Splunk Enterprise 6.0.

2
Installation Manual
Generated: 3/11/2014 2:55 pm
Copyright (c) 2014 Splunk Inc. All Rights Reserved
Table of Contents
Welcome to the Splunk Enterprise Installation Manual...................................1
What's in this manual................................................................................1
Plan your Splunk Enterprise installation...........................................................2
Installation overview..................................................................................2
System requirements.................................................................................3
Components of a Splunk Enterprise deployment....................................10
Estimate your storage requirements.......................................................12
Splunk architecture and processes.........................................................14
Information on Windows third-party binaries distributed with Splunk......17
Step-by-step installation instructions.......................................................19
Secure your Splunk Enterprise installation....................................................20
About securing Splunk............................................................................20
Secure your system before you install Splunk........................................20
Install Splunk securely............................................................................20
More ways to secure Splunk...................................................................21
Estimate hardware requirements.....................................................................23
Hardware capacity planning for your Splunk Enterprise deployment.......23
How incoming data affects Splunk Enterprise performance...................25
How indexed data impacts Splunk Enterprise performance...................26
How the number of concurrent users impacts Splunk Enterprise
performance.............................................................................................26
How saved searches affect Splunk Enterprise performance..................27
How search types impact Splunk Enterprise performance......................27
How Splunk apps affect Splunk Enterprise performance........................29
How Splunk Enterprise calculates disk storage......................................29
Reference hardware................................................................................30
Performance questionnaire.....................................................................33
Summary of performance recommendations..........................................35
Install Splunk Enterprise on Windows.............................................................37
Choose the Windows user Splunk Enterprise should run as...................37
Prepare your Windows network for a Splunk Enterprise installation
as a network or domain user....................................................................41
Install on Windows..................................................................................49
Install on Windows via the command line...............................................54
Correct the user selected during Windows installation............................62
i
Table of Contents
Install Splunk Enterprise on Unix, Linux or Mac OS X...................................64
Install on Linux........................................................................................64
Install on Solaris......................................................................................68
Install on Mac OS X................................................................................71
Install on FreeBSD..................................................................................76
Install on AIX...........................................................................................80
Install on HP-UX......................................................................................82
Run Splunk Enterprise as a different or non-root user............................84
Start using Splunk Enterprise..........................................................................87
Start Splunk for the first time...................................................................87
What happens next?................................................................................90
Learn about Splunk's accessibility..........................................................91
Install a Splunk Enterprise license...................................................................93
About Splunk licenses.............................................................................93
Install a license........................................................................................93
Upgrade or migrate Splunk Enterprise............................................................96
How to upgrade Splunk...........................................................................96
About Upgrading to 6.0 - READ THIS FIRST.........................................98
How Splunk Web procedures have changed from version 5 to
version 6.................................................................................................107
Changes for Splunk App developers.....................................................109
Upgrade to 6.0 on UNIX........................................................................114
Upgrade to 6.0 on Windows..................................................................117
Migrate a Splunk Enterprise instance...................................................119
Migrate to the new Splunk licenser.......................................................123
Uninstall Splunk Enterprise............................................................................126
Uninstall Splunk Enterprise...................................................................126
Reference..........................................................................................................130
PGP Public Key.....................................................................................130
ii
Welcome to the Splunk Enterprise
Installation Manual
What's in this manual
Use the Installation Manual to learn how to install Splunk Enterprise.
In this manual, you can find:
System requirements
Licensing information
Procedures for installing
Procedures for upgrading from a previous version
...and more.
Note: If you want to install the Splunk universal forwarder, read "Universal
forwarder deployment overview" in the Forwarding Data Manual. Unlike Splunk
heavy and light forwarders, which are full Splunk Enterprise instances with
some features changed or disabled, the universal forwarder is an entirely
separate executable, with its own set of installation procedures. For an
introduction to forwarders, see "About forwarding and receiving".
Find what you need
You can use the table of contents to the left of this panel, or simply search for
what you want in the search box in the upper right.
If you're interested in more specific scenarios and best practices, you can visit
the Splunk Community Wiki to see how other users Splunk IT.
Make a PDF
If you'd like a PDF of any version of this manual, click the red Download as PDF
link below the table of contents on the left side of this page. A PDF version of the
manual is generated on the fly for you, and you can save it or print it out to read
later.
1
Plan your Splunk Enterprise installation
Installation overview
This topic discusses the basic steps required to install Splunk Enterprise on a
computer. We strongly suggest that you read this topic and the contents of this
chapter first before performing an installation.
Installation basics
The following list provides general guidance on how to install Splunk:
1. Review the system requirements for installation. Specific additional
requirements might apply based on the operating system you install Splunk on,
and how you plan to use Splunk.
2. Read "Components of a Splunk deployment" to learn about the Splunk
Enterprise ecosystem, and "Splunk architecture and processes" to learn what the
Splunk installer puts on your computer.
3. Review this manual's chapter on securing your Splunk Enterprise instance
and, where appropriate, secure the server(s) on which you plan to install Splunk.
4. Download the correct installation package for your system from the Splunk
Enterprise download page.
5. Perform the installation using the step-by-step installation instructions for your
operating system.
6. If this is the first time you have installed Splunk Enterprise, you might want to
consider reading the Splunk Search Tutorial to learn how to index data into
Splunk and search that data using the Splunk Enterprise search language.
7. After you've installed Splunk Enterprise, you can calculate how much space
you need to index your data. Read "Estimate your storage requirements" for
additional information.
8. If you plan to run Splunk in a production environment, review "Hardware
capacity planning for your Splunk Enterprise deployment" in this manual for
insight into the amount of hardware a Splunk deployment requires.
2
Upgrading or migrating a Splunk instance?
If you're upgrading from an earlier version of Splunk Enterprise, read "How to
upgrade Splunk Enterprise" in this manual for information and specific
instructions. For tips on migrating from one specific version to another, read the
"READ THIS FIRST" topic for the version you want to upgrade to. This topic is in
the "Upgrade or Migrate Splunk Enterprise" chapter.
If you want to know how to migrate a Splunk Enterprise instance from one
system to another, read "Migrate a Splunk instance" in this manual.
System requirements
Before you download and install the Splunk software, read this topic to learn
which computing environments Splunk supports.
Refer to the download page for the latest version to download. Check the release
notes for details on known and resolved issues.
For a discussion of hardware planning for deployment, review "Hardware
capacity planning for your Splunk deployment" in this manual.
If you have ideas or requests for new features to add to future releases, get in
touch with Splunk Support. You can also review our product road map.
Supported OSes
Important: Read the following tables carefully when researching the system
requirements. Splunk availability has changed significantly from previous
versions.
The tables below list the computing platforms that Splunk is available for.
To find out whether or not Splunk is available for your platform:
1. Find the operating system you wish to install Splunk on in the left column.
2. Then, read across to find the appropriate computing architecture in the center
column that best matches your environment.
3
The tables show availability for two different types of Splunk, as shown in the two
columns on the right: Splunk Enterprise/Trial, and Splunk Universal
Forwarder. An 'x' in the box that intersects your computing platform and desired
Splunk type means that Splunk is available for that platform. An empty box
means that Splunk is not available for that platform.
Some boxes have characters in addition to - or instead of - an 'x'. Refer to the
bottom of the tables to find out what the additional characters represent.
Unix operating systems
Operating
system
Architecture Enterprise / Trial Universal Forwarder
Solaris 8* and 9
x86 (64-bit) x
SPARC x
x86 (32-bit) x*
Solaris 10 and
11*
x86 (64-bit) x* x*
SPARC x x
x86 (32-bit) x* x*
Linux, 2.4+ with
Native POSIX
Thread Library
x86 (64-bit)
x86 (32-bit) x
Linux, 2.6+
x86 (64-bit) x x
x86 (32-bit) x x
Linux, 3.0+
x86 (64-bit) x x
x86 (32-bit) x x
PowerLinux,
2.6+
PowerPC x
FreeBSD 7**, 8,
and 9
x86 (64-bit) x x
x86 (32-bit) x x
Mac OS X 10.7,
10.8, and 10.9
Intel x x
AIX 5.3 PowerPC x
AIX 6.1 and 7.1 PowerPC x x
Itanium x x
4
HP/UX? 11i v2
and 11i v3
PA-RISC x
* Solaris 8 does not support 64-bit Splunk installs. Also, Solaris 11 does not
support 32-bit Splunk installs.
** Be sure to read important notes on FreeBSD 7 below.
? You must use gnu tar to unpack the HP/UX installation archive.
Windows operating systems
The table below lists the Windows computing platforms that Splunk is available
for.
Operating
system
Architecture Enterprise / Trial Universal Forwarder
Windows Server
2003 and Server
2003 R2
x86 (64-bit) x x
x86 (32-bit) x*** x***
Windows Server
2008 and Server
2008 R2
x86 (64-bit) x x
x86 (32-bit) x*** x***
Windows Server
2012
x86 (64-bit) x x
Windows XP
x86 (64-bit) x
x86 (32-bit) x***
Windows Vista
x86 (64-bit) x
x86 (32-bit) x***
Windows 7
x86 (64-bit) x x
x86 (32-bit) x*** x***
Windows 8
x86 (64-bit) x x
x86 (32-bit) x x
*** This version of Splunk is supported but is not recommended on this platform
and architecture.
Splunk Enterprise is not available on this platform. However, Splunk Trial and
Splunk Universal Forwarder are available.
5
Operating system notes and additional information
Windows
Certain parts of Splunk on Windows require elevated user permissions to
function properly. For additional information about what is required, read the
following topics:
"Splunk architecture and processes" in this manual.
"Choose the user Splunk should run as" in this manual.
"Considerations for deciding how to monitor remote Windows data" in the
Getting Data In Manual.

