This document last updated: 08/29/08 04:08pm

Print Installation Manual

Read This First

System requirements

Check the release notes for details on known and resolved issues, and refer to the download page for the latest version to download.

Caution: Splunk does not provide a direct upgrade path to version 3.2.x from versions earlier than 3.0. You cannot upgrade directly from 2.x to 3.2. If you are upgrading from an earlier version of Splunk, refer to the upgrade and migration instructions for upgrading to 3.0 and upgrade to 3.0 or 3.1 before proceeding.

Host operating system

• Linux 2.6+ kernel Linux distributions (x86 and x86_64) and major 2.4+ kernel Linux distributions with NPTL (x86)
• Solaris 8, 9 & 10 / Sparc
• Solaris 9 & 10 / x86
• Mac OS X 10.4+ / x86 and PPC
• FreeBSD 6.1 (6.2 for 64-bit versions) or later
• AIX 5.2 and 5.3
  • AIX 5.4 has not yet been tested by Splunk. If you want to give it a try, please install it on a test server and send us feedback.
• Windows 2000 Server (32-bit)
• Windows XP Professional (32-bit)
• Windows 2003 Server (32-bit)

Note: Splunk is certified to to run on English versions of Windows only. Non-English operating systems are not supported.
Note: Windows registry monitoring is not supported on Windows 2000 due to an issue with a Windows 2000 dll. If you can upgrade to IE7, this issue is resolved because the dll is updated as well.

Client operating system / browser (for access to Splunk Web)

• AIX, BSD and Linux: Firefox 1.5 or 2.0; Adobe Flash 9 or higher
• Mac OS X: Firefox 1.5 or 2.0; Adobe Flash 9 or higher
• Windows: Internet Explorer 6 or 7 or Firefox 1.5 or 2.0; Adobe Flash 9 or higher

You can verify your installed version of Flash here

Hardware capacity requirements

Splunk is a high-performance application. If you are performing a comprehensive evaluation of Splunk for production deployment, we recommend that you use hardware typical of your production environment; this hardware should meet or exceed the recommended hardware capacity specifications below.

For all installations, a minimum of 2GB hard disk space is required, including lightweight forwarders.

Note: Running Splunk in virtual machine (VM) mode on any platform will degrade performance.

Recommended hardware capacity

Non-Windows platforms:
2x3.4 GHz CPU, 4 GB RAM
Windows platforms:
Multi-core Xeon or equivalent at 3Ghz, 4GB RAM

Minimum supported hardware capacity

Use the minimum supported hardware guidelines for personal use of Splunk.

Non-Windows platforms:
1x1.4 GHz CPU, 1 GB RAM
Windows platforms:
Pentium 4 or equivalent at 2Ghz, 2GB RAM

Supported server hardware architectures

32 and 64-bit architectures are supported for some platforms. Splunk is supported on 32-bit Windows platforms only. See the download page page for details.

Supported file systems

• Linux - ext2/3, reiser3, XFS
• Solaris - UFS, ZFS, VXFS
• FreeBSD - FFS, UFS
• Mac - HFS
• AIX - JFS, JFS2, NFS 3/4
• Windows - NTFS, FAT32

Note: Most other file systems are supported. If you run Splunk on a filesystem that is not listed above, Splunk may run a startup utility named locktest. Locktest is a program that tests the start up process. If locktest runs and fails, the filesystem is not suitable for running Splunk.

Note: On FreeBSD, mounting as nullfs is not supported.

Storage and performance notes

• For standard syslog data, provision up to 50% of raw data size. This is tunable down to 12% with lower indexing density.
• For other data sources, your compression rates may be lower and your storage requirements may be higher.
• For more information on ways to reduce your index density, click here

Step by Step Installation

Before you install

Before installing Splunk on your system:

• Read the system requirements.
• Check the release notes for details on known and resolved issues.
• Refer to the download page for the latest version to download.
• If you are upgrading, review the upgrade documentation later in this manual and check the migration documentation for any migation considerations before proceeding.

Some platform-specific installers come in both a package form and a tarball. Follow the instructions for your specific package or tarball.

Installing as root

Splunk must run as root or as a member of the splunk group. When installing from any type of package manager that isn't a tarball, you must install as root. When you install Splunk with root privileges, it creates the user splunk and group splunk (if they do not already exist). If you do not install Splunk with root privileges, it won't attempt to create users or groups.

Splunk can run as any user on the local system. However, the user Splunk runs as must have access rights to read all the data inputs you define. Keep in mind that some files and directories may be in privileged locations and therefore will not be indexed if you don't have the correct ownership settings.

Running Splunk on Windows

The user Splunk runs as must have permissions to:

• Run as a service.
• Read whatever files you are configuring it to monitor.
• Write to Splunk's directory.

Disabling update checker

Splunk Web is configured to check for new versions of itself. If you are running Splunk on a LAN that is not connected to the rest of the Web, you will want to disable this feature.

What ports Splunk uses

Splunk uses two network ports by default; ports 8000 (Splunk Web) and 8089 (management port) are opened initially. You can also enable SSL for Splunk Web after you install.

What gets installed

For a complete list of files that Splunk installs, refer to the file manifest for your platform, located in $SPLUNK_HOME, at the same level as the /etc directory.

Advanced installation topics

Before you start Splunk for the first time, review the topics under Advanced Installation. The topics include configuring Splunk to start at boot time, bind to an IP, and run as a non-root user.

AIX installation

This topic will guide you through installing Splunk on the AIX platform.
Note: If you are upgrading, review the upgrade documentation later in this manual and check the migration documentation for any migation considerations before proceeding.

Install Splunk

The AIX install comes in tarball form only. We plan to provide a native install package in a later release.

Note: When installing with the tarball:

• Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually.
• Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

To install Splunk on an AIX system, expand the tarball into an appropriate directory. The default install directory is /opt/splunk.

For AIX 5.3, check to make sure your service packs are up to date. Splunk requires the following service level:

$ oslevel -r
5300-005

Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information.

To start Splunk from the command line interface, run the following command:

 $SPLUNK_HOME/bin/splunk start

Note: By convention, this document uses:

• $SPLUNK_HOME to identify the path to your Splunk installation.
• $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

Startup options

The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

For more information, refer to Splunk startup options

If this is an upgrade to 3.2 or later, you have the option of reviewing changes to be made to your configuration files during migration. Refer to the upgrade instructions for more details.

