLUNK_BINDIP attribute and <ipaddress> value. For example, to bind Splunk ports to 127.0.0.1, splunk-launch.conf should read:

# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory this configuration
# file was found in
#
# SPLUNK_HOME=/opt/splunk

SPLUNK_BINDIP=127.0.0.1

This will affect the binding address of all ports opened by splunk and splunkweb, including the http server, and network inputs.

Note: You can also use splunk-launch.conf to define $SPLUNK_HOME and $SPLUNK_DB.

Run Splunk as non-root user

Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure Splunk has the appropriate permissions to:

Read the files and directories it is configured to watch. Some log files and directories may require root or superuser access to be indexed.
Write to Splunk's directory and execute any scripts configured to work with your alerts or scripted input.
Bind to the network ports it is listening on (ports below 1024 are reserved ports that only root can bind to).

Note: Splunk will not accept syslog data over port 514 (the default listening port for UDP). This does not mean that Splunk cannot listen on UDP 514; you can add UDP 514 as a data input.

Instructions

To run Splunk as a non-root user, you need to first install Splunk as root. Then, before you start Splunk for the first time, change the ownership of the splunk directory to the desired user. The following are instructions to install Splunk and run it as a non-root user, splunk.

1. Create the user and group, splunk.
For Linux, Solaris, and FreeBSD:

useradd splunk
groupadd splunk

For Mac OS:
You can use the System Preferences > Accounts panel to add users and groups.

2. As root and using one of the packages (not a tarball), run the installation.
Important: Do not start Splunk yet.

3. Use the chown command to change the ownership of the splunk directory and everything under it to the desired user.

chown -R splunk $SPLUNK_HOME/

Note: $SPLUNK_HOME refers to installation directory of Splunk.

4. Start Splunk.

$SPLUNK_HOME/bin/splunk start

Also, if you want to start Splunk as the splunk user while you are logged in as a different user, you can use the sudo command:

sudo -H -u splunk $SPLUNK_HOME/bin/splunk start

This example command assumes:

If Splunk is installed in an alternate location, update the path in the command accordingly.
Your system may not have sudo installed. If this is the case, you can use su.
If you are installing using a tarball and want Splunk to run as a particular user (such as splunk), you must create that user manually.
The splunk user will need access tp /dev/urandom to generate the certs for the product.

Solaris 10 privileges

When installing on Solaris 10 as the splunk user, you must set additional privileges to start splunkd and bind to reserved ports.

To start splunkd as the splunk user on Solaris 10, run:

# usermod -K defaultpriv=basic,net_privaddr,proc_exec,proc_fork splunk

To allow the splunk user to bind to reserved ports on Solaris 10, run (as root):

# usermod -K defaultpriv=basic,net_privaddr splunk

Configure SELinux

If you have SELinux active on your system, you must add Splunk to the list of authenticated applications that can run in your SELinux environment.

To configure SELinux to allow Splunk to run, you need to run the
chcon command on the Splunk lib directory. Here is what you type :

chcon -c -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib 2>&1 > /dev/null

You must also disable the check when Splunk starts by adding this line
to $SPLUNK_HOME/etc/splunk-launch.conf.

SPLUNK_IGNORE_SELINUX=1

License management

All Splunk servers require a license; Splunk provides two types of licenses, a Free license and an Enterprise license. Splunk ships with a Free license.

The first time you download Splunk, you are asked to register. Your registration authorizes you to receive the Free license, which allows a maximum indexing volume of 500 MB/day. The Free license is not a trial license and does not expire.

The Enterprise license enables higher data indexing volume and the following additional features:

Multiple user accounts and access controls.
Distributed search and data routing.
Deployment management.

To evaluate Enterprise features before purchasing, you can request a 30-day trial Enterprise license.

Important: You cannot use the same Enterprise license on multiple servers. Each instance of Splunk (including forwarders) must have its own unique license, whether a Free license or an Enterprise license. The only exception to this is the 1 MB/day forward-only license that can be installed on multiple forwarding instances. For more information, read About Splunk licenses.