FreeBSD 7.x
To run Splunk 6.x on 32-bit FreeBSD 7.x, install the compat6x libraries. Splunk
Support will supply "best effort" support for users running on FreeBSD 7.x. For
more information, refer to "Install Splunk on FreeBSD 7" in the Community Wiki.
Deprecated operating systems and features
As we continue to version the Splunk product, we gradually deprecate support of
older operating systems. Be sure to read "Deprecated features" in the Release
Notes for information on which platforms and features have been deprecated or
removed entirely.
Creating and editing configuration files on non-UTF-8 OSes
Splunk expects configuration files to be in ASCII or Universal Character Set
Transformation Format-8-bit (UTF-8) format. If you edit or create a configuration
file on an OS that does not use UTF-8 character set encoding, then you must
ensure that the editor you are using is configured to save in ASCII/UTF-8.
IPv6 platform support
All Splunk-supported OS platforms are supported for use with IPv6 configurations
except for the following:
AIX
HP/UX on PA-RISC architecture
Solaris 9
6
Refer to "Configure Splunk for IPv6" in the Admin Manual for details on Splunk
IPv6 support.
Supported browsers
Splunk supports the following browsers:
Firefox 10.x and latest
Internet Explorer 7, 8, 9, and 10
Safari (latest)
Chrome (latest)
You should also make sure you have the latest version of Adobe Flash installed
to render any charts that use options not supported by the JSChart module. For
more information about this subject, see "About JSChart" in the Splunk Data
Visualizations Manual.
Recommended hardware
Splunk is a high-performance application. If you are performing a comprehensive
evaluation of Splunk for production deployment, we recommend that you use
hardware typical of your production environment. This hardware should meet or
exceed the recommended hardware capacity specifications below.
For a discussion of hardware planning for production deployment, see
"Hardware capacity planning for your Splunk deployment" in this manual.
Splunk and virtual machines
If you run Splunk in a virtual machine (VM) on any platform, performance does
degrade. This is because virtualization works by abstracting the hardware on a
system into resource pools from which VMs defined on the system draw as
needed. Splunk needs sustained access to a number of resources, particularly
disk I/O, for indexing operations. Running Splunk in a VM or alongside other VMs
can cause reduced indexing performance.
Recommended and minimum hardware capacity
Platform
Recommended hardware
capacity/configuration
Minimum
supported
hardware
capacity
7
Non-Windows
platforms
2x six-core, 2+ GHz CPU, 12 GB RAM,
Redundant Array of Independent Disks
(RAID) 0 or 1+0, with a 64 bit OS installed.
1x1.4 GHz CPU,
1 GB RAM
Windows
platforms
2x six-core, 2+ GHz CPU, 12 GB RAM,
RAID 0 or 1+0, with a 64 bit OS installed.
Pentium 4 or
equivalent at 2
GHz, 2 GB RAM
Note: RAID 0 configurations do not provide fault-tolerance. Be certain that a
RAID 0 configuration meets your data reliability needs before deploying a Splunk
indexer on a system configured with RAID 0.
All configurations other than universal and light forwarder instances
require at least the recommended hardware configuration.

The minimum supported hardware guidelines are designed for personal
use of Splunk. The requirements for Splunk in a production environment
are significantly higher.

Important: For all installations, including forwarders, you must have a minimum
of 5 GB of hard disk space available in addition to the space required for any
indexes. Refer to "Estimate your storage requirements" in this manual for
additional information.
Hardware requirements for universal and light forwarders
Recommended Dual-core 1.5 GHz+ processor, 1 GB+ RAM
Minimum 1.0 Ghz processor, 512 MB RAM
Supported file systems
Platform File systems
Linux ext2/3/4, reiser3, XFS, NFS 3/4
Solaris UFS, ZFS, VXFS, NFS 3/4
FreeBSD FFS, UFS, NFS 3/4, ZFS
Mac OS X HFS, NFS 3/4
AIX JFS, JFS2, NFS 3/4
HP-UX VXFS, NFS 3/4
Windows NTFS, FAT32
Note: If you run Splunk on a filesystem that is not listed above, Splunk might run
a startup utility named locktest to test the viability of a filesystem for running
Splunk. Locktest is a program that tests the start up process. If locktest runs
8
and fails, then the filesystem is not suitable for running Splunk.
Considerations regarding file descriptor limits (FDs) on *nix systems
Splunk allocates file descriptors on *nix systems for actively monitored files,
forwarder connections, deployment clients, users running searches, and so on.
Usually, the default file descriptor limit (controlled by the ulimit command on a
*nix-based OS) is 1024. Your Splunk administrator should determine the correct
level, but it should be at least 8192. Even if Splunk allocates just a single file
descriptor for each of the activities above, it?s easy to see how a few hundred
files being monitored, a few hundred forwarders sending data, a handful of very
active users on top of reading/writing to/from the datastore can easily exhaust the
default setting.
The more tasks your Splunk instance is doing, the more FDs it will need, so you
should increase the ulimit value if you start to see your instance run into
problems with low FD limits.
For more information, read about ulimit in the Troubleshooting Manual.
This consideration is not applicable to Windows-based systems.
Considerations regarding Network File System (NFS)
When choosing to use Network File System (NFS) as a storage medium for
Splunk indexing, it is important to consider all of the ramifications of file level
storage.
Splunk strongly recommends that you use block level storage rather than file
level storage for indexing your data.
In environments with reliable, very high-bandwidth low-latency links, or with
vendors that provide high-availability, clustered network storage, NFS can be an
appropriate choice. However, customers who plan to choose this strategy should
work closely with their hardware vendor to confirm that the storage platform they
choose performs to the desired specification in terms of both performance and
data integrity.
If you choose to use NFS, note the following caveats:
Splunk does not support "soft" NFS mounts (mounts which cause a
program attempting a file operation on the mount to report an error and

9
continue in case of a failure).
Only "hard" NFS mounts - mounts where the client continues to attempt to
contact the server in case of a failure) are reliable with Splunk.

Do not disable attribute caching. If you have other applications which
require disabling or reducing attribute caching, then you must provide
Splunk a separate mount with attribute caching enabled.

Do not use NFS mounts over a wide area network (WAN). Doing so
causes performance issues and can potentially lead to data loss.

Considerations regarding solid state drives
Solid state drives (SSDs) deliver significant performance gains over conventional
hard drives for Splunk in "rare" searches - searches that request small sets of
results over large swaths of data - when used in combination with bloom filters.
They also deliver performance gains with concurrent searches overall.
Supported server hardware architectures
32 and 64-bit architectures are supported for some platforms. See the download
page for details.
Components of a Splunk Enterprise deployment
By using a single software component and easy to understand configurations,
Splunk Enterprise can coexist with existing infrastructure or be deployed as a
universal platform for accessing IT data.
The simplest deployment is the one you get by default when you install Splunk:
indexing and searching on the same server. You log into Splunk Web or the CLI
on the server and configure data inputs to collect machine data. You then use the
same server to search, monitor, alert, and report on the incoming data.
Depending on your needs, you can also deploy components of Splunk on
different servers to address your load and availability requirements. This section
introduces the types of components. For a more thorough introduction, see the
Distributed Deployment manual, particularly the topic, "Scale your deployment:
Splunk components".
10
Indexer
Splunk indexers provide indexing capability for local and remote data and host
the primary Splunk datastore. Refer to "How indexing works" in the Managing
Indexers and Clusters manual for more information.
Search head
A search head is a Splunk instance configured to distribute searches to indexers
(referred to as "search peers" in this context). Search heads can be either
dedicated or not, depending on whether they also perform indexing. Dedicated
search heads don't have any indexes of their own (other than the usual internal
indexes). Instead, they consolidate and display results that originate from remote
search peers.
See "What is distributed search" in the Distributed Search Manual to configure a
search head to search across a pool of indexers.
Forwarder
Forwarders are Splunk instances that forward data to remote indexers for
indexing and storage. In most cases, they do not index data themselves. Refer to
the "About forwarding and receiving" topic in the Forwarding Data manual.
Deployment server
A Splunk instance can also serve as a deployment server. The deployment
server is a tool for distributing configurations, apps, and content updates to
groups of Splunk Enterprise instances. You can use it to distribute updates to
most types of Splunk Enterprise components: forwarders, non-clustered
indexers, and search heads. Refer to "About deployment server and forwarder
management" in the Updating Splunk Enterprise Instances manual for additional
information.
Functions at a glance
Functions Indexer Search head Forwarder
Deployment
server
Indexing x
Web x
11
Direct search x
Forward to indexer x
Deploy
configurations
x x x
Index replication and clusters
A cluster is a group of indexers configured to replicate each others' data, so that
the system keeps multiple copies of all data. This process is known as index
replication. By maintaining multiple, identical copies of data, clusters prevent
data loss while promoting data availability for searching.
Splunk Enterprise clusters feature automatic failover from one indexer to the
next. This means that, if one or more indexers fail, incoming data continues to
get indexed and indexed data continues to be searchable.
Besides enhancing data availability, clusters have other key features that you
should consider when you're scaling a deployment. For example, they include a
capability to coordinate configuration updates easily across all indexers in the
cluster. They also include a built-in distributed search capability. For more
information on clusters, see "About clusters and index replication" in the
Managing Indexers and Clusters manual.
Estimate your storage requirements
This topic describes how to estimate the size of your Splunk Enterprise index, so
that you can plan your storage capacity requirements.
When Splunk Enterprise indexes your data, it creates two main types of files: the
"rawdata" file that contains the original data in compressed form and the index
files that point to this data. (It also creates a few metadata files, which don't
consume much space.) With a little experimentation, you can estimate how much
index disk space you will need for a given amount of incoming data.
Typically, the compressed rawdata file is 10% the size of the incoming,
pre-indexed raw data. The associated index files range in size from
approximately 10% to 110% of the rawdata file. The number of unique terms in
the data affect this value.
Depending on the data's characteristics, you might want to tune your
segmentation settings, as described in "About segmentation" in the Getting Data
12
In Manual.
The best way to get an idea of your space needs is to experiment by indexing a
representative sample of your data, and then checking the sizes of the resulting
directories in defaultdb.
On *nix systems, follow these steps
Once you've indexed your data sample:
1. Go to $SPLUNK_HOME/var/lib/splunk/defaultdb/db.
2. Run du -ch hot_v* and look at the last total line to see the size of the index.
On Windows systems, follow these steps
1. Download the du utility from Microsoft TechNet.
2. Extract du.exe from the downloaded ZIP file and place it into your
%SYSTEMROOT% or %WINDIR% folder.
Note: You can also place it anywhere in your %PATH%.
3. Open a command prompt.
4. Once there, go to %SPLUNK_HOME%\var\lib\splunk\defaultdb\db.
5. Run del %TEMP%\du.txt & for /d %i in (hot_v*) do du -q -u %i\rawdata
| findstr /b "Size:" >> %TEMP%\du.txt.
6. Open the %TEMP%\du.txt file. You will see Size: n, which is the size of each
rawdata directory found.
7. Add these numbers together to find out how large the compressed persisted
raw data is.
8. Next, run for /d %i in (hot_v*) do dir /s %i, the summary of which is the
size of the index.
9. Add this number to the total persistent raw data number.
This is the total size of the index and associated data for the sample you have
indexed. You can now use this to extrapolate the size requirements of your
13
Splunk index and rawdata directories over time.
Answers
Have questions? Visit Splunk Answers to see what questions and answers other
Splunk users had about data sizing.
Splunk architecture and processes
This topic discusses Splunk's internal architecture and processes at a high level.
If you're looking for information about third-party components used in Splunk,
refer to the credits section in the Release notes.
Processes
A Splunk server runs two processes (installed as services on Windows systems)
on your host, splunkd and splunkweb:
splunkd is a distributed C/C++ server that accesses, processes and
indexes streaming IT data. It also handles search requests. splunkd
processes and indexes your data by streaming it through a series of
pipelines, each made up of a series of processors.
Pipelines are single threads inside the splunkd process, each
configured with a single snippet of XML.