Launch Splunk Web and log in

After you start Splunk and accept the license agreement,

1. In a browser window, access Splunk Web at http://<hostname>:port.

• hostname is the host machine.
• port is the port you specified during the installation (the default port is 8000).

2. If you are running Splunk with a Free license, Splunk Web launches without prompting you for login information. If you are running Splunk with an Enterprise license, Splunk Web prompts you for login information (default, username admin and password changeme) before it launches.

Manage your license

If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.

Uninstall Splunk

Use your local package management commands to uninstall Splunk. In most cases, files that were not originally installed by the package will be retained. These files include your configuration and index files which are under your installation directory.

If you can't use package management commands, follow the instructions for manually uninstalling Splunk components.

FreeBSD installation

This topic will guide you through installing Splunk on the FreeBSD platform.
Note: If you are upgrading, review the upgrade documentation later in this manual and check the migration documentation for any migation considerations before proceeding.

Install Splunk

The FreeBSD builds comes in two forms: an installer (5.4-intel) and a tarball (i386). Both are TGZ files.

Basic install

To install FreeBSD using the intel installer:

pkg_add splunk_package_name-5.4-intel.tgz

To install Splunk in a different director:

pkg_add -v -p /usr/splunk splunk_package_name-5.4-intel.tgz

Tarball install

To install Splunk on a FreeBSD system, expand the tarball into an appropriate directory. The default install directory is /opt/splunk.

Note: When installing with the tarball:

• Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually.
• Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

After you install

To ensure that Splunk functions properly on FreeBSD, you must:

1. Add the following to /boot/loader.conf

kern.maxdsiz="2147483648" # 2GB
kern.dfldsiz="2147483648" # 2GB
machdep.hlt_cpus=0 

vm.max_proc_mmap=2147483647

A restart of the OS is required for the changes to effect.

What gets installed

To see the list of Splunk packages:

pkg_info -L splunk

To list all packages:

pkg_info

Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information.

To start Splunk from the command line interface, run the following command:

 $SPLUNK_HOME/bin/splunk start

Note: By convention, this document uses:

• $SPLUNK_HOME to identify the path to your Splunk installation.
• $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

Startup options

The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

For more information, refer to Splunk startup options

If this is an upgrade to 3.2 or later, you have the option of reviewing changes to be made to your configuration files during migration. Refer to the upgrade instructions for more details.

Launch Splunk Web and log in

After you start Splunk and accept the license agreement,

1. In a browser window, access Splunk Web at http://<hostname>:port.

• hostname is the host machine.
• port is the port you specified during the installation (the default port is 8000).

2. If you are running Splunk with a Free license, Splunk Web launches without prompting you for login information. If you are running Splunk with an Enterprise license, Splunk Web prompts you for login information (default, username admin and password changeme) before it launches.

Manage your license

If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.

Uninstall Splunk

Use your local package management commands to uninstall Splunk. In most cases, files that were not originally installed by the package will be retained. These files include your configuration and index files which are under your installation directory.

To uninstall Splunk from the default location:

pkg_delete splunk

To uninstall Splunk from a different location:

pkg_delete -p /usr/splunk splunk

Linux installation

This topic will guide you through installing or upgrading Splunk on the Linux platform.
Note: If you are upgrading, review the upgrade documentation later in this manual and check the migration documentation for any migation considerations before proceeding.

Install Splunk

The Linux build comes in three forms: RPM, DEB, and tarball.

RedHat, RPM install

To upgrade an existing Splunk installation using the RPM:

rpm -U splunk_package_name.rpm

To install the Splunk RPM from scratch:

rpm -i splunk_package_name.rpm

Note: These commands install Splunk into the default directory /opt/splunk.

To install Splunk in a different directory:

rpm -i --prefix=/opt/new_directory/splunk splunk_package_name.rpm

To verify the RPM package signature, refer to our PGP public key.

Debian, DEB install

To install the Splunk DEB package:

dpkg -i splunk_package_name.deb

Note: You can only install the Splunk DEB package in the default location, /opt/splunk.

Important: There is an issue with the 3.3 Debian package resulting in errors when you try to start Splunk. To work around this issue, once you've run the installer, edit /var/lib/dpkg/info/splunk.postinst and modify line 13 by adding a / before opt (SPLUNK_HOME="/opt/$PRODUCT". Then run the script: sh /var/lib/dpkg/info/splunk.postinst . This completes the installation and you can then start Splunk.
This issue will be resolved in the next maintenance release.

Tarball install

To install Splunk on a Linux system, expand the tarball into an appropriate directory. The default install directory is /opt/splunk.

Note: When installing with the tarball:

• Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually.
• Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

What gets installed

Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information.

To start Splunk from the command line interface, run the following command:

 $SPLUNK_HOME/bin/splunk start

Note: By convention, this document uses:

• $SPLUNK_HOME to identify the path to your Splunk installation.
• $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

Startup options

The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

For more information, refer to Splunk startup options

If this is an upgrade to 3.2 or later, you have the option of reviewing changes to be made to your configuration files during migration. Refer to the upgrade instructions for more details.

Launch Splunk Web and log in

After you start Splunk and accept the license agreement,

1. In a browser window, access Splunk Web at http://<hostname>:port.

• hostname is the host machine.
• port is the port you specified during the installation (the default port is 8000).

2. If you are running Splunk with a Free license, Splunk Web launches without prompting you for login information. If you are running Splunk with an Enterprise license, Splunk Web prompts you for login information (default, username admin and password changeme) before it launches.

Manage your license

If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.

Uninstall Splunk

Use your local package management commands to uninstall Splunk. In most cases, files that were not originally installed by the package will be retained. These files include your configuration and index files which are under your installation directory.

If you can't use package management commands, follow the instructions for manually uninstalling Splunk components.

RedHat Linux

To uninstall from RedHat Linux

rpm -e splunk_product_name

Debian Linux

To uninstall from Debian Linux:

dpkg -r splunk

To purge (delete everything, including configuration files):

dpkg -P splunk

Mac OS installation

This topic provides detailed instructions for installing Splunk on Mac OS.
Note: If you are upgrading, review the upgrade documentation later in this manual and check the migration documentation for any migation considerations before proceeding.

Install Splunk

The Mac OS build comes in two forms: a DMG package and a tarball. Below are instructions for the:

• Graphical (basic) and command line installs using the DMG file.
• Tarball install.