Access your license

All Splunk servers have a license located in $SPLUNK_HOME/etc/, whether it is a Free license (splunk-free.license) or an Enterprise license (splunk.license).

Example of a Splunk license

user@company.com;EQ/GQXW/J7u9VLJShPsW4m8yi+5a+geRrof4Bep70j32xsBpq
JItM5pdntRfl4auply366BAjTMnfTB6JyzJOZLplyBQijk02fQjgKjakl0ol4N5G6Wr
09ufnSe3iOXVAay24hzFfgDkaijOnkoGOPJqnHaVzaWC9dxIuKUvDPt3UcKTkDv0Gka
Q4EZxAvZKAFImvOF4PmDoNaMiBgLLkWibGhezFTTDh10PLl9kyeVThGzAyN23J512pVM
3xqNIg3pFcd2aJf31xspt1HRdSwofkfnuCVpzildy3qMbae4g85KpCfND+aJ6z2LoUu3
RQ4OV4SpxMXEZ4PgSGZ6dwA==

Where is your new license?

When you request a new license, you should receive the license in an email from Splunk. You can also access that new license in your splunk.com My Orders page. To install a new license (or change and update your existing license), replace your existing license with the new license.

You can install and update your licenses from Splunk Web's Admin > License & Usage page or with the CLI.

Note: These instructions are for Splunk 3.0 and later, for earlier versions, see 2.2.3 instructions.

Install via Splunk Web

To install or update your license using Splunk Web:

1. Start Splunk and open Splunk Web in a supported browser.

2. On the upper righthand corner of any of the dashboards, click Admin.

3. Click License & Usage.
The Admin > License & Usage page displays your license level, peak usage and license violations.

4. Click Change License.
The License & Usage: Change License page opens and displays your existing license key or splunk.license file.

5. Copy your new license key and paste (overwrite) the existing license.

6. Click Save.

7. Restart your Splunk server to apply your new license.
Note: You can restart your server from Splunk Web. On the Admin > Server: Control Server page, click Restart Now.

Install via CLI

To install or update your license using the CLI:

1. Create a new file named splunk.license.

2. Copy your new license key and paste it into splunk.license.

3. Move your license file, splunk.license, into the $SPLUNK_HOME/etc/ directory:

mv splunk.license $SPLUNK_HOME/etc/

Note: If a splunk.license file already exists in this directory, mv will overwrite it without prompting for confirmation of the action. This does not overwrite the Free license, splunk-free.license. However, by default Splunk ignore the Free license file if splunk.license exists.

4. Restart your Splunk server to apply your new license:

$SPLUNK_HOME/bin/splunk restart

First login after applying new trial/Enterprise license

To log in for the first time after applying an Enterprise license (converting from free), use the default username "admin" with the password "changeme". If you later clean (reset) your user data, your username/password is reset to this default.

License violations

Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have more than 7 violations in a rolling 30-day period, search will be disabled. Search capabilities return when you have less than 7 violations in the previous 30 days or when you apply a new license with a larger volume limit.

Note: During a license violation period, Splunk does not stop indexing your data. Splunk only blocks access while you exceed your license.

If you have other issues with your license, refer to the Admin Manual for troubleshooting tips.

Uninstall Splunk manually

This topic discusses how to remove installed components of Splunk if you can't use package management commands.

Note: These will not remove any init scripts that have been created.

1. Stop Splunk.

$SPLUNK_HOME/bin/splunk stop

2. Find and kill any lingering processes that contain "splunk" in its name.
For Linux and Solaris:

kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`

For FreeBSD and Mac OS

kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`

3. Remove the Splunk installation directory, $SPLUNK_HOME.

rm -rf /opt/splunk

3. Remove any Splunk datastore or indexes outside the top-level directory, if they exist.

rm -rf /opt/splunkdata

4. Delete the splunk user and group, if they exist.
For Linux, Solaris, and FreeBSD:

userdel splunk
groupdel splunk

For Mac OS:
You can use the System Preferences > Accounts panel to manage users and groups.