Processors are individual, reusable C or C++ functions that act on
the stream of IT data passing through a pipeline. Pipelines can
pass data to one another via queues. splunkd supports a
command line interface for searching and viewing results.


splunkweb is a Python-based application server based on CherryPy that
provides the Splunk Web user interface. It allows users to search and
navigate data stored by Splunk servers and to manage your Splunk
deployment through a Web interface.

splunkweb and splunkd can both communicate with your Web browser via
REpresentational State Transfer (REST):
splunkd also runs a Web server on port 8089 with SSL/HTTPS turned on
by default.

splunkweb runs a Web server on port 8000 without SSL/HTTPS by default.
14
On Windows systems, splunkweb.exe is a third-party, open-source executable
that Splunk renames from pythonservice.exe. Since it is a renamed file, it does
not contain the same file version information as other Splunk for Windows
binaries.
Read information on other Windows third-party binaries distributed with Splunk.
Splunk and Windows in Safe Mode
Neither the splunkd, the splunkweb, nor the SplunkForwarder services starts if
Windows is in Safe Mode. Additionally, if you attempt to start Splunk from the
Start Menu while in Safe Mode, Splunk does not alert you to the fact that its
services are not running.
Additional processes for Splunk on Windows
On Windows instances of Splunk, in addition to the two services described
above, there are additional processes that Splunk uses when you create specific
data inputs on a Splunk instance. These scripted inputs run when configured by
certain types of Windows-specific data input.
splunk.exe
splunk.exe is the control application for the Windows version of Splunk. It
provides the command line interface (CLI) for the program, and allows you to
start, stop, and configure Splunk, similar to the *nix splunk program.
Important: splunk.exe requires an elevated context to run because of how it
controls the splunkd and splunkweb processes. Splunk might not function
correctly if this executable is not given the appropriate permissions on your
Windows system. This is not an issue if you install Splunk as the Local System
user.
splunk-admon
splunk-admon.exe is spawned by splunkd whenever you configure an Active
Directory (AD) monitoring input. splunk-admon's purpose is to attach to the
nearest available AD domain controller and gather change events generated by
AD. Splunk then stores these events in the desired index.
15
splunk-perfmon
splunk-perfmon.exe runs when you configure Splunk to monitor performance
data on the local machine. This service attaches to the Performance Data Helper
libraries, which query the performance libraries on the system and extract
performance metrics both instantaneously and over time.
splunk-netmon
splunk-netmon (new for version 6.0) runs when you configure Splunk to monitor
Windows network information on the local machine.
splunk-regmon
splunk-regmon.exe runs when you configure a Registry monitoring input in
Splunk. This scripted input initially writes a baseline for the Registry as it
currently exists (if desired), then monitors changes to the Registry over time.
Those changes come back into Splunk as searchable events.
splunk-winevtlog
You can use this utility to test defined event log collections, and it outputs events
as they are collected for investigation. Splunk has a Windows event log input
processor built into the engine.
splunk-winhostmon
splunk-winhostmon (new for version 6.0) runs when you configure a Windows
host monitoring input in Splunk. This scripted input gets detailed information
about Windows hosts.
splunk-winprintmon
splunk-winprintmon (new for version 6.0) runs when you configure a Windows
print monitoring input in Splunk. This scripted input gets detailed information
about Windows printers and print jobs on the local system.
splunk-wmi
When you configure a performance monitoring, event log or other input against a
remote computer, this program starts up. Depending on how you configure the
input, either it attempts to attach to and read Windows event logs as they come
over the wire, or it executes a Windows Query Language (WQL) query against
16
the Windows Management Instrumentation (WMI) provider on the specified
remote machine(s). Splunk then stores the events.
Architecture diagram
Information on Windows third-party binaries
distributed with Splunk
This topic provides additional information on the third-party Windows binaries
that the Splunk Enterprise and the Splunk universal forwarder packages include.
For more information about Splunk's universal forwarder, read "Deploy the
universal forwarder" in the Forwarding Data Manual.
Third-party Windows binaries included with Splunk Enterprise
The following third-party Windows binaries ship with Splunk Enterprise. Except
where indicated, only the Splunk Enterprise product includes these binaries.
These binaries provide functionality to Splunk as shown in their individual
descriptions. None of them contains file version information or authenticode
signatures (certificates which prove the binary file's authenticity). Additionally,
Splunk does not provide support for debug symbols related to third-party
modules.
Note: Only the third party binaries, apps and scripts that ship with Splunk have
been tested for Certified for Windows Server 2008 R2 (CFW2008R2) Windows
Logo compliance. Any other binaries, apps, or scripts - such as those you
download from the Internet in the course of extending Splunk's capabilities - have
not been tested for this compliance.
17
Archive.dll
Libarchive.dll is a multi-format archive and compression library.
Both Splunk Enterprise and the Splunk universal forwarder include this binary.
Bzip2.exe
Bzip2 is a freely available, patent-free (see below), high-quality data compressor.
It typically compresses files to within 10% to 15% of the best available
techniques (the PPM family of statistical compressors), whilst being around twice
as fast at compression and six times faster at decompression.
Jsmin.exe
Jsmin.exe is an executable that removes whitespace and comments from
JavaScript files, reducing their size.
Libexslt.dll
Libexslt.dll is the Extensions to Extensible Stylesheet Language Transformation
(EXSLT) dynamic link C library developed for libxslt (a part of the GNOME
project).
Both Splunk Enterprise and the Splunk universal forwarder include this binary.
Libxml2.dll
Libxml2.dll is the Extensible Markup Language (XML) C parser and toolkit
developed for the GNOME project (but usable outside of the GNOME platform),
Both Splunk Enterprise and the Splunk universal forwarder include this binary.
Libxslt.dll
Libxslt.dll is the XML Stylesheet Language for Transformations (XSLT) dynamic
link C library developed for the GNOME project. XSLT itself is an XML language
to define transformation for XML. Libxslt is based on libxml2 the XML C library
developed for the GNOME project. It also implements most of the EXSLT set of
processor-portable extensions functions and some of Saxon's evaluate and
expressions extensions.
Both Splunk Enterprise and the Splunk universal forwarder include this binary.
18
Minigzip.exe
Minigzip.exe is the minimal implementation of the ?gzip? compression tool.
Openssl.exe
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and open source toolkit implementing the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography library.
Both Splunk Enterprise and the Splunk universal forwarder include this binary.
Python.exe
Python.exe is the Python programming language binary for Windows.
Pythoncom.dll
Pythoncom.dll is a module that encapsulates the Object Linking and Embedding
(OLE) automation API for Python.
Pywintypes27.dll
Pywintypes27.dll is a module that encapsulates Windows types for Python
version 2.7.
Step-by-step installation instructions
Now that you've learned what Splunk Enterprise is and what is needed to install
it, you can get detailed installation procedures for your operating system:
Windows
Windows (from the command line)
Linux
Solaris
Mac OS X
FreeBSD
AIX
HP-UX
19
Secure your Splunk Enterprise installation
About securing Splunk
As soon as you set up and begin using your new Splunk installation or upgrade,
you should perform a few additional steps to ensure that Splunk and your data
are secure. Taking the proper steps to secure Splunk reduces its attack surface
and mitigates the risk and impact of most vulnerabilities.
This chapter highlights some of the ways you can secure Splunk before, during,
and after installation. The Securing Splunk manual provides more detailed
information about the many ways you can or should secure Splunk.
Secure your system before you install Splunk
Before you even install Splunk, take a few steps to be sure that your operating
system is secure. Splunk strongly recommends hardening all Splunk server
operating systems.
If your organization does not have internal hardening standards, Splunk
recommends the CIS hardening benchmarks.