Graphical install

1. Double-click on the DMG file.
A Finder window containing splunk.pkg opens.

2. In the FInder window, double-click on splunk.pkg.
The Splunk installer opens and displays the Introduction, which lists version and copyright information.

3. Click Continue.
The Select a Destination window opens.

4. Choose a location to install Splunk.

• To install in the default directory, /Applications/splunk, click on the harddrive icon.
• To select a different location, click Choose Folder...

5. Click Continue.
The pre-installation summary displays. If you need to make changes,

• Click Change Install Location to choose a new folder, or
• Click Back to go back a step.

6. Click Install.
Your installation will begin. It may take a few minutes.

7. When your install completes, click Finish.

Command line install

1. To mount the dmg:

hdid splunk_package_name.dmg

2. To Install

• To the root volume:

installer -pkg splunk.pkg -target /

• To a different disk of partition:

installer -pkg splunk.pkg -target /Volumes\ Disk

-target specifies a target volume, such as another disk, where Splunk will be installed in /Applications/splunk.

To install into a directory other than /Applications/splunk on any volume, use the graphical installer as described above.

Tarball install

To install Splunk on a Mac OS, expand the tarball into an appropriate directory. The default install directory is /Applications/splunk.

Note: When installing with the tarball:

• Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually.
• Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information.

To start Splunk from the command line interface, run the following command:

 $SPLUNK_HOME/bin/splunk start

Note: By convention, this document uses:

• $SPLUNK_HOME to identify the path to your Splunk installation.
• $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

Startup options

The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

For more information, refer to Splunk startup options

If this is an upgrade to 3.2 or later, you have the option of reviewing changes to be made to your configuration files during migration. Refer to the upgrade instructions for more details.

Launch Splunk Web and log in

After you start Splunk and accept the license agreement,

1. In a browser window, access Splunk Web at http://<hostname>:port.

• hostname is the host machine.
• port is the port you specified during the installation (the default port is 8000).

2. Login to Splunk with username admin and password changeme.

Manage your license

If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.

Uninstall Splunk

Use your local package management commands to uninstall Splunk. In most cases, files that were not originally installed by the package will be retained. These files include your configuration and index files which are under your installation directory.

If you can't use package management commands, follow the instructions for manually uninstalling Splunk components.

Solaris installation

This topic provides instructions for installing Splunk on Solaris systems.
Note: If you are upgrading, review the upgrade documentation later in this manual and check the migration documentation for any migation considerations before proceeding.

Install Splunk

The Solaris build comes in two forms: a PKG file and a tarball.

Native install

The PKG installation package includes a request file that prompts you to answer a few questions before Splunk installs.

1. To install Splunk using a PKG file:

pkgadd -d ./splunk_product_name.pkg

2. Select the packages you wish to process (the default is "all").

3. Next, the installer prompts you to specify a base installation directory.
To install into the default directory, /opt/splunk, leave this blank.

Tarball install

To install Splunk on a Solaris system, expand the tarball into an appropriate directory. By default, Splunk installs into /opt/splunk/.

Note: When installing with the tarball:

• Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually.
• Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

What gets installed

Splunk package info:

pkginfo -l splunk

List all packages:

pkginfo

Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. For more information, refer to the instructions on running Splunk as a non-root user.

Note: If you are installing on Solaris 10, refer to this page for additional information about configuring user privileges.

To start Splunk from the command line interface, run the following command:

 $SPLUNK_HOME/bin/splunk start

Note: By convention, this document uses:

• $SPLUNK_HOME to identify the path to your Splunk installation.
• $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

Startup options

The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

For more information, refer to Splunk startup options

If this is an upgrade to 3.2 or later, you have the option of reviewing changes to be made to your configuration files during migration. Refer to the upgrade instructions for more details.

Launch Splunk Web and log in

After you start Splunk and accept the license agreement,

1. In a browser window, access Splunk Web at http://mysplunkhost:port, where:

• mysplunkhost is the host machine.
• port is the port you specified during the installation (8000).

2. If you are running Splunk with a Free license, Splunk Web launches without prompting you for login information. If you are running Splunk with an Enterprise license, Splunk Web prompts you for login information (default, username admin and password changeme) before it launches.

Manage your license

If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.

Uninstall Splunk

Use your local package management commands to uninstall Splunk. In most cases, files that were not originally installed by the package are retained. These files include your configuration and index files which are under your installation directory.

pkgrm splunk

If you can't use package management commands, follow the instructions for manually uninstalling Splunk components.

Windows installation

If you are upgrading Splunk for Windows from version 3.2.x to 3.3.x, please review the the Windows migration instructions before proceeding.

Note: When you run the Splunk Windows installer, you are given the option to select a user Splunk will run as. If you install Splunk as the LOCAL SYSTEM user, WMI remote authentication will not work; this user has null credentials and Windows servers normally disallow such connections. If this Splunk instance is only acting as a collector and forwarder of local data, however, this is acceptable.

Install Splunk

The Windows installer is an MSI file.

1. To start the installer, double-click the splunk.msi file.
The Welcome panel is displayed.

2. To begin the installation, click Next.

Note: On each panel, you can click Next to continue, Back to go back a step, or Cancel to close the installer.

The licensing panel is displayed.

3. Read the licensing agreement and select "I accept the terms in the license agreement". Click Next to continue installing.
The Customer Information panel is displayed.

4. Enter the requested details and click Next.
The Destination Folder panel is displayed.

Note: Splunk is installed by default into the \Program Files\Splunk.

5. Click Change... to specify a different location to install Splunk, or click Next to accept the default value.
The Logon Information panel is displayed.

Splunk installs and runs two Windows services, splunkd and splunkweb. These services will be installed and run as the user you specify on this panel. You can choose to run Splunk as the local system user, or a domain admin.

The user Splunk runs as must have permissions to:

• Run as a service
• Read whatever files you are configuring it to monitor
• Collect performance or other WMI data
• Write to Splunk's directory

Note: If you install as the local system user, some network resources may not be available to the Splunk application. Additionally, WMI remote authentication will not work; this user has null credentials and Windows servers normally disallow such connections. Only local data collection with WMI will be available. Contact your systems administrator for advice if you are unsure what user to specify.

6. Select a user type and click Next.
If you specified the local system user, proceed to step 8. Otherwise, the Logon Information: specify a username and password panel is displayed.