Upgrade Instructions

Upgrade and migrate to 3.2

You can upgrade and migrate directly to Splunk 3.2 from versions 3.0 and later. If you are currently running a version of Splunk that is older than 3.0, refer to this documentation for options.

When you upgrade to 3.2, your configuration files will be updated and changed to support the new functionality in 3.2. You can run the migration preview utility to see what will be changed before you actually upgrade and migrate.

Important: Before you perform the upgrade:

Review these migration considerations.
Back up your files.

1. Execute the $SPLUNK_HOME/bin/splunk stop command.

2. To upgrade and migrate from version 3.0 and later, install the Splunk 3.2 package over your existing Splunk deployment.

If you are using a TAR file, expand it into the same directory as your existing Splunk instance. This overwrites and replaces matching files but does not remove unique files.

If you are using a package manager, such as an RPM:

rpm -U splunk_package_name.rpm

3. Execute the $SPLUNK_HOME/bin/splunk start command.
The following output is displayed:

This appears to be an upgrade of Splunk.

--------------------------------------------------------------------------------

Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk\'s installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.

You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:

If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose \'y\'.
If you want to see what changes will be made before you proceed with the
upgrade, choose \'n\'.

Perform migration and upgrade without previewing configuration changes? [y/n]

4. You're given the choice of running the migration preview script to see what changes will be made to your existing configuration files, or proceeding with the migration and upgrade right away.

5. If you choose to view the expected changes, the script provides a list.

6. Once you've reviewed these changes and are ready to proceed with migration and upgrade, run $SPLUNK_HOME/bin/splunk start again.

Note: You can complete Steps 3 to 5 in one line:

To accept the license and view the expected changes (answer 'n') before continuing the upgrade:

$SPLUNK_HOME/bin/splunk start --accept-license --answer-no

To accept the license and begin the upgrade without viewing the changes (answer 'y'):

$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes

Upgrade Splunk on Windows

Important: Before you upgrade:

Review these migration considerations.
Back up your files.
Stop Splunk either using the Windows Start menu option or by executing the $SPLUNK_HOME/bin/splunk stop command.
Be aware that you cannot change the user Splunk runs as during an upgrade. Do not change the user from the Windows Service Control panel; Splunk will stop working. If you must change the user, you must uninstall and reinstall Splunk.

1. Download the new MSI file from the Splunk download page.

2. Double-click the MSI file.
The Welcome panel is displayed. Follow the onscreen instructions to upgrade Splunk.
For information about each panel, refer to the installation instructions.
When you reach the Install step, you have the option to preview changes that will be made for this upgrade.

3. Preview your upgrade and migration if desired.

When you upgrade, your configuration files are updated and changed to support the new functionality. You can run the migration preview utility to see what will be changed before you actually upgrade and migrate. When you do this, a file containing the changes that the script proposes to make is written to $SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>

The following text is displayed:

This appears to be an upgrade of Splunk.

--------------------------------------------------------------------------------

Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk\'s installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.

You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:

If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose \'y\'.
If you want to see what changes will be made before you proceed with the
upgrade, choose \'n\'. 

Perform migration and upgrade without previewing configuration changes? [y/n]

Note for upgrading to 3.3.2 and later If you have made manual changes to the $SPLUNK_HOME/etc/system/local/inputs.conf file, make a backup copy of this file to compare the full migration changes, including any changes to Windows-specific type data inputs, after the process is complete. Some global settings (like "host = foohost") may not be preserved. See the known issues for version 3.3.2 for details.

4. You're given the choice of running the migration preview script to see what changes will be made to your existing configuration files, or proceeding with the migration and upgrade right away.

5. If you choose to view the expected changes (select N), the script provides a list.
You can scroll up to review the changes or look at them in $SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>. At the end of the list, you will see an error message, which you can ignore.