As a minimum, limit shell/command line access to your Splunk servers.
Secure physical access to all Splunk servers.
Ensure that Splunk end users practice sound physical and endpoint
security.

Install Splunk securely
Take the following steps when downloading and installing Splunk
Configure redundant Splunk instances, both indexing a copy of the same
data.

Verify your Splunk download using a hash function such as MD5 to
compare the hashes. For example:

./openssl dgst md5 <filename-splunk-downloaded.zip>
20
More ways to secure Splunk
Once you have Splunk installed, you can take more steps to secure your
configuration.
Configure user authentication and role-based access control
Set up users and use roles to control access. Splunk allows you to configure
users in three ways:
Splunk's own built-in system, described in "Set up user authentication with
Splunk's built-in system."

LDAP, described in "Set up user authentication with LDAP."
A scripted authentication API for use with an external authentication
system, such as PAM or RADIUS, described in "Set up user
authentication with external systems."

Once you've configured users you can assign roles that determine and control
capabilities and access levels. For more information about roles and capabilities,
read "About role-based user access."
Use SSL certificates to configure encryption and
authentication
Splunk comes with a set of default certificates and keys that, when enabled,
provide encryption and data compression. You can also use your own certificates
and keys to secure communications between your browser and Splunk Web as
well as data sent from forwarders to a receiver, such as an indexer.
For more information about securing Splunk communications with SSL, see
"About securing Splunk with SSL" in this manual.
Audit Splunk
Splunk includes audit features to allow you to track the reliability of your data. We
recommend that you explore some of the following ways you can audit Splunk.
Monitor Files and Directories
Audit Splunk activity
Cyrptographically sign audit events
21
Configure IT data block signing
About archive signing
Configure event hashing
Harden your Splunk installation
We also recommend you take the following steps to harden your Splunk
installation:
Deploy secure passwords across multiple servers
Use Splunk's Access Control Lists
Secure your service accounts
Disable unnecessary Splunk components
Secure Splunk on your network
22
Estimate hardware requirements
Hardware capacity planning for your Splunk
Enterprise deployment
Splunk Enterprise is a flexible product that meets almost any scale and
redundancy requirement in the course of its operation. Taking advantage of that
flexibility requires careful planning. This chapter discusses high level hardware
guidance for Splunk deployments and describes how Splunk uses hardware
resources in various situations.
Before deciding on your hardware outlay for Splunk:
1. Be sure to review "Components of a Splunk Enterprise deployment" in this
manual for a description of all of the elements of a Splunk installation.
2. Next, learn about the type of hardware that comprises a "single indexer" by
reading "Reference hardware."
3. Finally, read the remaining topics in this chapter to learn how Splunk
operations impact performance and how to maximize that performance.
Dimensions of a Splunk Enterprise deployment
In some cases, a single indexer can handle the load of both searching and
indexing.
There are scenarios where you must consider adding infrastructure to your
Splunk Enterprise deployment for maximum efficiency and performance. Below is
a list of things that significantly impact performance:
1. The amount of incoming data. The more data you send to Splunk, the more
time Splunk needs to index it into results that you can search, report and
generate alerts on.
2. The amount of indexed data. As the amount of data stored in an index goes
up, the server that indexes that data requires additional bandwidth both to store
the data and provide results for searches.
23
3. The number of concurrent users. If more than one person at a time uses an
instance of Splunk, that instance requires more resources for those users to do
searches and create reports and dashboards.
4. The number of saved searches. If you plan on running a lot of saved
searches, Splunk needs capacity to perform those searches promptly and
efficiently. The more saved searches you run in a given period of time, the more
resources are required.
5. The types of search you employ. Almost as important as the number of
saved searches is the types of search that you run against a Splunk system.
There are several different types of search, each of which affects how the
indexer responds to search requests.
6. Whether or not you run Splunk apps. Splunk apps and solutions can have
unique performance, deployment, and configuration considerations. If you plan
on running apps, make sure you consider the resource requirements of the
app(s) you are using. Refer to the installation and deployment section of your
app or solution's documentation for additional information. Additionally, read
"Hardware capacity planning for a distributed Splunk deployment" to learn how to
properly size your environment for an app's increased resource requirements.
How do these dimensions impact overall performance?
Follow the links above to determine how each of the dimensions impacts
performance on a reference indexer.
While these factors impact the basic sizing requirements of your Splunk
deployment on the whole, it's important to understand that addressing each of
them individually does not guarantee peak efficiency for your Splunk deployment.
You must discover how these factors correlate with one another in your specific
application in order to realize maximum performance.
For example, if your Splunk Enterprise deployment calls for a low amount of
indexing but has a high number of concurrent users, it has significantly different
resource needs than a setup with a low number of concurrent users and a high
amount of daily indexing volume. Additionally, as both user count and amount of
indexed data rise, you must distribute the environment across multiple servers to
maintain a similar performance level. Search types complicate matters further, as
some are bound by available CPU resources, and others are bound by the speed
of the disk subsystem.
24
When should I scale my Splunk Enterprise deployment?
To best answer this question you must understand how the above Splunk
deployment dimensions apply to your specific use case. Ask yourself these
questions, then refer to the performance questionnaire later in this chapter to
help ascertain when you should add more hardware resources:
How much data do you expect to index daily?
How much data do you need to retain?
How many users do you expect to search through the data at any one
time?

Do you plan to use certain specific searches more than once?
Do you want or need to use a Splunk app to present or manipulate your
data?