7. Specify a username and password to install and run Splunk and click Next.
Note: To use an existing user, you can enter or browse for the username and domain details. However, if you cannot browse to the user you wish to use, the installation will fail. Splunk recommends that you browse to the domain and username to ensure that you select a valid user.
Important: This panel currently contains a New User Information... button. This button is nonfunctional.

The Configure Splunk Data Sources panel is displayed.

8. Check or uncheck boxes to tell Splunk what data you want monitored and indexed:

• Select which Windows event logs you want indexed
• Choose which local registry hives to monitor, and whether or not Splunk should establish a baseline snapshot for them when it starts next. Refer to the documentation about Windows registry inputs for information.
• Choose to enable WMI collection of local system data. Refer to the documentation about WMI inputs for more information.

Important: If you choose to enable baseline snapshots of your local registry hives, the next time you start Splunk, it may take a long time to start up and use significant system resources while processing the snapshot. This depends on how large your registry is, and how much of it you plan to monitor. For more information about baseline snapshots and monitoring the Windows registry, refer to Get a baseline snapshot.

The pre-installation summary panel is displayed.

9. Click Install to proceed.
The installer runs and displays the Installation Complete panel. You may see a number of warnings in a command prompt dialog box; you can safely ignore these.

10. Check the boxes to run Splunk and Splunk Web now. Click FInish.

Start Splunk

On Windows, Splunk is installed by default into \Program Files\Splunk

You can start and stop the following Splunk processes via the Windows Services Manager:

• Server daemon: splunkd
• Web interface: splunkweb

You can also start, stop, and restart both processes at once by going to \Program Files\Splunk\bin and typing

#  splunk.exe [start|stop|restart]

Note: If you do not select Start Splunk Services at installation, they will be set to manual startup and therefore will not start after a reboot. You must start them from the Windows Service Manager MMC, and optionally configure auto-start if you want them to start automatically at boot time.

Note: If you chose not to index one or more of the Windows event logs by unchecking the box(es) at the end of the installation process, and want to begin indexing later, edit $SPLUNK_HOME/etc/system/local/inputs.conf as described in Configure inputs via inputs.conf.

Important: You must use two backslashes \\ to escape wildcards in stanza names in inputs.conf.

Install or upgrade license

If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.

Uninstall Splunk

To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.

License management

All Splunk servers require a license; Splunk provides two types of licenses, a Free license and an Enterprise license. Splunk ships with a Free license.

The first time you download Splunk, you are asked to register. Your registration authorizes you to receive the Free license, which allows a maximum indexing volume of 500 MB/day. The Free license is not a trial license and does not expire.

The Enterprise license enables higher data indexing volume and the following additional features:

• Multiple user accounts and access controls.
• Distributed search and data routing.
• Deployment management.

To evaluate Enterprise features before purchasing, you can request a 30-day trial Enterprise license.

Important: You cannot use the same Enterprise license on multiple servers. Each instance of Splunk (including forwarders) must have its own unique license, whether a Free license or an Enterprise license. The only exception to this is the 1 MB/day forward-only license that can be installed on multiple forwarding instances. For more information, read About Splunk licenses.

Access your license

All Splunk servers have a license located in $SPLUNK_HOME/etc/, whether it is a Free license (splunk-free.license) or an Enterprise license (splunk.license).

Example of a Splunk license

user@company.com;EQ/GQXW/J7u9VLJShPsW4m8yi+5a+geRrof4Bep70j32xsBpq
JItM5pdntRfl4auply366BAjTMnfTB6JyzJOZLplyBQijk02fQjgKjakl0ol4N5G6Wr
09ufnSe3iOXVAay24hzFfgDkaijOnkoGOPJqnHaVzaWC9dxIuKUvDPt3UcKTkDv0Gka
Q4EZxAvZKAFImvOF4PmDoNaMiBgLLkWibGhezFTTDh10PLl9kyeVThGzAyN23J512pVM
3xqNIg3pFcd2aJf31xspt1HRdSwofkfnuCVpzildy3qMbae4g85KpCfND+aJ6z2LoUu3
RQ4OV4SpxMXEZ4PgSGZ6dwA==

Where is your new license?

When you request a new license, you should receive the license in an email from Splunk. You can also access that new license in your splunk.com My Orders page. To install a new license (or change and update your existing license), replace your existing license with the new license.

You can install and update your licenses from Splunk Web's Admin > License & Usage page or with the CLI.

Note: These instructions are for Splunk 3.0 and later, for earlier versions, see 2.2.3 instructions.

Install via Splunk Web

To install or update your license using Splunk Web:

1. Start Splunk and open Splunk Web in a supported browser.

2. On the upper righthand corner of any of the dashboards, click Admin.

3. Click License & Usage.
The Admin > License & Usage page displays your license level, peak usage and license violations.

4. Click Change License.
The License & Usage: Change License page opens and displays your existing license key or splunk.license file.

5. Copy your new license key and paste (overwrite) the existing license.

6. Click Save.

7. Restart your Splunk server to apply your new license.
Note: You can restart your server from Splunk Web. On the Admin > Server: Control Server page, click Restart Now.

Install via CLI

To install or update your license using the CLI:

1. Create a new file named splunk.license.

2. Copy your new license key and paste it into splunk.license.

3. Move your license file, splunk.license, into the $SPLUNK_HOME/etc/ directory:

mv splunk.license $SPLUNK_HOME/etc/

4. Restart your Splunk server to apply your new license:

$SPLUNK_HOME/bin/splunk restart

First login after applying new trial/Enterprise license

To log in for the first time after applying an Enterprise license (converting from free), use the default username "admin" with the password "changeme". If you later clean (reset) your user data, your username/password is reset to this default.

License violations

Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have more than 7 violations in a rolling 30-day period, search will be disabled. Search capabilities return when you have less than 7 violations in the previous 30 days or when you apply a new license with a larger volume limit.

Note: During a license violation period, Splunk does not stop indexing your data. Splunk only blocks access while you exceed your license.

If you have other issues with your license, refer to the Admin Manual for troubleshooting tips.

Install Splunk Toolbar

Install Splunk Toolbar for Firefox

Splunk Toolbar for Firefox is available from the following locations:

• Splunk.com toolbar download page
• In the following Splunk server directory: $SPLUNK_HOME/share/splunk/extras/splunkbar/

Install from download page

1. On the toolbar download page, click the link for the Firefox toolbar.
You'll see a warning message, stating that Firefox prevented this site from asking you to install software. This is expected behavior.