6. Press Enter to return to step 3 and finish your upgrade by typing Y.

Start Splunk

On Windows, Splunk is installed by default into \Program Files\Splunk

You can start and stop the following Splunk processes via the Windows Services Manager:

Server daemon: splunkd
Web interface: splunkweb

You can also start, stop, and restart both processes at once by going to \Program Files\Splunk\bin and typing

#  splunk.exe [start|stop|restart]

Note: If you do not select Start Splunk Services now, they will be set to manual startup and therefore will not start after a reboot. You must start them from the Windows Service Manager MMC, and optionally configure auto-start if you want them to start automatically at boot time.

Important: After upgrading, Splunk may start reading some files incorrectly as binaries. You can override this behavior in props.conf by adding NO_BINARY_CHECK = true to the source or sourcetype stanza.

Migration considerations

This topic discusses various issues and considerations you should review before upgrading to Splunk 3.2.
You should also review the Known Issues for additional information before you upgrade.

Scripts in /splunk/bin are not saved

If you have configured an alert to call a script, that script resides in $SPLUNK_HOME/bin/scripts. Make a backup of these scripts and reinstate them after the upgrade.

Saved searches

Be aware of the following regarding saved searches:

If the search contains fixed scheduling, and actually takes longer to run than the interval allows, the search will not work.
If your search contains foo=bar and you have an indexed field configured from previous versions as foo::bar, your search will fail if bar isn't anywhere in the raw data of an event. Make saved searches that fail for this reason work by either:
- adding or changing INDEXED = True or INDEXED_VALUE = False in the stanza for foo in fields.conf.
- changing your search in the search bar by replacing foo=bar with foo::bar.
Metadata commands like | admin or | metaevents are not supported, and will generate a warning.

Changes to indexes.conf

If you have made changes to the default values in indexes.conf, the configuration will not migrate. Make a backup of your changes and re-add them post-upgrade.

Must upgrade all instances of Splunk in a distributed environment

As mentioned in the Known Issues, you must upgrade all members of your distributed cluster to the same version.

Instances of Splunk deployment server must match clients

As mentioned in the Known Issues, if you are running Splunk's deployment server, you must upgrade the deployment server and all its clients to the same version. Splunk recommends that you upgrade your Splunk deployment server first, before you migrate your other Splunk instances.

If you are unable to migrate all clients at one time, you can set up two deployment servers, one for your new 3.2.x clients, and one for your 3.1.x clients. This way, you can move each client over to communicate with the 3.2.x deployment server as you are able to upgrade it.

Help

Getting Help

The most in-depth documentation for Splunk is within the set of manuals you're currently reviewing. However, you can also get help within Splunk Web and the command line interface.

Accessing help in Splunk Web

Click Help in Splunk Web to launch a set of help pages.

Accessing help in the command line (CLI)

From the command line on your Splunk Server host, type:

$SPLUNK_HOME/bin/splunk help

How can I learn more about Splunk's advanced features?

The best way to explore advanced features is to take the tutorial

You can also explore the command line interface using its inline help. To get started, type:

$SPLUNK_HOME/bin/splunk help

I lost my Splunk.com password. What do I do?

Use the recover password feature of the site to have your username and/or password emailed to the address on record.

How do I report problems?

Submit your issue with on our online case submission form or email us at support@splunk.com.

How can I make suggestions?

You can always send an email to our support team at support@splunk.com. Also check out our Live Roadmap where you can vote on upcoming features.

I have some questions that aren't answered here. Where can I get help?

Start with our Documentation.

For help from experienced Splunkers, come to our Wiki and check out what other people have done with their Splunk deployments.

For help -- yes, it's free! -- from the Splunk Support team, submit an online support case (you must be a registered user and log in to use this service). You can also use our IRC support channel. The channel name is #splunk on the EFnet IRC (irc.efnet.org) network.

Splunk customers with an enterprise license have additional premium support options. For full information on our support offerings, click here.