The key to a well-performing installation is to develop a plan early in the
deployment cycle to account for both your initial outlay of hardware resources, as
well as the addition of resources when the deployment scales up.
You can read about capacity planning for a distributed deployment at "Hardware
capacity planning for a distributed Splunk deployment" in the Distributed
Deployment manual.
How incoming data affects Splunk Enterprise
performance
This topic discusses how incoming data impacts indexing performance in Splunk
Enterprise.
A reference Splunk indexer can index a significant amount of data in a short
period of time - up to 5.8 MB of data per second - or 500 GB per day. This is if
the server is doing nothing else but consuming data.
Performance changes depending on the size and amount of incoming data.
Larger events slow down indexing performance. As events increase in size, the
indexer uses more system memory to process and index them.
If you need more indexing capacity than a single indexer can provide, you must
add indexers into the deployment to account for the increased demand.
25
How indexed data impacts Splunk Enterprise
performance
This topic discusses how data that has already been consumed by Splunk
Enterprise affects performance.
Once Splunk Enterprise consumes data and places it into indexes, those indexes
grow, taking up disk space. As the indexes grow and available disk space
decreases, Splunk takes more time to index incoming data because the indexer's
disk subsystem takes more time to find space to store the data.
This impacts search as well. On a single indexer, disk throughput splits between
indexing (which is ongoing) and search requests (which are interrupts based on
requests scheduled by users.) As indexes grow, search slows down because not
only does the disk subsystem need to account for search requests, it also needs
to handle increasingly longer requests to store incoming data. Depending on the
type of search, those kinds of requests can be very I/O-intensive.
How the number of concurrent users impacts
Splunk Enterprise performance
This topic discusses how the number of concurrent users impacts Splunk
Enterprise performance on a single indexer.
A reference indexer needs to dedicate one of its available CPU cores for every
user that logs into the system. This CPU core only handles the actual session
itself. When a user starts searching, each search request takes up an additional
CPU core, for as long as the search is active.
These figures assume that CPUs are idle when they receive a login or search
request. This does not account for other system requests, or CPU cores used by
Splunk to index data. If they're processing any other system requests, then the
load splits across other available CPUs.
As CPU cores get used up, all activities on an indexer slow down as the
computer splits processing time between indexing, search, and handling on-line
users. At that point, only additional indexers can increase capacity for all three
functions of Splunk operation.
26
How saved searches affect Splunk Enterprise
performance
This topic discusses how the number of saved searches - searches that you
save to use again at a later time - affect performance in Splunk Enterprise.
On a reference indexer, a saved search consumes about 1 CPU core and a
specified amount of memory while it executes. It also increases the amount of
disk I/O temporarily as the disk subsystem looks through the indexes to fetch the
desired data.
Each additional saved search that executes at the same time consumes an
additional CPU core. This consumption is separate from CPU usage from the
operating system and Splunk indexing and storage processes.
If more saved searches execute than can be accepted for processing, they will
queue. Splunk also warns you when the system reaches the maximum number
of saved searches. When searches queue, search results return more slowly.
Adding indexers and search heads provides additional CPU cores to run more
concurrent searches. Adding RAM to your existing machines helps with
concurrent searches but does not give you additional search capacity.
How search types impact Splunk Enterprise
performance
This topic discusses how the different types of search impact overall
performance on a single reference indexer.
There are four basic types of search that you can invoke against data stored in a
Splunk index. Each of these search types impacts the Splunk indexer in a
different way. The search types are:
Dense. A dense search is a search that returns a large percentage (10% or
more) of matching results for a given set of data in a given period of time. A
reference server should be able to fetch up to 50,000 matching events per
second for a dense search. Dense searches usually tax a server's CPU first,
because of the overhead required to decompress the raw data stored in a Splunk
index.
27
Sparse. Sparse searches return smaller numbers of results for a given set of
data in a given period of time (anywhere from .01 to 1%) than dense searches
do. A reference indexer should be able to fetch up to 5,000 matching events per
second when executing a sparse search.
Super-sparse. A super-sparse search is a "needle in the haystack" search that
retrieves only a very small number of results across the same set of data within
the same time period as the other searches. A super-sparse search is very I/O
intensive because the indexer must look through all of the buckets of an index to
find the desired results. This can take up to two seconds per searched bucket. If
you have a large amount of data stored on your indexer, there are a lot of
buckets, and a super-sparse search can take a very long time to complete.
Rare. Rare searches are like super-sparse searches in that they match just a
handful of results across a number of index buckets. The major difference with
rare searches is that bloom filters - data structures that test whether or not an
element is a member of a set - significantly reduce the number of buckets that
need to be searched by eliminating those buckets which do not contain events
that match the search request. This allows a rare search to complete anywhere
from 20 to 100 times faster than a super-sparse search, for the same amount of
data searched.
Summary
The following table summarizes the different search types. Note that for dense
and sparse searches, Splunk measures performance based on number of
matching events, while with super-sparse and rare searches, performance is
measured based on total indexed volume.
Search type Description Ref. indexer
throughput
Performance
impact
Dense
Dense searches return a large
percentage of results for a
given set of data in a given
period of time.
Up to 50,000
matching
events per
second
Generally
CPU-bound
Sparse
Sparse searches return a
smaller amount of results for a
given set of data in a given
period of time than dense
searches do.
Up to 5,000
matching
events per
second
Generally
CPU-bound
Super-sparse
28
Super-sparse searches return a
very small number of results
from each index bucket which
match the search. Depending
on how large the set of data is,
these types of search can take
a long period of time.
Up to 2
seconds per
index bucket
Primarily I/O
bound
Rare
Rare searches are similar to
super-sparse searches, but are
assisted by bloom filters which
help eliminate index buckets
that do not match the search
request. Rare searches return
results anywhere from 20 to
100 times faster than a
super-sparse search does.
From 10 to 50
index buckets
per second
Primarily I/O
bound
How Splunk apps affect Splunk Enterprise
performance
This topic discusses how Splunk apps impact overall Splunk Enterprise
performance on a single reference indexer.
While many apps can run on a single indexer - Splunk actually runs several
included with the product - the more things an app does, the more likely you must
distribute it across multiple machines.
Many apps require a distributed Splunk Enterprise deployment by design.
Whether it's a case of universal forwarders fetching data and sending it to a
single central instance, or many indexers and search heads connected together
and serving up reports, dashboards, or alerts, Splunk apps often need more than
one server to realize both maximum performance and potential in the enterprise.
How Splunk Enterprise calculates disk storage
This topic discusses how Splunk Enterprise calculates disk storage.
At a high level, Splunk calculates total disk storage as follows:
( Daily average indexing rate ) x ( retention policy ) x 1/2
29
If you want to base your calculation on the specific type(s) of data that Splunk will
index, you can use the method described in "Estimate your storage
requirements" in this manual.
Splunk Enterprise stores raw data at up to approximately half its original size due
to compression. On a volume that contains 500 GB of usable disk space, this
means you can store nearly 6 months' worth of data at an indexing rate of 5
GB/day, or 10 days' worth at a rate of 100 GB/day.
If you need additional storage, you can opt for either more local disks (required
for frequent searching) or attached or network storage (acceptable for occasional
searching). Low-latency connections over NFS or SMB/CIFS (Server Message
Block/Common Internet File System) are acceptable for searches over long time
periods where instant search returns can be compromised to lower cost per GB.
Important: Shares mounted over a Wide Area Network (WAN) connection or on
standby storage such as tape are never suitable storage choices for Splunk
operations.
Reference hardware
When sizing your Splunk Enterprise environment's hardware needs, a reference
machine helps you understand when it is time to scale and distribute the
deployment. Following is an example of such a machine. Refer to this
configuration as the standard for the remainder of this chapter.
The reference machine described below produces the following index and search
performance metrics for a given sample of data:
Indexing performance
Up to 5.8 megabytes per second (500 GB per day) of raw indexing
performance, provided no other Splunk activity is occurring.

Search performance
Up to 50,000 events per second for dense searches
Up to 5,000 events per second for sparse searches
Up to 2 seconds per index bucket for super-sparse searches
From 10 to 50 buckets per second for rare searches with bloom filters
30
To find out more about the types of searches and how they affect Splunk
Enterprise performance, read "How search types affect Splunk Enterprise
performance" in this manual.
Bare-metal hardware
Intel x86 64-bit chip architecture
2 CPUs, 6 cores per CPU (12 cores total), at least 2 Ghz per core
12 GB RAM
Standard 1 Gb Ethernet NIC, optional 2nd NIC for a management network
Standard 64-bit Linux or Windows distribution
Disk subsystem
The reference computer's disk subsystem should be capable of handling a high
number of averaged Input/Output Operations Per Second (IOPS).
IOPS are a measurement of how much data throughput a hard drive can
produce. Since a hard drive reads and writes at different speeds, there are IOPS
numbers for disk reads and writes. The average IOPS is the blend between
those two figures.
The more average IOPS a hard drive can produce, the more data it can index
and search in a given period of time. While many variable items factor into the
amount of IOPS that a hard drive can produce, the three most important
elements are:
its rotational speed (in revolutions per minute)
its average latency (the amount of time it takes to spin its platters half a
rotation)

its average seek time (the amount of time it takes to retrieve a requested
block of data.)

To get the most IOPS out of a hard drive, always choose those drives that have
high rotational speeds and low average latency and seek times. Every drive
manufacturer provides this information (and some provide much more).
For additional information on IOPS and how to calculate them, review the
following articles:
"Getting the hang of IOPS
(http://www.symantec.com/connect/articles/getting-hang-iops-v13) on
Symantec's Connect Community.

31
"Analyzing I/O performance in Linux
(http://www.cmdln.org/2010/04/22/analyzing-io-performance-in-linux) on
CMDLN.ORG (A sysadmin blog).