2. Click Edit Options....

3. In the Allowed Sites dialog, click Allow.

www.splunk.com is listed as a trusted site.

4. Close the dialog box.
Firefox asks you whether you want to install the toolbar.

5. Click Install Now.

If the following dialog box is not displayed, refresh the browser page.

6. Click Restart Firefox to complete installation.
The toolbar is installed and visible below Firefox's address bar, and also in the Firefox Tools > Add-ons menu.

Install from Splunk server

1. In Firefox, click File > Open File....

2. Point the Open File dialog box to: $SPLUNK_HOME/share/splunk/extras/splunkbar/splunktoolbar.xpi .
Firefox asks you whether you want to install the toolbar.

3. Click Install Now.

4. Restart Firefox.
The toolbar is installed and visible below Firefox's address bar, and also in the Firefox Tools > Add-ons menu.

Uninstall Splunk Toolbar

1. Start Firefox.

2. In Firefox, click Tools > Add-ons.
The Splunk Toolbar is one of the items listed.

3. Select it and click Uninstall.

4. Follow the prompts and restart Firefox.

The toolbar is removed from Firefox. You can verify by checking Tools > Add-ons.

Install Splunk Toolbar for Internet Explorer (beta)

Note: This software is currently in beta. If you encounter any problems running the software or have any comments on its functionality, contact our support team.

The Splunk Toolbar is available from the following locations:

• Splunk.com toolbar download page.
• In the following Splunk directory: $SPLUNK_HOME/share/splunk/extras/splunkbar/ .

Install from download page

1. On the toolbar download page, click the link for the Internet Explorer toolbar.
If you are using Internet Explorer, you might see a warning message stating that Internet Explorer blocked this site from downloading files. This is expected behavior.

2. Click on the information bar at the top of the page

3. In the drop-down menu, click Download File....

4. Internet Explorer asks you whether you want to save or open the file. Click Run.

5. On the Security warning window, Click Run

6. You may see a warning that you need to install the .NET Framework. Click Yes to continue the .NET installation.
You can also visit the Microsoft .NET site to complete the installation. If you don't see this message, continue to the next step.

7. After installing the .Net framework return to Step 1 and run the toolbar installer again. You shouldn't see the warning message anymore.

8. The toolbar installation wizard is launched. Follow the instructions of the wizard:

The Splunk toolbar is now visible below Internet Explorer's address bar, and also in the View > Toolbars menu

Install from Internet Explorer

1. From Internet Explorer, select File > Open File....

2. Point the Open File dialog box to: $SPLUNK_HOME/share/splunk/extras/splunkbar/SplunkIEToolbarSetup.msi .

3. Internet Explorer asks you whether you want to download the file. Follow the instructions above to install the toolbar.
The Splunk Toolbar is now visible below Internet Explorer's address bar, and also in the View > Toolbars menu.

Uninstall Internet Explorer toolbar

1. From the Start menu, choose Control Panel > Add or Remove programs.

2. From the list of currently installed programs, select Splunk toolbar for Internet Explorer.

3. Follow the prompts.
The toolbar is removed from Internet Explorer. You can verify by checking Internet Explorer's View > Toolbars menu.

Advanced Installation Topics

Configure Splunk before startup

This topic discusses optional configurations you may want to include in your Splunk work environment.

Note: (If you have administrator or root privileges) To save a lot of typing, add the top level directory of your Splunk installation to your shell path. The $SPLUNK_HOME variable refers to the top level directory. Set a SPLUNK_HOME environment variable and add $SPLUNK_HOME/bin to your shell's path. The example below works for bash users who accepted the default installation location. Use the correct syntax and path for your own installation.

# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH

To start at boot time

Splunk provides a utility that updates your system boot configuration so that Splunk starts when the system boots up. This utility creates a suitable init script (or makes a similar configuration change, depending on your OS).

As root, run:

$SPLUNK_HOME/bin/splunk enable boot-start

If you don't start Splunk as root, you can pass in the -user parameter to specify which user to start Splunk as. For example, if Splunk runs as the user bob, then as root you would run:

$SPLUNK_HOME/bin/splunk enable boot-start -user bob

If you want to stop Splunk from running at system startup time, run:

$SPLUNK_HOME/bin/splunk disable boot-start

More information is available in $SPLUNK_HOME/etc/init.d/README and if you type help boot-start from the command line.

To bind to an IP

In Splunk 2.1 and all later versions, you can force Splunk to bind its interfaces to a specified IP address. To make this a temporary change, set the environment variable SPLUNK_BINDIP=<ipaddress> before starting Splunk.

If you want this to be a permanent change in your working environment, modify $SPLUNK_HOME/etc/splunk-launch.conf to include the SPLUNK_BINDIP attribute and <ipaddress> value. For example, to bind Splunk ports to 127.0.0.1, splunk-launch.conf should read:

# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory this configuration
# file was found in
#
# SPLUNK_HOME=/opt/splunk

SPLUNK_BINDIP=127.0.0.1

Note: You can also use splunk-launch.conf to define $SPLUNK_HOME and $SPLUNK_DB.

Run Splunk as non-root user

Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure Splunk has the appropriate permissions to:

• Read the files and directories it is configured to watch. Some log files and directories may require root or superuser access to be indexed.
• Write to Splunk's directory and execute any scripts configured to work with your alerts or scripted input.
• Bind to the network ports it is listening on (ports below 1024 are reserved ports that only root can bind to).

Note: Splunk will not accept syslog data over port 514 (the default listening port for UDP). This does not mean that Splunk cannot listen on UDP 514; you can add UDP 514 as a data input.

To run Splunk as a non-root user:

1. Create the user and group, splunk.
2. As root and using one of the packages (not a tarball), run the installation.
3. Change the ownership, chown, of the splunk directory and everything under it to the desired user.

For example, if you wanted to run Splunk as the splunk user:

sudo -H -u splunk /opt/splunk/bin/splunk start

• If Splunk is installed in an alternate location, update the path in the command accordingly.
• Your system may not have sudo installed. If this is the case, you can use su.
• If you are installing using a tarball and want Splunk to run as a particular user (such as splunk), you must create that user manually.

Solaris 10 privileges

When installing on Solaris 10 as the splunk user, you must set additional privileges to start splunkd and bind to reserved ports.