Reference

File Manifest

A complete inventory of the files and permissions that ship with your Splunk installation can be found in the root directory. For reference the manifest for each platform is available here:

PGP Public Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)

mQGiBEbE21QRBADEMonUxCV2kQ2oxsJTjYXrYCWCtH5/OnmhK5lT2TQaE9QUTs+w
nM3sVInQqwRwBDH2qsHgqjJS0PIE867n+lVuk0gSVzS5SOlYzQjnSrisvyN452MF
2PgetHq8Lb884cPJnxR6xoFTHqOQueKEOXCovz1eVrjrjfpnmWKa/+5X8wCg/CJ7
pT7OXHFN4XOseVQabetEbWcEAIUaazF2i2x9QDJ+6twTAlX2oqAquqtBzJX5qaHn
OyRdBEU2g4ndiE3QAKybuq5f0UM7GXqdllihVUBatqafySfjlTBaMVzd4ttrDRpq
Wya4ppPMIWcnFG2CXf4+HuyTPgj2cry2oMBm2LMfGhxcqM5mpoyHqUiCn7591Ra/
J2/FA/0c2UAUh/eSiOn89I6FhFOicT5RPtRpxMoEM1Di15zJ7EXY+xBVF9rutqhR
5OI9kdHibYTwf4qjOOPOA7237N1by9GiXY/8s+rDWmSNKZB+xAaLyl7cDhYMv7CP
qFTutvE8BxTsF0MgRuzIHfJQE2quuxKJFs9lkSFGuZhvRuwRcrQgS2ltIFdhbGxh
Y2UgPHJlbGVhc2VAc3BsdW5rLmNvbT6IXgQTEQIAHgUCRsTbVAIbAwYLCQgHAwID
FQIDAxYCAQIeAQIXgAAKCRApYLH9ZT+xEhsPAKDimP8sdCr2ecPm8mre/8TK3Bha
pQCg3/xEickiRKKlpKnySUNLR/ZBh3m5Ag0ERsTbbRAIAIdfWiOBeCj8BqrcTXxm
6MMvdEkjdJCr4xmwaQpYmS4JKK/hJFfpyS8XUgHjBz/7zfR8Ipr2CU59Fy4vb5oU
HeOecK9ag5JFdG2i/VWH/vEJAMCkbN/6aWwhHt992PUZC7EHQ5ufRdxGGap8SPZT
iIKY0OrX6Km6usoVWMTYKNm/v7my8dJ2F46YJ7wIBF7arG/voMOg1Cbn7pCwCAtg
jOhgjdPXRJUEzZP3AfLIc3t5iq5n5FYLGAOpT7OIroM5AkgbVLfj+cjKaGD5UZW7
SO0akWhTbVHSCDJoZAGJrvJs5DHcEnCjVy9AJxTNMs9GOwWaixfyQ7jgMNWKHJp+
EyMAAwYH/RLNK0HHVSByPWnS2t5sXedIGAgm0fTHhVUCWQxN3knDIRMdkqDTnDKd
qcqYFsEljazI2kx1ZlWdUGmvU+Zb8FCH90ej8O6jdFLKJaq50/I/oY0+/+DRBZJG
3oKu/CK2NH2VnK1KLzAYnd2wZQAEja4O1CBV0hgutVf/ZxzDUAr/XqPHy5+EYg96
4Xz0PdZiZKOhJ5g4QjhhOL3jQwcBuyFbJADw8+Tsk8RJqZvHfuwPouVU+8F2vLJK
iF2HbKOUJvdH5GfFuk6o5V8nnir7xSrVj4abfP4xA6RVum3HtWoD7t//75gLcW77
kXDR8pmmnddm5VXnAuk+GTPGACj98+eISQQYEQIACQUCRsTbbQIbDAAKCRApYLH9
ZT+xEiVuAJ9INUCilkgXSNu9p27zxTZh1kL04QCg6YfWldq/MWPCwa1PgiHrVJng
p4s=
=Mz6T
-----END PGP PUBLIC KEY BLOCK-----

Installing the key

Copy and paste the key into a file. Install the key using:

rpm --import <filename>