For this application, we use eight 146-gigabyte, 15,000 RPM serial-attached
SCSI (SAS) HDs in a Redundant Array of Independent Disks (RAID) 1+0 fault
tolerance scheme as the disk subsystem. Each hard drive is capable of about
200 average IOPS. The combined array produces a little over 800 IOPS.
Important: Splunk is often constrained by disk I/O first, so always consider disk
infrastructure first when specifying your hardware.
Virtual hardware
Splunk Enterprise performs fastest when deployed directly on to bare-metal
hardware, as described above. However, Splunk can and does deliver on virtual
equipment. What's more, we fully support deploying Splunk Enterprise on virtual
hardware.
Using the bare metal hardware as a baseline, Splunk Enterprise generally
indexes data about 30% slower on a virtual machine (VM) than it does on a
standard reference machine. Search performance is on par with the real-world
hardware.
This is a best-case scenario that does not account for resource contention with
other active VMs on the same physical server. It also does not take into account
certain vendor-specific I/O enhancement techniques (such as Direct I/O or Raw
Device Mapping).
Splunk Enterprise in the cloud
While you can run Splunk in the cloud, there are various concerns that you must
be aware of when doing so. In addition to the security concerns of running
Splunk in a public cloud, you must also note that performance degrades
significantly compared to bare-metal hardware. Using that benchmark as a
baseline again, Splunk indexing performance on a cloud-based computer is
roughly half that of a real one. Searching suffers, too - results return anywhere
from 15 to 20 percent slower than on a physical machine.
32
Performance questionnaire
Overview
This topic helps you make the choice on whether or not to distribute your Splunk
Enterprise deployment.
This questionnaire is for a single-server Splunk Enterprise deployment based on
the reference architecture described in "Reference hardware."
Determine when to scale your Splunk Enterprise deployment
Before you consider whether or not to scale, estimate how much data you need
to index, and whether or not you need more than one concurrent Splunk user to
search that data.
Depending on how much data you index and how many concurrent users you
require, you might need to scale your environment to multiple machines. Even if
your indexing amount and user count falls within the capabilities of a single
server, you might have to distribute your deployment based on the types of
searches you employ, and whether or not you use summary indexes.
If you want to run a Splunk app or solution in your Splunk environment, or you
create elements that generate a large number of saved searches, you might
have to distribute Splunk Enterprise components across a number of machines.
Question 1: Do you want to create or run a Splunk app, alert or solution
that executes a large number of saved searches (more than 8
concurrently)?
A saved search is a search that a user saves to make available for later use. The
number of saved searches - especially those run concurrently - directly impacts a
Splunk server's performance. If you answered "NO" to this question, then
proceed to Question 2. You don't need to consider scaling your Splunk
deployment to multiple machines just yet.
However, if you answered "YES" then you should scale your Splunk deployment
to multiple machines. Review detailed information on hardware capacity planning
for distributed Splunk deployments in "Hardware capacity planning for a
distributed Splunk Deployment" in the Distributed Deployment Manual.
33
Question 2: Do you need to index more than 2 GB of data per day?
Question 3: Do you need more than 2 users signed in at one time?
If the answer to both questions is "NO" then your Splunk Enterprise instance
can safely share one of the reference servers with other services, with the caveat
that Splunk must have sufficient disk I/O bandwidth on the shared machine.
If you answered "YES" to either question then proceed to Question 4.
Note: If you are deploying Splunk Enterprise on Windows, you must not share
full Splunk services on servers that run Microsoft Exchange, Active Directory
domain services, or machine virtualization software. This is because those
services are often very disk I/O intensive, and can dramatically reduce indexing
and search performance. Additionally, you must ensure that any anti-virus
software installed on the server does not scan the Splunk installation directory.
Question 4: Do you need to index more than 100 GB per day?
Question 5: Do you need more than 4 concurrent users?
If the answer to both questions is "NO" then a single dedicated Splunk server of
our reference architecture should be able to handle your workload.
Question 6: Do you need more than 500GB of total storage?
Read "How Splunk Enterprise calculates disk storage" to learn how Splunk
calculates disk storage.
If the answer to this question is "NO" then a single dedicated reference server
should be able to handle your workload, but you might need to add fast storage
to the system to account for the increased space usage.
If the answer to this question is "YES" then you should consider scaling your
deployment to additional indexers to cope with the increased demand of indexing
and searching.
Question 7: Do you need to search large quantities of data for a small set
(less than 1 per cent) of results?
Searches that cover large quantities of data and return small sets of results are
known as super-sparse searches. These searches require lots of disk I/O
because the indexer must search a number of buckets to find the data you're
34
looking for.
If the answer to this question is "NO" then you probably do not need to scale
your deployment. However, adding additional indexers does improve both
indexing and search performance.
If the answer to this question is "YES" then you should definitely consider scaling
your deployment up. Read the following section to determine how Splunk
Enterprise calculates storage.
Summary of performance recommendations
This topic summarizes the performance recommendations that were given in the
performance questionnaire. The table below shows the amount of reference
servers that are required to index and search data in Splunk Enterprise,
depending on the number of concurrent users and amounts of data that the
instance indexes.
As a reminder, the reference hardware is:
Intel x86 64-bit chip architecture
2 CPUs, 6 cores per CPU (12 cores total), at least 2 Ghz per core
12 GB RAM
Disk subsystem capable of producing 800 IOPS
Standard 1Gb Ethernet NIC, optional 2nd NIC for a management network
Standard 64-bit Linux or Windows distribution
For additional information about the reference server, read "Reference hardware"
in this manual.
Important: The figures shown in the table below only account for the reference
server in question performing a single task, such as either indexing or searching.
If a server is performing both actions at the same time, performance can and
does degrade depending on the amount of indexing and searching happening at
the time. The figures shown here are approximate guidelines only.
If you run Splunk apps, have higher indexing volumes, employ multiple or
I/O-heavy searches, or need more concurrent users than this table shows, then
you should scale your deployment as described in "Hardware capacity planning
for a distributed Splunk deployment" in the Distributed Deployment Manual.
If you need more guidance, contact Splunk.
35
Daily
Indexing
Volume
Number of
Concurrent Search
Users
Recommended
Indexers
Recommended
Search Heads
< 2 GB/day < 2 1, shared N/A
2 GB/day to
100 GB/day
up to 4 1, dedicated N/A
100 GB/day to
200 GB/day
up to 8 2 1
Note: For indexing requirements greater than 100 GB per day, or for additional
concurrent users, review "Hardware capacity planning for a distributed Splunk
deployment" in the Distributed Deployment Manual.
Answers
Have questions? Visit Splunk Answers to see what questions and answers other
Splunk users had about hardware and Splunk.
36
Install Splunk Enterprise on Windows
Choose the Windows user Splunk Enterprise
should run as
This topic discusses the steps you should take to choose which Windows user
Splunk Enterprise should run as when you install Splunk on Windows.
When you run the Windows Splunk Enterprise installer, it presents you with the
option to select the user that Splunk should run as. Splunk strongly recommends
you read this topic before installing in order to understand the ramifications of
choosing the user type.
This topic applies to all versions of Splunk, including Splunk Enterprise and the
Splunk universal forwarder. It applies to installing Splunk on Windows only.
The user you choose depends on what you want Splunk
Enterprise to monitor
The user Splunk Enterprise runs as determines what it can monitor. The Local
System user has access to all data on the local machine, but nothing else. A user
other than Local System has access to whatever data you want it to, but you
must give the user that access prior to installing Splunk.
If you already know that the computer you're installing Splunk on will not
access remote Windows data then you can proceed directly to "Install on
Windows" in this manual (or, if you want to install using the command prompt,
"Install on Windows via the command line.")
If there is a possibility that you will need to access remote Windows data,
or you are not sure, then read on - this topic contains important information
about the user you should install Splunk as.
About the "Local System user" and "other user" choices
The basics
The Windows Splunk Enterprise installer provides two ways to install Splunk: as
the "Local System" user, or as another existing user on your Windows computer
or network, which you designate.
37
If you intend to do any of the following with Splunk, then you must install Splunk
as an "other user":
read Event Logs remotely
collect performance counters remotely
read network shares for log files
enumerate the Active Directory schema using Active Directory monitoring
Note: This is not an all-inclusive list.
The user that you specify must, at a minimum:
Be a member of the Active Directory domain or forest you wish to monitor
(when using AD).

Be a member of the local Administrators group on the server you're
installing Splunk Enterprise on.

Have specific user security rights assigned to it prior to installing Splunk.
Read "Minimum permissions requirements" later in this topic for specific
information.

Caution: If the user does not have these minimum requirements satisfied,
Splunk Enterprise installation might fail. In this case, even if Splunk installation
succeeds, Splunk might not run correctly, or at all.
The user also has unique password constraints - read "Splunk user accounts and
password concerns" later in this topic for specifics.
If you're not sure which user Splunk Enterprise should run as, then review
"Considerations for deciding how to monitor remote Windows data" in the Getting
Data In Manual for additional information on how to configure the Splunk user
with the access it needs.
User accounts and password concerns
Another important issue that arises when you install Splunk Enterprise with a
user account is that any active password enforcement security policy controls the
password's validity. If your Windows server or network enforces password
changes, you must consider these things:
Before the password expires, change it, reconfigure Splunk Enterprise
services on every machine to use the changed password, and then restart
Splunk.

Configure the account so that its password never expires.
38
Use a managed service account (read "Use managed service accounts on
Windows Server 2008 and Windows 7" later in this topic).

Use managed service accounts on Windows Server 2008, Windows Server
2012 and Windows 7
If you run Windows Server 2008, Windows Server 2008 R2, Windows Server
2012, or Windows 7 in Active Directory, and your AD domain has at least one
Windows Server 2008 R2 or Server 2012 domain controller, you can install
Splunk Enterprise to run as a managed service account (MSA).
The major benefits of using a MSA are:
Increased security from the isolation of accounts for services.
Administrators no longer need to manage the credentials or administer the
accounts. This means that, among other things, passwords automatically
change after they expire, and you do not have to manually set passwords
or restart services associated with these accounts.

Administrators can delegate the administration of these accounts to
non-administrators.

Some important things to understand before installing Splunk with a MSA are:
The MSA requires the same permissions as a domain account on the
machine that runs Splunk.

The MSA must be a local administrator on the machine that runs Splunk.
You cannot use the same account on different computers, as you would
with a domain account.

You must correctly configure and install the MSA on the machine that runs
Splunk before you install Splunk on the machine. For information and
instructions on how to do this, review "Service Accounts Step-by-Step
Guide"
(http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx)
on MS Technet.