To start splunkd as the splunk user on Solaris 10, run:

# usermod -K defaultpriv=basic,net_privaddr,proc_exec,proc_fork splunk

To allow the splunk user to bind to reserved ports on Solaris 10, run (as root):

# usermod -K defaultpriv=basic,net_privaddr splunk

Disable update checker

Splunk Web is configured to check for new versions of itself and display a banner. If you are running Splunk on a LAN that is not connected to the rest of the Web, modify web.conf to disable this feature.

Note: The default web.conf is located in $SPLUNK_HOME/etc/system/default/. DO NOT edit this file. Instead, copy web.conf into $SPLUNK_HOME/etc/system/local/; then, edit the copy. For more information about configuration files, refer to this Admin manual topic.

To disable update checker, add the following to $SPLUNK_HOME/etc/system/local/web.conf:

[settings]
updateCheckerBaseURL = 0

Install Splunk for lightweight forwarding

Data distribution covers all configurations in which one Splunk server (the forwarder) is sending data to one or more Splunk servers (the receivers) prior to being indexed. When configuring data distribution, you can set up lightweight forwarding to move optional processing to the indexing server and reduce the workload on the forwarding server.

The following procedure describes how set up lightweight forwarding on your Splunk instance.

Note: (If you have administrator or root privileges) To save a lot of typing, add the top level directory of your Splunk installation to your shell path. The $SPLUNK_HOME variable refers to the top level directory. Set a SPLUNK_HOME environment variable and add $SPLUNK_HOME/bin to your shell's path. The example below works for bash users who accepted the default installation location. Use the correct syntax and path for your own installation.

# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH

1. Install Splunk.
Refer to the Installation Manual for instructions on downloading and installing Splunk.

Note: When configuring a server for ightwieight forwarding, ensure it is on the same, or earlier Splunk version. than the receiver. It does not need to be on the same platform.

2. Update your license.
Each forwarding instance of Splunk must have its own license. You have a couple of options for licenses on forwarding instances. Forwarders can run with the Free license. If you require the additional security that the Enterprise license allows (such as username and password authentication), you can request that your original Enterprise license be split. You can install smaller increments on your forwarder instances while keeping the largest increment for the indexer.

Important: For most distribution setups, we recommend 1 MB/day Enterprise licenses for each forwarder instances. This 1 MB/day forward-only license is not subtracted from your existing license(s) and can be applied to multiple forwarders.

For more information about Splunk licenses, refer to the User Manual topic About licenses. Refer to License Management for instructions on installing and updating your Splunk license.

3. Configure forwarding on your Splunk server.
You can set up forwarding using Splunk Web or the CLI. Refer to the Admin Manual for instructions on enabling forwarding and more information on Forwarding and Receiving.

4. Set your Splunk server to forwarder:

$SPLUNK_HOME/bin/splunk set server-type forwarder

This setting makes the following changes to your Splunk instance:

• Modifies inputs.conf to disable internal logging.
• Eliminates BATCH, EXEC, FIFO, TCP, and UDP input modules from splunkd to reduce memory usage.
• Replaces splunkd.xml with splunkd.xml.forwarder.

5. Disable Splunk Web.
For security reasons, we recommend that you disable Splunk Web on your lightweight forwarder:

$SPLUNK_HOME/bin/splunk disable webserver

6. Restart Splunk.
Setting up lightweight forwarding modifies a configuration file. You must restart Splunk to implement your changes.

$SPLUNK_HOME/bin/splunk restart

Configure SELinux

If you have SELinux active on your system, you must add Splunk to the list of authenticated applications that can run in your SELinux environment.

To configure SELinux to allow Splunk to run, you need to run the
chcon command on the Splunk lib directory. Here is what you type :

chcon -c -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib 2>&1 > /dev/null

You must also disable the check when Splunk starts by adding this line
to $SPLUNK_HOME/etc/splunk-launch.conf.

SPLUNK_IGNORE_SELINUX=1

Uninstall Splunk manually

If you can't use package management commands, these commands will remove the installed components except for any init scripts that have been created.

1. First, find and kill any process with "splunk" in its name.

• For Linux and Solaris: kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`
• For FreeBSD and Mac OS: kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`

2. rm -rf /opt/splunk (or wherever you installed Splunk)

3. rm -rf /opt/splunkdata (if a datastore or indexes outside the top-level directory exist)

4. userdel splunk

5. groupdel splunk

Upgrade Instructions

Upgrade and migrate to 3.3

You can upgrade and migrate directly to Splunk 3.3 from versions 3.0 and later. If you are currently running a version of Splunk that is older than 3.0, refer to this documentation for options.

When you upgrade to 3.3, your configuration files will be updated and changed to support the new functionality in 3.3. You can run the migration preview utility to see what will be changed before you actually upgrade and migrate. When you do this, a file containing the changes that the script proposes to make is written to $SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>

Important: Before you perform the upgrade:

• Review these migration considerations.
• Back up your files.

1. Execute the $SPLUNK_HOME/bin/splunk stop command.

2. To upgrade and migrate from version 3.0 and later, install the Splunk 3.3 package over your existing Splunk deployment.

If you are using a TAR file, expand it into the same directory as your existing Splunk instance. This overwrites and replaces matching files but does not remove unique files.

If you are using a package manager, such as an RPM:

rpm -U splunk_package_name.rpm

3. Execute the $SPLUNK_HOME/bin/splunk start command.
The following output is displayed:

This appears to be an upgrade of Splunk.

--------------------------------------------------------------------------------

Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk\'s installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.

You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:

If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose \'y\'.
If you want to see what changes will be made before you proceed with the
upgrade, choose \'n\'.

Perform migration and upgrade without previewing configuration changes? [y/n]

5. If you choose to view the expected changes, the script provides a list.

6. Once you've reviewed these changes and are ready to proceed with migration and upgrade, run $SPLUNK_HOME/bin/splunk start again.

Note: You can complete Steps 3 to 5 in one line:

To accept the license and view the expected changes (answer 'n') before continuing the upgrade:

$SPLUNK_HOME/bin/splunk start --accept-license --answer-no

To accept the license and begin the upgrade without viewing the changes (answer 'y'):

$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes

Important: After upgrading, Splunk may start reading some files incorrectly as binaries. You can override this behavior in props.conf by adding NO_BINARY_CHECK = true to the source or sourcetype stanza.

