This document last updated: 12/23/08 08:12am

General Information

What Is Splunk?

Splunk is the IT Search engine. It enables you to search and navigate all your logs and IT data in real time. It indexes logs and other data from any application, server or network so you can search and navigate them in real time.

Is Splunk a service, appliance or software?

Splunk is software that runs inside your corporate datacenter on your hardware and operating system of choice. It can optionally work with SplunkBase, which is a global troubleshooting wiki that we host.

What problem does Splunk software solve?

Splunk improves the availability of applications, servers, networks and email while reducing operational cost and meeting compliance objectives.

Who uses Splunk?

Everyone who looks at IT data manually today, from help desk to systems administrators to developers - in fact, most IT staff. Also, support, compliance and business users who escalate requests to look at information in logs to IT today can often use Splunk to become self-sufficient.

How is Splunk used most often?

Splunk is used for availability, security, compliance and business intelligence.

What is the ROI for deploying Splunk? Why should I use it?

Splunk delivers rapid ROI in four areas: availability, security, cost and compliance.

It enables extreme availability by slashing incident response times and enabling admins to see problems before failures occur.

It improves security by making it easier and faster to detect and investigate security issues.

It meets compliance requirements by providing user and activity tracking, change and policy control, and log data archiving and reporting.

It reduces operational costs by cutting the time spent for routine investigations, reducing the number of incidents by tracing true root cause the first time, and avoiding group analysis.

When is your next release?

We publish our roadmap online. You can vote on the features you most want to see.

Is Splunk open source?

Splunk is not open source, but we do offer a free license. We also publish developer APIs and sponsor SplunkBase, where the IT community is building rich content on troubleshooting topics under the creative commons license.

Company Background

When was the company founded? When was the product released?

Splunk was founded in 2003 and released its first product in 2005.

Who are your investors? How much money have you raised?

Splunk's investors include Ignition Partners, August Capital, Sevin Rosen Funds and JK&B Capital, four world-class venture capital firms. Splunk has raised $40 million in three rounds of funding, with a $25 million Series C completed in September 2007.

How Splunk Works

Installation

How long does it take to install Splunk?

Splunk installs in minutes using standard rpm, pkg, dmg, deb and other installers. It doesn't require any external packages and installs cleanly into its own directory. Setting up live data inputs is easy via either the Splunk Web or commandline interfaces.

What is Splunk's impact on production systems, applications and networks? What is its memory footprint?

Splunk doesn't have to be deployed on production systems if there is existing network logging such as via syslog. If you do choose to install Splunk on production servers to locally read logfiles, the CPU and network footprint is the same as if you were tailing the same files and piping the output to netcat. The Splunk Server's memory footprint for just tailing files and forwarding them over the network is less than 30 MB of resident memory.

Does Splunk perform better with multiple CPUs or multiple Cores?

We expect Splunk to perform better with more cores than with more separate CPUs, because cores on the same processor share cache; memory that two threads both use is therefore closer to both of them.

Which platforms does Splunk run on?

Splunk should work on any Linux distro with a version 2.4+ kernel (x86) as well as FreeBSD/x86, Solaris (Sparc and x86) and Mac OS X (PPC and Intel). But Splunk can process data from any networked device with any operating system, not just from servers running Splunk. See the main documentation for a complete list of system requirements.

Does Splunk need agents?

No. Splunk can process and index any format of log data without special adapters to interpret each format. It can access data remotely via syslog, SNMP, or by watching files mirrored via rsync or rotated to a central log host with scp or ftp. You can choose to deploy Splunk to access logfiles in real time on production hosts if you have datasources that don't support remote logging, but this is the same Splunk software package and not a special agent.

Accessing data

What kind of data does Splunk support? Does Splunk support (name of product/log format here)?

Splunk universally supports all kinds of IT data in any format from any device or application. There is no functionality that requires special parsers or adapters for particular data formats. This universal data support depends on powerful algorithms that can learn how to process new sources automatically.

Does Splunk integrate with any products?

Splunk does not require integration to handle data from particular products. We do have numerous integration features including a browser toolbar, scripted alerts and a REST API for search that allows for seamless user interface and alerting workflow integrations. Our professional services team can also deliver integration services and has helped customers integrate with products such as Tivoli, Netcool, HP Openview, BMC Patrol and Nagios.

Can Splunk access data on Windows? How?

Starting with version 3.2, Splunk supports installation on the majority of Windows operating systems currently deployed today, with all of the great Splunk features offered on other platforms. This includes native support for Windows event logs. Refer to the Windows installation instructions to get started.

Can Splunk access data on mainframes? How?

Yes. Mainframe logs can be routinely scp'd or ftp'd (depending on the specific mainframe) to a server running Splunk. Once there, they can be accessed like any other kind of data, as Splunk does not depend on adapters for specific log formats.

How does Splunk access data sources?

Splunk can read data in real-time from logfiles, FIFO queues, network ports, or databases. Splunk can be installed across hundreds of production hosts and forward to one or more central Splunk servers for real-time distributed data access. Read the Admin Manual for more information.

Can Splunk send alerts?

Yes, you can schedule any search and establish rules to alert via email, RSS or by triggering a shell script.

Can I generate reports with Splunk?

Yes, you can summarize the results of any search using either Splunk's built-in statistical operators such as stats, sort and top, or using full SQL select statements. However, instead of reporting on data stored in a structured schema in a relational database, Splunk's reports run on fields that are dynamically extracted at search time, so it is flexible enough to be trained to recognize new fields without re-indexing the data.

Reports can be charted in many different formats, exported to csv, added to dashboards and scheduled for delivery in email.

Does Splunk support compliance?

Yes, Splunk supports compliance mandates that require you to collect and retain log data and generate alerts and reports on particular kinds of log events. It also helps meet compliance mandates that restrict access to production machines, as Splunk can provide developers and others the access they need to production logfiles without giving them access to the production machines themselves. Many of Splunk's customers use it to satisfy compliance mandates from PCI to SOX.

Does Splunk collect data securely and protect data integrity?

Yes. Splunk accesses data remotely in real time and can use encrypted network connections, so that data is not subject to tampering on a compromised host. Splunk's interface provides auditable, read-only access to the data via a web or commandline interface with user access controls.

How does Splunk deal with logs from different time zones?

Splunk can normalize timestamps based on per-host time offsets that you supply in a configuration file. It also reads and uses timezones in timestamps it finds in log events, if they are present. It normalizes all timestamps to the timezone of the host where the Splunk Server is indexing its data.

What if my logs don't have timestamps?

Splunk makes every effort to find a timestamp in the logfile. If some events lack timestamps, it uses the timestamp last seen until it encounters a new timestamp. If there are no timestamps whatsoever, Splunk assumes that you're accessing data in real time and uses the current time as the timestamp. You can configure Splunk to read the date from the filename as well.
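A small model of the timestamp rules described in the two answers above (per-host offsets, carrying the last seen timestamp forward, and falling back to the current time), added here as an example for this FAQ and not Splunk's own code; the offset table, the sample lines and the choice of UTC as the indexing host's zone are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample file: syslog-like lines, two of which carry no timestamp.
SAMPLE_LINES = [
    "2008-12-23 08:12:01 sshd[412]: Accepted publickey for alice from 10.0.0.5",
    "    continuation line with no timestamp",
    "2008-12-23 08:12:05 sshd[412]: pam_unix: session opened for user alice",
    "trailing line with no timestamp",
]

# Hypothetical stand-in for the per-host offset configuration the FAQ mentions:
# hours the named host's clock is offset from UTC (assumption, not Splunk's format).
HOST_OFFSET_HOURS = {"web01": -8, "db01": +1}

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def assign_timestamps(lines, host, now_iso=None, offsets=HOST_OFFSET_HOURS,
                      index_tz=timezone.utc):
    """Return one (line, timestamp_iso, origin) tuple per input line.

    origin is "parsed"  (timestamp found on the line, normalized to index_tz),
              "carried" (no timestamp; the last seen timestamp is reused), or
              "current" (nothing to carry; wall clock used, as for live data).
    index_tz models the indexing host's time zone; UTC is an assumption here.
    """
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc))
    host_tz = timezone(timedelta(hours=offsets.get(host, 0)))
    last_seen = None
    out = []
    for line in lines:
        m = TS_RE.match(line)
        if m:
            naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            # Interpret the log's clock with the host's offset, then normalize.
            last_seen = naive.replace(tzinfo=host_tz).astimezone(index_tz)
            out.append((line, last_seen.isoformat(), "parsed"))
        elif last_seen is not None:
            out.append((line, last_seen.isoformat(), "carried"))
        else:
            # A file with no timestamps at all (or lines before the first one,
            # a choice made by this model) is treated as arriving in real time.
            out.append((line, now.astimezone(index_tz).isoformat(), "current"))
    return out


def origins(lines, host, now_iso=None):
    """Convenience view: just the origin label per line."""
    return [o for _, _, o in assign_timestamps(lines, host, now_iso)]


if __name__ == "__main__":
    for line, ts, origin in assign_timestamps(SAMPLE_LINES, "web01"):
        print(f"{ts}  {origin:8s}  {line.strip()}")
```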

What are the differences between user levels (User, Power User, Admin) in Splunk when running with an enterprise license?

A basic User can search for data, create personal Saved Searches and Alerts, and edit his or her own account info. A Power User can tag event types, edit source types, and create shared Saved Searches that appear on all users' menus. An Admin can also add, edit or delete other users' accounts, configure data inputs, configure server settings, and set up data forwarding, receiving, and cloning.

What language is Splunk written in?

Splunk is a high performance, distributed software server written in C/C++ and Python. The core data processing, indexing and search uses C/C++ for maximum performance.

Data Management

Does Splunk store copies of my log data?

Yes. Splunk stores a compressed copy of the log data along with its index. Once Splunk has accessed a piece of data, it does not matter if you rotate out your logfiles or destroy the original data in any other way.

How does Splunk store its data? Does it use a relational database? What database does it use?

Splunk stores its data using its own highly efficient search index. It is a technology that is closer to that of most search engines than SQL relational databases. It's impossible to get Splunk's instantaneous search results on anything in the original data with a relational database, which can only index a few columns. Also, the search index approach is far more flexible to work with any kind of data without adapters or parsers.

How is the index structured?

Splunk has a concept of hot, warm, cold and frozen 'slices' or 'buckets' of data. A slice is considered hot if Splunk is actively writing to and reading from it. This slice is the $SPLUNK_HOME/var/lib/splunk/defaultdb/db/hot-db/ directory. As the hot slice approaches a set (configurable) limit, it is rolled to a warm slice.

Warm slices can be written to but usually aren't. They have the directory structure db_timestamp1_timestamp2_sequence_number and are located in $SPLUNK_HOME/var/lib/splunk/defaultdb/db/. Timestamp1 is the oldest event in that slice and timestamp2 is the newest event in the slice. The sequence number is the order in which the slices were generated.

Depending on how many warm slices you have (again configurable), data is then moved into the colddb ($SPLUNK_HOME/var/lib/splunk/defaultdb/colddb). In the colddb no new events are indexed; they are only searchable.

From here, depending on your configuration, data is moved out of the index completely. Events are moved out depending on date (age) or total index size. You have the option of saving the data in a frozen state (not searchable or writable) before it is removed from the index. If this data ever needs to be searched, you can drop the db_*_*_* directories into the $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb directory.

Does Splunk compress the data it stores?

Yes. Splunk compresses the original data within its datastore, then adds its indexes and metadata.

What are Splunk's storage requirements?

With default processing Splunk uses about 40% of the uncompressed raw log volume for standard syslog data and up to 100% for many other common log formats. Some data sources and configurations (such as heavy use of meta-events) may cause Splunk to use more, while lowering the density of indexing can reduce utilization to as little as 12%. In general, Splunk offers the highest search performance at the lowest storage cost relative to any other technology for log data retention.

How much data can Splunk store online? How long can Splunk keep data online?

As much as you want. You control how much data Splunk stores online by means of setting its data retirement policy. Splunk's search performance when looking across a day of data is the same whether the data store contains a day or years of data.

Can Splunk automatically retire older data? How do I avoid running out of disk space?

Yes, Splunk has settings to retire the oldest data based on age and disk usage. It also has a setting for the minimum disk space to keep free. Read the Admin Manual for more information.
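A worked model of the bucket layout from "How is the index structured?" together with the age-based retirement described here: it parses db_timestamp1_timestamp2_sequence_number directory names, picks the slices a time-bounded search would touch, and plans which warm slices roll to cold and which cold slices freeze. This is an added example for this FAQ, not Splunk's own code; the directory listing is constructed, the timestamps are assumed to be epoch seconds, and which bucket timestamp an age policy compares against is an assumption.

```python
import re

# Constructed listing of one index under $SPLUNK_HOME/var/lib/splunk/, laid out
# as the FAQ describes (db/hot-db, db/, colddb/, thaweddb/). Sample data only.
SAMPLE_LISTING = [
    "defaultdb/db/hot-db",
    "defaultdb/db/db_1229990400_1229904000_3",
    "defaultdb/db/db_1229904000_1229817600_2",
    "defaultdb/colddb/db_1229817600_1229731200_1",
    "defaultdb/colddb/db_1229731200_1229644800_0",
    "defaultdb/thaweddb/db_1225000000_1224900000_9",
]

BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")
TIER_BY_DIR = {"db": "warm", "colddb": "cold", "thaweddb": "thawed"}


def parse_listing(paths):
    """Return one dict per bucket: tier, path, oldest, newest (epoch s), seq."""
    buckets = []
    for p in paths:
        parts = p.split("/")
        name = parts[-1]
        if name == "hot-db":
            buckets.append({"tier": "hot", "path": p, "oldest": None,
                            "newest": None, "seq": None})
            continue
        m = BUCKET_RE.match(name)
        if not m or parts[-2] not in TIER_BY_DIR:
            continue  # not a bucket directory; ignore
        t1, t2, seq = (int(x) for x in m.groups())
        # The two timestamps bound the slice's events; take min/max so the
        # naming order does not matter.
        buckets.append({"tier": TIER_BY_DIR[parts[-2]], "path": p,
                        "oldest": min(t1, t2), "newest": max(t1, t2), "seq": seq})
    return buckets


def searchable_buckets(buckets, start, end):
    """Buckets whose span overlaps [start, end]; the hot slice is always read.
    Thawed buckets count too, which is the point of thaweddb."""
    return [b for b in buckets
            if b["tier"] == "hot" or (b["oldest"] <= end and b["newest"] >= start)]


def plan_retirement(buckets, now, max_age_days, max_warm):
    """Model the two policies the FAQ names.

    - Warm slices beyond max_warm roll to cold, oldest generation first
      (lower sequence number = generated earlier).
    - Cold slices whose newest event is older than max_age_days are frozen.
      Comparing against the newest event (so a slice freezes only when every
      event in it is past the cutoff) is an assumption of this model."""
    warm = sorted((b for b in buckets if b["tier"] == "warm"), key=lambda b: b["seq"])
    excess = max(0, len(warm) - max_warm)
    cutoff = now - max_age_days * 86400
    return {
        "roll_to_cold": [b["path"] for b in warm[:excess]],
        "freeze": [b["path"] for b in buckets
                   if b["tier"] == "cold" and b["newest"] < cutoff],
    }


if __name__ == "__main__":
    b = parse_listing(SAMPLE_LISTING)
    for x in searchable_buckets(b, 1229820000, 1229830000):
        print("search touches:", x["path"])
    print(plan_retirement(b, now=1229990400, max_age_days=2, max_warm=1))
```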

Splunk's stopped indexing my data. Is that because I exceeded my license limit?

No. Splunk never stops indexing data because of license violations. It only blocks search if there are repeat violations. If your Splunk server has stopped indexing, there is another explanation. Contact support@splunk.com for help.

How scalable is Splunk? How does Splunk scale?

Splunk's software architecture is designed to be extremely scalable. It can be deployed in minutes to index a few hundred megabytes a day on a server shared with other applications like monitoring, or it can be deployed across dozens of dedicated indexing servers and thousands of source hosts to index terabytes a day in real time.

How dense is the index?

That depends on how much segmentation is done on the data. For example, if we segment 1.2.3.4 on the period (.) we would have to store 1, 1.2, 1.2.3 and so on in the index, which would bloat the index a lot. All of this is configurable (however, changing the default is not recommended). See http://www.splunk.com/doc/2.2.6/admin/adminreducedensity for details.

Search

What search technology underlies Splunk? Lucene?

Splunk has developed its own search technology specifically designed for the unique problem of indexing IT data in real-time. Splunk's R&D team includes some of the world's foremost search engine architects and they've spent years solving problems that are unique to this class of data.

Does Splunk do correlation?

Yes, Splunk has many features that correlate data. Splunk automatically classifies datasources and events, so that you can search for all occurrences of the same type of events over time, and alert based on seeing more than a certain threshold of a like set of events. It also automatically finds relationships based on values in the events, such as shared usernames and thread ids. You can correlate data on an ad hoc basis by navigating events sharing IP addresses, user names and other values just by pointing and clicking. It provides robust alerting. Splunk 3.0's expanded search language lets you perform complex correlation within a single search, such as finding all IP addresses with more than 10 firewall denies that also have accepts.

Licensing

What are the differences between the free and enterprise licenses?

Splunk will run with a free license which allows you to index up to 500 MB/day, or you can buy an enterprise license to get higher data volumes, additional features, and support. You can also register for a free 30-day trial enterprise license. Best of all there's just one download and just one software package - just drop in an enterprise license to enable the enterprise features!

For a complete breakdown of the differences click here.

What happens when my trial license expires?

Splunk will continue to index data but search will be blocked until you plug in a new license.

Does indexing stop if I reach the limit of my license?

No. Splunk will always index the data. If you exceed your license limit a violation will be recorded.

What happens when I exceed my license limit?

Splunk allows up to a set number of violation days in a rolling 30-day period, since we know that sometimes you'll have an unpredictable one-time spike. For 3.0 and later the limit is 7 violations in the 30-day period. If you exceed the limit more than the allowed number of days, searches will be blocked. You will see warnings starting with the first violation before then, and then the notice that searches are blocked. The violation banner will persist for 7 days from the last violation. In any case, indexing will continue since we don't want you to lose data. You can start searching again as soon as a full day passes that stays within the allowed volume, or you enter a new license.
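The violation rules above, worked through as a day-by-day state machine so you can see when searching is blocked and when the banner clears. This is an added example for this FAQ, not Splunk's own licensing code; the daily volumes are constructed, and treating "a full day within the allowed volume" as the day's total staying at or under the limit is an assumption.

```python
from datetime import date, timedelta

DAILY_LIMIT_MB = 500       # free license: up to 500 MB/day (from the FAQ)
MAX_VIOLATIONS = 7         # allowed violation days per rolling window (3.0 and later)
WINDOW_DAYS = 30
BANNER_DAYS = 7            # the violation banner persists this long after the last violation

# Constructed history of MB indexed per day on a free-license server; days not
# listed indexed nothing. Sample data, not taken from a real server.
SAMPLE_VOLUMES = {
    "2008-12-01": 620, "2008-12-02": 310, "2008-12-03": 700, "2008-12-05": 540,
    "2008-12-07": 900, "2008-12-09": 510, "2008-12-11": 650, "2008-12-13": 800,
    "2008-12-14": 200, "2008-12-15": 1200, "2008-12-16": 300, "2008-12-17": 450,
}


def _violation_days(volumes, day, limit_mb):
    """Sorted violation dates inside the rolling window that ends on `day`."""
    window_start = day - timedelta(days=WINDOW_DAYS - 1)
    return sorted(d for d, mb in volumes.items()
                  if window_start <= d <= day and mb > limit_mb)


def license_state(volumes, day, limit_mb=DAILY_LIMIT_MB):
    """State for one day of a {date: MB indexed} history.

    "ok"      - no violation in the window, or the banner period has passed
    "warning" - banner shown, searching still allowed
    "blocked" - more than MAX_VIOLATIONS violation days in the window and this
                day is itself over the limit; the first clean day lifts it
    Indexing itself never stops, whatever the state."""
    violations = _violation_days(volumes, day, limit_mb)
    if not violations:
        return "ok"
    last = violations[-1]
    if len(violations) > MAX_VIOLATIONS and last == day:
        return "blocked"
    if (day - last).days < BANNER_DAYS:
        return "warning"
    return "ok"


def state_on(volumes_iso, day_iso):
    """Same check with ISO date strings, e.g. state_on(SAMPLE_VOLUMES, "2008-12-15")."""
    volumes = {date.fromisoformat(k): v for k, v in volumes_iso.items()}
    return license_state(volumes, date.fromisoformat(day_iso))


def timeline(volumes_iso, start_iso, end_iso):
    """Day-by-day (date, state) pairs; shows when the block starts and lifts."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    days = [start + timedelta(days=i) for i in range((end - start).days + 1)]
    return [(d.isoformat(), state_on(volumes_iso, d.isoformat())) for d in days]


if __name__ == "__main__":
    for d, s in timeline(SAMPLE_VOLUMES, "2008-12-01", "2008-12-23"):
        print(d, s)
```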

My 2.x license doesn't work with 3.0

Version 3 introduces a new license key format. If you are an existing 2.x customer your license will not work with 3.0. Plus Support customers are entitled to upgrade their 2.x license to 3.0. Contact Splunk Support for your 3.0 license.

Purchasing Splunk

How much does Splunk cost? How is it licensed?

Splunk's pricing model is simple - licensed perpetually, pricing is based on the peak daily volume of raw uncompressed data indexed across your entire environment. If you need to increase your license to index more data later on, you can upgrade at any time. See the Splunk Store for more details on pricing.

How do I know how much data I have?

You can try the free license or a 30-day trial Enterprise license and watch to see your utilization during the trial as recorded by Splunk itself. Splunk 3.0 comes preconfigured with an admin dashboard that shows your indexing utilization on a daily and hourly basis. You can also talk with a member of the Splunk Sales team to help you determine how much data you'll want to index.

Can I re-use the same license key on different servers?

No. While you can split a single license purchase across different servers, you must ask support for different keys for each server and tell us how you want to divide your license. For example, if you want to split a 200 GB license purchase across two servers each indexing 100 GB, you must ask us to deliver two 100 GB keys rather than using a single key on both servers. Forwarding servers may use a Free license and still forward to an indexing server with an Enterprise license.

What is Splunk's service and support offering?

We help members of the community via Forums, free online documentation, an IRC channel and answer emails sent to support@splunk.com. Splunk Plus Support offers Enterprise license customers telephone support, guaranteed response times and access to an online case portal. See our support overview for details of these offerings.

Does Splunk offer installation assistance and other professional services?

Yes. Splunk offers deployment design, installation, configuration, customization and integration services on a packaged and per-day basis. Read more about our professional services.

Does Splunk offer training?

Yes, we have a full training course offering.

Can I schedule a demo with Splunk Sales?

Of course. Contact sales@splunk.com.

Can I get an extension for my trial license?

Contact sales@splunk.com.

SplunkBase and the Splunk Community

What is SplunkBase?

SplunkBase is an IT knowledge base that allows Splunk users to share bundles of reports, dashboards and other configuration to add to their Splunk servers as well as exchange information about their IT problems.

How do I use SplunkBase?

If you're using Splunk, you can access SplunkBase knowledge about specific event types in your data by clicking "Lookup Event" next to any search result.

You can also go directly to the SplunkBase site on the Web and search, browse, add information about topics and events, and contribute bundles.

How does the Splunk Community fit with the Splunk software product?

SplunkBase is a unique vehicle for developers and sysadmins to share Splunk solutions and their troubleshooting experience. When a sysadmin views a troubling event in their server, router, service, or software program they have the ability to instantly look up that event in SplunkBase. This community-driven knowledge base provides detailed information on what is happening and why. The system can recognize what software they are using and connect that user with other community members with similar issues and successes.

In addition, Splunk users can find tons of bundles and add-ons for the Splunk product through SplunkBase. All throughout the site, related bundles and add-ons are listed according to the particular page you are visiting, and a bundles browser is also included if that's your primary interest. You can also share your own bundle creations through SplunkBase.

How many members does the Splunk Community have?

The community is thousands of users and growing daily.

Aren't there already a number of communities for systems administrators? Why should they come to SplunkBase?

There are a number of user groups and forums for sysadmins, and these groups have had some success, but they have limited scope. The Splunk community is unique in that it is creating a wiki of event data and troubleshooting techniques around a broader spectrum of technologies, and many of these interoperate in ways that such a wiki can richly follow. Along the way, the community is creating a rich knowledge base of information related to specific log events. When sysadmins have a specific problem and examine their log files, they can not only look up what the event means, but also join a dialog with other sysadmins or developers who are facing similar issues. Having a rich database of knowledge (SplunkBase), a powerful troubleshooting tool (Splunk) and an engaging collaborative website provides a unique experience to the IT professional that is not available in other places on the web.

Customers and Partners

Who are your partners?

We're working with an ecosystem of partners to integrate Splunk with leading software, hardware and service vendors in the data center.

Our Splunk Powered program enables partners to offer IT Search embedded within their own solution, making it possible to troubleshoot issues in real time. With Splunk Powered products, a vendor's customers can perform ad hoc investigations, alert on multi-component problems and report on activities across the vendor's solution and the pieces of the data center it interacts with. Splunk is currently embedded in products from a variety of vendors in email, security and network management.

Splunk also integrates with leading systems management suites and participates in the partner programs of major vendors including IBM, HP, BMC, CA and Juniper.

Who are your customers? How many customers does Splunk have?

More than 150,000 people have downloaded Splunk, and more than 600 enterprises, service providers, and government agencies, including 21st Century Insurance, Aetna, BEA, British Telecom, Catholic Healthcare West, Chevron, Cisco, Comcast, Dow Jones, LinkedIn, Motorola, NASA, Orbitz, Raytheon, Riverbed, Shopzilla, T-Mobile, Telstra, Thomson, Verisign, Verizon, Visa, and Vodafone, are Splunk customers.

Do you have a reseller program?

Yes. Contact partnering@splunk.com for more information on becoming a Splunk reseller.

Do you OEM your product?

Yes. Splunk Powered delivers OEM partners the ability to rapidly search IT data across both their own products and interfacing technologies to investigate issues as they happen. With it partners can:

Contact partnering@splunk.com for information on the Splunk Powered OEM program.

Getting Started

How do I start?

If you haven't installed Splunk yet, read the Installation Manual. If you've already installed it, point your browser at port 8000 on your server. If you have an enterprise license, you will need to login with the default username "admin" and password "changeme."

I just installed Splunk with an enterprise and I'm trying to log into the web interface for the first time. It's asking me for a username and password. What are they?

The default username is "admin" and the password is "changeme."

How do I index a file?

Log into the Splunk web interface as an administrator and click on the "Admin" link at the top left. Then click on data inputs and follow the interface instructions from there.

Alternately, type $SPLUNK_HOME/bin/splunk help input for assistance with adding data via the commandline.

I've gotten to my Splunk interface, but what do I search for?

You should have a list of source types and hosts and sources toward the middle of your Splunk home page. Choose one, click and you will see all associated events.

Or you can open the Splunk drop-down menu at the top of the UI. Hover over "Saved Splunks" and choose "all." This search will return every event (up to the 10,000 most recent) in your Splunk index.

Can I install a new version of Splunk over an older version, without losing any of my configurations or data?

Yes. See the Installation Manual for instructions.

Accessing Data

How can I customize the way Splunk handles my data?

See the Admin Manual for information on configuring Splunk to handle a variety of data types.

How can I tell if all my data has been indexed?

The total number of events in your index is listed on your Splunk Web homepage. For more information, click the Admin link in the upper right corner of the homepage. The Admin page includes an Input Status tab that lists each method of data input, including which methods are still processing files.

Splunk for index::splunklogger to see the history of everything your server has done since startup.

I have more than 10,000 events indexed. Why don't they all show up when I run a "meta::all" search?

A Splunk search defaults to the most recent 10,000 events, almost always sorted by time. To see more than 10,000 events, change the setting in the Preferences menu in Splunk Web.

How do I configure Splunk to index archived (non-growing) files?

In Splunk Web, choose Admin > Data Inputs > Files and Directories and add a directory. Choose "Watch and copy" or "Watch and symlink" in the dropdown under source.

How do I configure Splunk to index live (constantly-growing) files?

In Splunk Web, choose Admin > Data Inputs > Files and Directories and add a file or directory. Choose "Tail" in the dropdown under source.

Can I set up a live input of data from different hosts to my central Splunk server?

Yes, for both the free and enterprise license (although an enterprise license makes it a lot easier).

If you have a free license, either mount your remote log files, or use remote syslog to send data from your production hosts to a syslog file on the Splunk server. Then, load this data into your Splunk Server. If you have an enterprise license, you can install Splunk on your production hosts to access local data and forward from those Splunk servers to your central Splunk server in real time over TCP. All your options for deploying Splunk across a network are described in our Deployment section.

Windows

Does Splunk run on Windows?

Splunk now runs on Windows; visit the download page to get your copy!

How Splunk Handles Data

Splunk is handling multiple events as one. Splunk is splitting multiple line events in the wrong place. How do I fix that?

You can override Splunk's default multiline event handling rules by editing properties set by source or sourcetype. Complete instructions can be found in the Admin Manual. You can see examples in the example files in $SPLUNK_HOME/splunk/etc/bundles/.

Splunk is not recognizing my timestamps correctly. How do I fix that?

You can train Splunk to recognize timestamps better. Run $SPLUNK_HOME/bin/splunk train dates to teach Splunk the dates to extract from your datasources.

I want to add custom fields such as user:: to the default fields like source::. How do I do that?

You can specify additional fields to be indexed or extracted at search time in properties configuration files. Instructions can be found in the Admin Manual. You can see examples in the example files in $SPLUNK_HOME/etc/bundles/props.conf.example and $SPLUNK_HOME/etc/bundles/transforms.conf.example.

I have some sensitive data. Can I garble it before it gets indexed?

Yes. There is an anonymizer you can use to maintain confidentiality. Please see the section of our Admin Manual on Anonymizing your Data Samples.

I want to search for messages in my email logs based on both sender and recipient, but these are recorded in different events with a common message id. Can Splunk handle that?

Yes. You will have to configure Splunk to recognize the common field and tell it to create meta-events to summarize all events with that field in common. You can see examples in the example files in your $SPLUNK_HOME/etc/bundles directory and in the Admin Manual.

Does Splunk read milliseconds?

Yes. Support for parsing milliseconds as part of the indexed timestamp field was introduced in Splunk 3.2.

Administration

I need to change the ports Splunk uses. How can I do this?

In the Splunk web interface go to Admin > Server > Settings. You can change the ports there. You will be prompted to restart Splunk for the settings to take effect.

I want to clear out my index. How do I do that?

Run the command $SPLUNK_HOME/bin/splunk help clean to see options for erasing all of your data or just specific indexes.

Integrating and Extending Splunk

Can I use SOAP or REST to talk to Splunk from another application?

Yes. See our Developer's Manual.

Can I send alerts based on Splunk search results?

Yes, you can save, schedule and set alerting options for any search via email, RSS and custom scripts.

Troubleshooting

I've just applied the Enterprise License and Splunk now wants me to log in. What are my login credentials?

The default username is admin and password is changeme.

I type in a term I know is in my data. Why don't I get any results?

Splunk indexes data by breaking it into segments. It searches for exact matches. If you type in "foo," Splunk expects to find a segment that is an exact match for "foo." It won't match "sfoo" or "food." For these types of searches, you can use * as a wildcard (e.g. "*foo" or "foo*").

If that doesn't work, start with a more broad search, such as "meta::all." To see how Splunk has broken your events into segments, mouse over a result - each separate string that highlights is a separate segment.
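A worked model of the segment matching explained in this answer and of the index-density point from "How dense is the index?": events are split into segments, a query term must match a whole segment unless it carries a * wildcard, and splitting tokens on the period adds the 1, 1.2, 1.2.3 prefixes that bloat the index. This is an added example for this FAQ, not Splunk's segmenter; the sample events and the set of breaker characters are assumptions.

```python
import re

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "Dec 23 08:12:01 fw01 kernel: DENY src=1.2.3.4 dst=10.0.0.7 proto=tcp dpt=22",
    "Dec 23 08:12:02 web01 app: user=food action=login status=ok",
    "Dec 23 08:12:03 web01 app: user=sfoo action=login status=fail",
    "Dec 23 08:12:04 web01 app: user=foo action=logout status=ok",
]

# Characters that always end a segment (an assumed set modelled on common
# syslog punctuation, not Splunk's actual breaker configuration).
MAJOR_BREAKERS = re.compile(r"[\s\[\]<>(){}|!;,'=\"]+")
# A "minor" breaker: the period, as in the FAQ's 1.2.3.4 example.
MINOR_BREAKER = "."


def segment(event, minor_prefixes=True):
    """Return the set of terms an index would have to store for this event.

    Major breakers split unconditionally. When minor_prefixes is True, a
    token containing '.' additionally contributes its prefixes (1, 1.2,
    1.2.3 ...), which is the index bloat the FAQ describes; turning it off
    models a reduced-density configuration."""
    terms = set()
    for tok in MAJOR_BREAKERS.split(event):
        if not tok:
            continue
        terms.add(tok)
        if minor_prefixes and MINOR_BREAKER in tok:
            parts = tok.split(MINOR_BREAKER)
            for i in range(1, len(parts)):
                terms.add(MINOR_BREAKER.join(parts[:i]))
    return terms


def term_matches(query, terms):
    """Exact whole-segment match; a leading or trailing '*' is a wildcard."""
    if "*" in query:
        pattern = "^" + re.escape(query).replace(r"\*", ".*") + "$"
        rx = re.compile(pattern)
        return any(rx.match(t) for t in terms)
    return query in terms


def search(events, query, minor_prefixes=True):
    """Events whose segments satisfy the query term."""
    return [e for e in events if term_matches(query, segment(e, minor_prefixes))]


if __name__ == "__main__":
    for q in ("foo", "foo*", "*foo", "1.2.3"):
        print(f"{q:6s} -> {len(search(SAMPLE_EVENTS, q))} event(s)")
    print("terms stored for src=1.2.3.4:", sorted(segment("src=1.2.3.4")))
```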

I go to the URL for my Splunk server and there's nothing there. What do I do?

First, make sure you have the right server URL. Try to telnet or ssh to the host. If you can login, check to see if both Splunk processes are running. At the shell prompt, type $SPLUNK_HOME/bin/splunk status. Or just use the ps command. You should see two processes - splunkd and splunkWeb (twisted.py).

Restart the Splunk server by typing "splunk restart." It should report [ OK ] for both splunkd and splunkWeb.

Splunk starts but Splunkd won't start. What do I do?

Make sure you have the correct path when you are starting Splunk. The best way to verify this is to navigate into $SPLUNK_HOME/bin and type ./splunk restart. ($SPLUNK_HOME is the path you installed in). If Splunk still won't start, contact support.

The webserver is saying splunkd is down but it isn't. What is the matter?

The webserver needs to connect to the splunk daemon via the management port; by default this port is 8089. The most common reason for this error is the webserver is unable to connect to this port. Some good things to check

I'm running low on disk space. What do I do?

See our Admin Manual section on Index Management.

I've made some config changes, but I'm not sure if they're working.

See the Admin Manual section on Testing Configuration Changes.

My 2.x license doesn't work with 3.0

Version 3 introduces a new license key format. If you are an existing 2.x customer your license will not work with 3.0. Plus Support customers are entitled to upgrade their 2.x license to 3.0. Please contact Splunk Support for your 3.0 license.

If you are using the free license you can perform the following steps:

I can't export results in Internet Explorer 6

There is a bug in Internet Explorer with regard to file downloads over SSL. The problem and resolution are documented here.

How do I disable the "Checking for Updates" message?

Add this to your [settings] stanza in web.conf (create a new file in $SPLUNK_HOME/etc/system/local if necessary):

updateCheckerBaseURL = 0

Getting Help

How can I learn more about Splunk's advanced features?

The best way to explore advanced features is to take the tutorial

You can also explore the commandline interface using its inline help. Type $SPLUNK_HOME/bin/splunk help to get started.

I lost my Splunk.com password. What do I do?

Use the recover password feature of the site to have your username and/or password emailed to the address on record.

How do I report problems?

Submit your issue on our online case submission form or email us at support@splunk.com.

How can I make suggestions?

You can always send an email to our support team at support@splunk.com. Also check out our Live Roadmap where you can vote on upcoming features.

I have some questions that aren't answered here. Where can I get help?

Start with our Documentation.

Read or ask questions on SplunkBase.

For help -- yes, it's free! -- from the Splunk Support team, submit an online support case (you must be a registered user and log in to use this service). You can also use our IRC support channel. The channel name is #splunk on the EFnet IRC (irc.efnet.org) network.

Splunk customers with an enterprise license get additional premium support options. For full information on our support offerings click here.