To install Splunk Enterprise using a MSA, read "Prepare your Windows network
for a Splunk Enterprise installation as a network or domain user" in this manual.
Security and remote access considerations
39
Minimum permissions requirements
If you choose to install Splunk as a domain user, then there are a minimum
number of permissions required on the server that runs Splunk.
The following is a list of the minimum user rights and permissions that the
splunkd, splunkweb, and splunkforwarder services require when Splunk is
installed using a domain user. Depending on the sources of data you want to
monitor, the Splunk user might need a significant amount of additional
permissions.
Required basic permissions for the splunkd or splunkforwarder services
Full control over Splunk's installation directory
Read access to any flat files you want to index
Required Local/Domain Security Policy user rights assignments for the splunkd or
splunkforwarder services
Permission to log on as a service
Permission to log on as a batch job
Permission to replace a process-level token
Permission to act as part of the operating system
Permission to bypass traverse checking
Important: Failure to assign these permissions to the Splunk user prior to
installation can result in a failed Splunk install, or an installation which does not
function correctly, or at all.
Required basic permissions for the splunkweb service
Full control over Splunk's installation directory
Required Local/Domain Security Policy user rights assignments for the splunkweb
service
Permission to log on as a service
Note: Splunk Enterprise does not require these permissions when it runs as the
Local System account.
40
How to assign these permissions
This section contains high-level concepts on how to assign the appropriate user
rights and permissions to the Splunk service account before attempting to install.
For step-by-step instructions, read "Prepare your Windows network for a Splunk
Enterprise installation as a network or domain user" in this manual.
Use Group Policy to assign rights to multiple machines
If you want to assign the policy settings shown above to a number of
workstations and servers in your AD domain or forest, you can define a Group
Policy object (GPO) with these specific rights, and deploy that GPO across the
domain. Read "Prepare your Windows network for a Splunk Enterprise
installation as a network or domain user" in this manual for specific instructions.
Once you've created and enabled the GPO, the workstations and servers in your
domain pick up the changes either during the next scheduled AD replication
cycle (usually every 1 1/2 to 2 hours) or at the next boot time. Alternatively, you
can force AD replication using the GPUPDATE command line utility on the server on
which you want to update Group Policy.
When setting user rights, remember that rights assigned by a GPO override
identical Local Security Policy rights on a machine, and you can't change this
setting. If you wish to retain previously existing rights that are explicitly defined
through Local Security Policy on a machine, you must also assign these rights
within the GPO.
Troubleshoot permissions issues
The rights described above are the rights that the splunkd, splunkweb, and
splunkforwarder services specifically require. Other rights might be needed,
depending on your usage and what data you want to access. Additionally, many
user rights assignments and other Group Policy restrictions can prevent Splunk
from running. If you have issues, consider using a tool such as Process Monitor
or GPRESULT to troubleshoot GPO application in your environment.
Prepare your Windows network for a Splunk
Enterprise installation as a network or domain user
The following procedures detail the steps you must take to prepare your
Windows network to allow for Splunk Enterprise installation as a network or
41
domain user other than the "Local System" user.
Important: Do not perform these instructions if you plan to install Splunk
Enterprise or universal forwarder as the "Local System" user.
The instructions shown here have been tested for Windows Server 2008 R2 and
Windows Server 2012, and might differ slightly for other versions of Windows.
Caution: These instructions require full administrative access to the
computer and/or Active Directory domain you want to prepare for Splunk
operations. Do not attempt to perform this procedure without this access.
Additionally, the rights you assign using these instructions are the minimum
rights required for a successful Splunk installation. You might need to assign
additional rights, either within the Local Security Policy or a Group Policy object
(GPO), or to the user and group accounts you create, in order for Splunk to
access the data you want.
Prepare Active Directory for Splunk installation as a domain
user
The following instructions guide you through preparing your Active Directory to
allow for installations of Splunk Enterprise or the Splunk universal forwarder as a
domain account.
Splunk recommends that you follow Microsoft's Best Practices
(http://technet.microsoft.com/en-us/library/bb727085.aspx) when creating users
and groups. This typically involves creating a specific Organizational Unit for
groups within the organization.
These instructions assume the following:
You are running Active Directory.
You are a domain administrator for the AD domain(s) you want to
configure.

The computer(s) you plan to install Splunk on are members of the AD
domain.

Create groups
1. Run the Active Directory Users and Computers tool by selecting Start >
Administrative Tools > Active Directory Users and Computers.
42
2. Once the program loads, select the domain that you want to prepare for
Splunk operations.
3. Double-click an existing appropriate container folder to open it, or create a new
Organization Unit by selecting New > Group from the Action menu.
4. From the Action menu, select New > Group.
5. In the dialog that appears, type in a name that represents Splunk user
accounts, for example, "Splunk Accounts".
Ensure that the Group scope is set to Domain Local, and Group type is
set to Security.
6. Click OK to create the group.
7. Create a second group and specify a name that represents Splunk-enabled
computers, for example, "Splunk Enabled Computers". This group will contain
computer accounts that get assigned the appropriate permissions to run Splunk
as a domain user.
Ensure that the Group scope is set to Domain Local, and Group type is
set to Security.
Assign users and computers to groups
If you have not already created the user account(s) that you want to use to run
Splunk, now is a good time to do so. Follow Microsoft's best practices for creating
users and groups if you do not have your own internal policy.
Once you have created the user account(s), add the account(s) to the Splunk
Accounts group, and add the computer accounts of the computers that will run
Splunk to the Splunk Enabled Computers group.
After you have done this, you can exit Active Directory Users and Computers.
Define a Group Policy object (GPO)
1. Run the Group Policy Management Console (GPMC) tool by selecting Start
> Administrative Tools > Group Policy Management.
2. In the tree view pane on the left, select Domains.
43
3. Click the Group Policy Objects folder.
4. In the Group Policy Objects in <your domain> folder, right-click and select
New from the menu that pops up.
5. In the New GPO dialog, type in a name that represents the fact that the GPO
will assign user rights to the servers you apply it to, for example, "Splunk
Access."
Leave the Source Starter GPO field set to "(none)".
6. Click OK to save the GPO.
Add rights to the GPO
1. While still in the GPMC, right-click on the newly created group policy object
and select Edit from the pop-up menu that appears.
2. In the Group Policy Management Editor that appears, in the left pane,
browse to Computer Configuration -> Policies -> Windows Settings ->
Security Settings -> Local Policies -> User Rights Assignment.
a. In the right pane, double-click on the Act as part of the operating
system entry.
b. In the window that opens, check the Define these policy settings
checkbox.
c. Click Add User or Group?
d. In the dialog that opens, click Browse?
e. In the Select Users, Computers, Service Accounts, or Groups
dialog that opens, type in the name of the "Splunk Accounts" group you
created earlier, then click Check Names?
Windows underlines the name if it is valid. Otherwise it tells you
that it cannot find the object and prompts you for an object name
again.
f. Click OK to close the "Select Users?" dialog.
g. Click OK again to close the "Add User or Group" dialog.
44
h. Click OK again to close the rights properties dialog.
3. Repeat Steps 2a-2h for the following additional rights:
Bypass traverse checking
Log on as a batch job
Log on as a service
Replace a process-level token
Change per-server Administrators group membership
The following steps restrict who is a member of the Administrators group on the
server(s) to which you apply this GPO.
Caution: Make sure to add all accounts that need access to the Administrators
group on each server to the Restricted Groups policy setting. Failure to do so can
cause you to lose administrative access to the servers to which you apply this
GPO!
1. While still in the Group Policy Management Editor window, in the left pane,
browse to Computer Configuration -> Policies -> Windows Settings ->
Security Settings -> Restricted Groups.
a. In the right pane, right-click and select Add Group? in the pop-up menu
that appears.
b. In the dialog that appears, type in Administrators and click OK.
c. In the properties dialog that appears, click the Add button next to
Members of this group:.
d. In the Add Member dialog that appears, click Browse?"
e. In the Select Users, Computers, Service Accounts, or Groups
dialog that opens, type in the name of the "Splunk Accounts" group you
created earlier, then click Check Names?
Windows underlines the name if it is valid. Otherwise it tells you
that it cannot find the object and prompts you for an object name
again.
f. Click OK to close the Select Users? dialog.
45
g. Click OK again to close the "Add User or Group" dialog.
h. Click OK again to close the group properties dialog.
2. Repeat Steps 1a-1h for the following additional users or groups:
Domain Admins
any additional users who need to be a member of the Administrators
group on every server to which you apply the GPO.