Upgrade Splunk on Windows

Important: Before you upgrade:

• Review these migration considerations.
• Back up your files.
• Stop Splunk either using the Windows Start menu option or by executing the $SPLUNK_HOME/bin/splunk stop command.

1. Download the new MSI file from the Splunk download page.

2. Double-click the MSI file.
The Welcome panel is displayed. Follow the onscreen instructions to upgrade Splunk.
For information about each panel, refer to the installation instructions.
When you reach the Install step, you have the option to preview changes that will be made for this upgrade.

3. Preview your upgrade and migration if desired.

When you upgrade, your configuration files are updated and changed to support the new functionality. You can run the migration preview utility to see what will be changed before you actually upgrade and migrate. When you do this, a file containing the changes that the script proposes to make is written to $SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>

The following text is displayed:

This appears to be an upgrade of Splunk.

--------------------------------------------------------------------------------

Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk\'s installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.

You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:

If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose \'y\'.
If you want to see what changes will be made before you proceed with the
upgrade, choose \'n\'.

Perform migration and upgrade without previewing configuration changes? [y/n]

4. You're given the choice of running the migration preview script to see what changes will be made to your existing configuration files, or proceeding with the migration and upgrade right away.

5. If you choose to view the expected changes (select N), the script provides a list. You can scroll up to review the changes or look at them in $SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>. At the end of the list, you will see an error message, which you can ignore.
6. Press Enter to return to step 3 and finish your upgrade by typing Y.

Start Splunk

On Windows, Splunk is installed by default into \Program Files\Splunk

You can start and stop the following Splunk processes via the Windows Services Manager:

• Server daemon: splunkd
• Web interface: splunkweb

You can also start, stop, and restart both processes at once by going to \Program Files\Splunk\bin and typing

#  splunk.exe [start|stop|restart]

Note: If you do not select Start Splunk Services now, they will be set to manual startup and therefore will not start after a reboot. You must start them from the Windows Service Manager MMC, and optionally configure auto-start if you want them to start automatically at boot time.

Important: After upgrading, Splunk may start reading some files incorrectly as binaries. You can override this behavior in props.conf by adding NO_BINARY_CHECK = true to the source or sourcetype stanza.

Migration considerations

This topic discusses various issues and considerations you should review before upgrading to Splunk 3.3.
You should also review the Known Issues for additional information before you upgrade.

Bundles/configuration directory structure changed and renamed

Starting with version 3.3, Splunk's custom bundle directory structure and terminology have both changed. Bundles are now referred to as applications, and a new directory structure is in place. The existing directory structure and nomenclature will be supported in 3.3, but a switch to the new structure will be enforced in a future release. For detailed information about the new applications directory structure, refer to the documentation about configuration files.

Splunk provides a script for migrating your existing bundles directories to the new structure. Refer to these instructions for more information

Scripts in /splunk/bin are not saved

If you have configured an alert to call a script, that script resides in $SPLUNK_HOME/bin/scripts. Make a backup of these scripts and reinstate them after the upgrade.

Saved searches and search operators

Be aware of the following regarding saved searches:

• If the search contains fixed scheduling, and actually takes longer to run than the interval allows, the search will not work.
• If your search contains foo=bar and you have an indexed field configured from previous versions as foo::bar, your search will fail if bar isn't anywhere in the raw data of an event. Make saved searches that fail for this reason work by either:
  • adding or changing INDEXED = True or INDEXED_VALUE = False in the stanza for foo in fields.conf.
  • changing your search in the search bar by replacing foo=bar with foo::bar.
• Metadata commands like | admin or | metaevents are not supported, and will generate a warning.
• Some field names for Windows-specific deployments have been changed. Splunk provides a script for migrating your saved searches, refer to these instructions for more information.

Saved searches and prefs.conf references to "query" in context of the "admin" command no longer supported

If you have a saved search containing the admin command which also contains a reference to the query field, you must recreate your search so that it does not use query. The admin command now uses search instead of query.

Affected search examples:

| admin mysavedsearches | rename query AS term stanza as name
| admin mysavedsearches | top query

| admin mysavedsearches | rename stanza as name
| admin mysavedsearches | stats count(name)

Changes to indexes.conf

If you have made changes to the default values in indexes.conf, the configuration will not migrate. Make a backup of your changes and re-add them post-upgrade.

Must upgrade all instances of Splunk in a distributed environment

As mentioned in the Known Issues, you must upgrade all members of your distributed cluster to the same version.

Instances of Splunk deployment server must match clients

As mentioned in the Known Issues, if you are running Splunk's deployment server, you must upgrade the deployment server and all its clients to the same version. Splunk recommends that you upgrade your Splunk deployment server first, before you migrate your other Splunk instances.

If you are unable to migrate all clients at one time, you can set up two deployment servers, one for your new 3.3.x clients, and one for your 3.1.x clients. This way, you can move each client over to communicate with the 3.3.x deployment server as you are able to upgrade it.

Migrate your Windows saved searches to 3.3.x

Some Splunk terminology for Windows-specific field names has changed or been added starting in version 3.3. These changes were made to better reflect commonly-used Windows terminology. As a result, you must migrate any existing saved searches you created in 3.2.x to use the new terminology. Splunk provides a script for you to do this.
The script backs up any saved searches that appear to contain the deprecated terms, and converts them to use the new terminology.

• You have the option of seeing a preview of what the script will change when you run it.
• If you are deploying to multiple servers, perhaps using automation of some kind, you can also skip the 5 second pause Splunk introduces by default to let you read the informational text that is displayed when you run the script by hand.

Run the migration script

To run the migration script without seeing a preview and with the 5 second pause, from $SPLUNK_HOME, run:
./splunk migrate win-searches
Optional parameters:

• To see a preview of the changes Splunk will make, use -dry-run true (the default is false).
• To skip the 5 second pause, use -no-wait true (the default is false).

What has changed

The following field names are new:

• Category
• EventType
• Message

The following field names have changed:

• evtlog_category -> CategoryString
• evtlog_id -> EventCode
• evtlog_severity -> Type
• evtlog_account -> User
• evtlog_domain -> ComputerName
• evtlog_sid -> Sid
• evtlog_sid_type -> SidType

Migrate bundles to new application directory structure

Starting with version 3.3, Splunk's custom bundle directory structure and terminology have both changed. The existing directory structure and nomenclature will be supported in 3.3, but a switch to the new structure will be enforced in a future release. For detailed information about the new applications directory structure, refer to the documentation about configuration files.

Splunk provides a script for migrating your existing bundles directories to the new structure. This script is not run automatically, and can be run on a per-bundle/application basis. You must restart Splunk after you run the script, each time you run it.

Things to consider

• You must restart Splunk for changes to take effect.
• Some custom bundles may not work after migration; in particular, bundles that contain conf files or scripts that refer to hard-coded paths might break, since migration moves files around. Consider using relative paths for flexibility.

Run the migration script

./splunk migrate bundle [-name value]

To migrate a single bundle to the new structure, add -name [name of the bundle]. For example:
./splunk migrate bundle -name local
./splunk migrate bundle -name code
./splunk migrate bundle

Help

Getting Help

The most in-depth documentation for Splunk is within the set of manuals you're currently reviewing. However, you can also get help within Splunk Web and the command line interface.

Accessing help in Splunk Web

Click Help in Splunk Web to launch a set of help pages.

Accessing help in the command line (CLI)

From the command line on your Splunk Server host, type:

$SPLUNK_HOME/bin/splunk help 

How can I learn more about Splunk's advanced features?

The best way to explore advanced features is to take the tutorial

You can also explore the command line interface using its inline help. To get started, type:

$SPLUNK_HOME/bin/splunk help 

I lost my Splunk.com password. What do I do?

Use the recover password feature of the site to have your username and/or password emailed to the address on record.

How do I report problems?

Submit your issue with on our online case submission form or email us at support@splunk.com.

How can I make suggestions?

You can always send an email to our support team at support@splunk.com. Also check out our Live Roadmap where you can vote on upcoming features.

I have some questions that aren't answered here. Where can I get help?

Start with our Documentation.

For help from experienced Splunkers, come to our Wiki and check out what other people have done with their Splunk deployments.

For help -- yes, it's free! -- from the Splunk Support team, submit an online support case (you must be a registered user and log in to use this service). You can also use our IRC support channel. The channel name is #splunk on the EFnet IRC (irc.efnet.org) network.

Splunk customers with an enterprise license have additional premium support options. For full information on our support offerings, click here.

Reference

File Manifest

A complete inventory of the files and permissions that ship with your Splunk installation can be found in the root directory. For reference the manifest for each platform is available here:

• MacOS X / Intel
• MacOS X / PPC
• FreeBSD x86
• FreeBSD x86_64
• Linux / x86
• Linux / x86_64
• Solaris / x86_64
• Solaris / SPARC
• Solaris / x86

PGP Public Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)

mQGiBEbE21QRBADEMonUxCV2kQ2oxsJTjYXrYCWCtH5/OnmhK5lT2TQaE9QUTs+w
nM3sVInQqwRwBDH2qsHgqjJS0PIE867n+lVuk0gSVzS5SOlYzQjnSrisvyN452MF
2PgetHq8Lb884cPJnxR6xoFTHqOQueKEOXCovz1eVrjrjfpnmWKa/+5X8wCg/CJ7
pT7OXHFN4XOseVQabetEbWcEAIUaazF2i2x9QDJ+6twTAlX2oqAquqtBzJX5qaHn
OyRdBEU2g4ndiE3QAKybuq5f0UM7GXqdllihVUBatqafySfjlTBaMVzd4ttrDRpq
Wya4ppPMIWcnFG2CXf4+HuyTPgj2cry2oMBm2LMfGhxcqM5mpoyHqUiCn7591Ra/
J2/FA/0c2UAUh/eSiOn89I6FhFOicT5RPtRpxMoEM1Di15zJ7EXY+xBVF9rutqhR
5OI9kdHibYTwf4qjOOPOA7237N1by9GiXY/8s+rDWmSNKZB+xAaLyl7cDhYMv7CP
qFTutvE8BxTsF0MgRuzIHfJQE2quuxKJFs9lkSFGuZhvRuwRcrQgS2ltIFdhbGxh
Y2UgPHJlbGVhc2VAc3BsdW5rLmNvbT6IXgQTEQIAHgUCRsTbVAIbAwYLCQgHAwID
FQIDAxYCAQIeAQIXgAAKCRApYLH9ZT+xEhsPAKDimP8sdCr2ecPm8mre/8TK3Bha
pQCg3/xEickiRKKlpKnySUNLR/ZBh3m5Ag0ERsTbbRAIAIdfWiOBeCj8BqrcTXxm
6MMvdEkjdJCr4xmwaQpYmS4JKK/hJFfpyS8XUgHjBz/7zfR8Ipr2CU59Fy4vb5oU
HeOecK9ag5JFdG2i/VWH/vEJAMCkbN/6aWwhHt992PUZC7EHQ5ufRdxGGap8SPZT
iIKY0OrX6Km6usoVWMTYKNm/v7my8dJ2F46YJ7wIBF7arG/voMOg1Cbn7pCwCAtg
jOhgjdPXRJUEzZP3AfLIc3t5iq5n5FYLGAOpT7OIroM5AkgbVLfj+cjKaGD5UZW7
SO0akWhTbVHSCDJoZAGJrvJs5DHcEnCjVy9AJxTNMs9GOwWaixfyQ7jgMNWKHJp+
EyMAAwYH/RLNK0HHVSByPWnS2t5sXedIGAgm0fTHhVUCWQxN3knDIRMdkqDTnDKd
qcqYFsEljazI2kx1ZlWdUGmvU+Zb8FCH90ej8O6jdFLKJaq50/I/oY0+/+DRBZJG
3oKu/CK2NH2VnK1KLzAYnd2wZQAEja4O1CBV0hgutVf/ZxzDUAr/XqPHy5+EYg96
4Xz0PdZiZKOhJ5g4QjhhOL3jQwcBuyFbJADw8+Tsk8RJqZvHfuwPouVU+8F2vLJK
iF2HbKOUJvdH5GfFuk6o5V8nnir7xSrVj4abfP4xA6RVum3HtWoD7t//75gLcW77
kXDR8pmmnddm5VXnAuk+GTPGACj98+eISQQYEQIACQUCRsTbbQIbDAAKCRApYLH9
ZT+xEiVuAJ9INUCilkgXSNu9p27zxTZh1kL04QCg6YfWldq/MWPCwa1PgiHrVJng
p4s=
=Mz6T
-----END PGP PUBLIC KEY BLOCK-----

Installing the key

Copy and paste the key into a file. Install the key using:

rpm --import <filename>