3. Close the Group Policy Management Editor window to save the GPO.
Restrict GPO application to select computers
1. While still in the GPMC, in the GPMC's left pane, select the GPO you created
and added rights to, if it is not already selected.
GPMC displays information about the GPO in the right pane.
2. In the right pane, under Security Filtering, click Add?
3. In the Select User, Computer, or Group dialog that appears, type in "Splunk
Enabled Computers" (or the name of the group that represents Splunk-enabled
computers that you created earlier.)
4. Click Check Names. If the group is valid, Windows underlines the name.
Otherwise, it tells you it cannot find the object and prompts you for an object
name again.
5. Click OK to return to the GPO information window.
6. Repeat Steps 2-5 to add the "Splunk Accounts" group (the group that
represents Splunk user accounts that you created earlier.)
7. Under Security Filtering, click the Authenticated Users entry to highlight it.
8. Click Remove.
GPMC removes the "Authenticated Users" entry from the "Security
Filtering" field, leaving only "Splunk Accounts" and "Splunk Enabled
Computers."
46
Apply the GPO
1. While still in the GPMC, in the GPMC's left pane, select the domain that you
want to apply the GPO you created.
2. Right click on the domain, and select Link an Existing GPO? in the menu that
pops up.
Note: If you only want the GPO to affect the OU that you created earlier, then
select the OU instead and right-click to bring up the pop-up menu.
3. In the Select GPO dialog that appears, select the GPO you created and
edited, and click OK. GPMC applies the GPO to the selected domain.
4. Close GPMC by selecting File > Exit from the GPMC menu.
Note: Active Directory controls when Group Policy updates occur and GPOs get
applied to computers in the domain. Typically, replication happens every 90-120
minutes. You must wait this amount of time before attempting to install Splunk as
a domain user. Alternatively, you can force a Group Policy update by running
GPUPDATE /FORCE from a command prompt on the computer on which you want to
update Group Policy.
Install Splunk with a managed system account
Alternatively, you can install Splunk with a managed system account. Follow
these instructions to do so:
1. Create and configure the MSA that you plan to use to monitor Windows data.
Note: You can use the instructions in "Prepare your Active Directory to run
Splunk services as a domain account" earlier in this topic to assign the MSA the
appropriate security policy rights and group memberships.
2. Install Splunk from the command line as the "Local System" user.
Important: You must install Splunk from the command line and use the
LAUNCHSPLUNK=0 flag to keep Splunk from starting after installation is completed.
3. After installation is complete, use the Windows Explorer or the ICACLS
command line utility to grant the MSA "Full Control" permissions to the Splunk
installation directory and all its sub-directories.
47
Note: You might need to break NTFS permission inheritance from parent
directories above the Splunk installation directory and explicitly assign
permissions from that directory and all subdirectories.
4. Follow the instructions in the topic "Correct the user selected during Windows
installation" in this manual to change the default user for Splunk's service
account. In this instance, the correct user is the MSA you configured prior to
installing Splunk.
Important: You must append a dollar sign ($) to the end of the username when
completing Step 4 in order for the MSA to work properly. For example, if the MSA
is SPLUNKDOCS\splunk1, then you must enter SPLUNKDOCS\splunk1$ in the
appropriate field in the properties dialog for the service. You must do this for both
the splunkd and splunkweb services.
5. Confirm that the MSA has the "Log on as a service" right.
Note: If you use the Services control panel to make the service account
changes, Windows grants this right to the MSA automatically.
6. Start Splunk. Splunk will run as the MSA configured above, and will have
access to all data that the MSA has access to.
Prepare a local machine or non-AD network for Splunk
installation
If you are not using Active Directory, follow these instructions to give
administrative access to the user you want Splunk to run as on the computers
you want to install Splunk on.
1. Give the user Splunk should run as administrator rights by adding the user to
the local Administrators group.
2. Start Local Security Policy by selecting Start > Administrative Tools > Local
Security Policy.
Local Security Policy launches and displays the local security settings.
3. In the left pane, expand Local Policies and then click User Rights
Assignment.
48
a. In the right pane, double-click on the Act as part of the operating
system entry.
b. Click Add User or Group?
c. In the dialog that opens, click Browse?
d. In the Select Users, Computers, Service Accounts, or Groups
dialog that opens, type in the name of the "Splunk Computers" group you
created earlier, then click Check Names...
Windows underlines the name if it is valid. Otherwise it tells you
that it cannot find the object and prompts you for an object name
again.
e. Click OK to close the "Select Users?" dialog.
f. Click OK again to close the "Add User or Group" dialog.
g. Click OK again to close the rights properties dialog.
4. Repeat Steps 3a-3g for the following additional rights:
Bypass traverse checking
Log on as a batch job
Log on as a service
Replace a process-level token
Once you have completed these steps, you can then install Splunk as the
desired user.
Install on Windows
This topic describes the procedure for installing Splunk Enterprise on Windows
with the Graphical User Interface (GUI)-based installer. More options (such as
silent installation) are available if you install from the command line.
Important: Running the 32-bit version of Splunk for Windows on a 64-bit
Windows system is not recommended. If you attempt to run the 32-bit installer on
a 64-bit system, the installer will warn you of this.
49
We strongly recommend that you run 64-bit Splunk on 64-bit hardware. The
performance is greatly improved over the 32-bit version.
Note: If you want to install the Splunk universal forwarder, see the Forwarding
Data manual: "Universal forwarder deployment overview". Unlike Splunk
Enterprise heavy and light forwarders, which are full Splunk instances with
some features changed or disabled, the universal forwarder is an entirely
separate executable, with its own set of installation procedures. For an
introduction to forwarders, see "About forwarding and receiving", also in the
Forwarding Data Manual.
Upgrading?
If you are upgrading Splunk Enterprise, review "How to upgrade Splunk" for
instructions and migration considerations before proceeding.
In particular, be aware that Splunk does not support changing the management
or HTTP ports during an upgrade.
Before you install
Choose the Windows user Splunk should run as
Before installing, be sure to read "Choose the Windows user Splunk should run
as" to determine which user account Splunk should run as to address your
specific needs. The user you choose has specific ramifications on what you need
to do prior to installing the software, and more details can be found there.
Splunk for Windows and anti-virus software
Splunk's indexing subsystem requires lots of disk throughput. Any software with a
device driver that intermediates between Splunk and the operating system can
rob Splunk of processing power, causing slowness and even an unresponsive
system. This includes anti-virus software.
It's extremely important to configure such software to avoid on-access scanning
of Splunk installation directories and processes, before starting a Splunk
installation.
Install Splunk via the GUI installer
The Windows installer is an MSI file.
50
1. To start the installer, double-click the splunk.msi file.
The installer runs and displays the Welcome panel.
2. To begin the installation, click Next.
Note: On each panel, you can click Next to continue, Back to go back a step, or
Cancel to cancel the installation and quit the installer.
The installer displays the licensing panel.
3. Read the licensing agreement and select "I accept the terms in the license
agreement". Click Next to continue installing.
The installer displays the Destination Folder panel.
Note: By default, Splunk gets installed into \Program Files\Splunk on the
system drive. The Splunk Enterprise installation directory is referred to as
$SPLUNK_HOME or %SPLUNK_HOME% throughout this documentation set.
4. Click Change... to specify a different location to install Splunk, or click Next to
accept the default value.
The installer displays the Logon Information panel.
Splunk installs and runs two Windows services, splunkd and splunkweb. These
services install and run as the user you specify on this panel. You can choose to
run Splunk as the Local System user, or another user.
Important: If you choose to run Splunk as another user, that user must:
Be a member of an Active Directory domain (you cannot install Splunk as
a local machine account other than the Local System account)

Have local administrator privileges on the machine which you are
performing the installation, and

Have specific user rights, and other additional permissions, depending on
the kinds of data you want to collect from remote machines.

Read "Choose the Windows user Splunk Enterprise should run as" for additional
information on these permissions and rights requirements.
If you have not read the above linked topic beforehand, then stop the
installation now and read that topic first.
51
5. Select a user type and click Next.
If you selected the Local System user, proceed to Step 7. Otherwise, the installer
displays the Logon Information: specify a username and password panel.
6. Specify a username and password to install and run Splunk and click Next.
Note: This must be a valid user in your security context, and must be an active
member of an Active Directory domain. Splunk must run under either the Local
System account or a valid user account with a valid password and local
administrator privileges.
The installer displays the installation summary panel.
7. Click Install to proceed.
The installer runs and displays the Installation Complete panel.
Caution: If you specified the wrong user during the installation procedure, you
will see two pop-up error windows explaining this. If this occurs, Splunk installs
itself as the local system user by default. Splunk does not start automatically in
this situation. You can proceed through the final panel of the installation, but
uncheck the "Launch browser with Splunk" checkbox to prevent your browser
from launching. Then, use these instructions to switch to the correct user before
starting Splunk.
8. If desired, check the boxes to Launch browser with Splunk and Create Start
Menu Shortcut now. Click Finish.
The installation completes, Splunk Enterprise starts, and Splunk Web launches in
a supported browser if you checked the appropriate box.
Note: The first time you access Splunk Web after installation, login with the
default username admin and password changeme. Do not use the username and
password you provided during the installation process.
Launch Splunk in a Web browser
To access Splunk Web after you start Splunk on your machine, you can either:
Click the Splunk icon in Start > Programs > Splunk
or
52
Open a Web browser and navigate to http://localhost:8000.
Log in using the default credentials: username: admin and password: changeme.
The first time you log into Splunk successfully, it prompts you right away to
change your password. You can do so by entering a new password and clicking
the Change password button, or you can do it later by clicking the Skip button.
Note: If you do not change your password, remember that anyone who has
access to the machine and knows the default password can access your Splunk
instance. Be sure to change the admin password as soon as possible and make
a note of what you changed it to.
Avoid IE Enhanced Security pop-ups
If you're using Internet Explorer to access Splunk Web, add the following URLs to
the allowed Intranet group or fully trusted group to avoid getting "Enhanced
Security" pop-ups:
quickdraw.splunk.com

the URL of your Splunk instance
Change the Splunk Web or splunkd service ports
If you want the Splunk Web service or the splunkd service to use a different port,
you can change the defaults.
To change the splunk web service port:
Open a command prompt.
Change to the %SPLUNK_HOME%\bin directory.
Type in splunk set web-port #### and press Enter.
To change the splunkd port:
Open a command prompt, if one isn't already.
Change to the %SPLUNK_HOME%\bin directory.
Type in splunk set splunkd-port #### and press Enter.
Note: If you specify a port and that port is not available, or if the default port is
unavailable, Splunk will automatically select the next available port.
53
Install or upgrade license
If you are performing a new installation of Splunk or switching from one license
type to another, you must install or update your license.
What's next?
Now that you've installed Splunk Enterprise, you can find out what comes next,
or you can review these topics in the Getting Data In Manual for information on
adding Windows data to Splunk:
Monitor Windows Event Log data
Monitor Windows Registry data
Monitor WMI-based data
Considerations for deciding how to monitor remote Windows data.
Install on Windows via the command line
This topic describes the procedure for installing Splunk Enterprise on Windows
from the command line. Before installing, be sure to read "Choose the Windows
user Splunk should run as" to determine which user account Splunk should run
as to address your specific needs.
Important: Running the 32-bit version of Splunk for Windows on a 64-bit
Windows system is not recommended. If you run the 32-bit installer on a 64-bit
system, the installer will warn you about this.
We strongly recommend that you run 64-bit Splunk on 64-bit hardware. The
performance is greatly improved over the 32-bit version.
Note: If you want to install the Splunk universal forwarder, see the Forwarding
Data manual: "Universal forwarder deployment overview". Unlike Splunk
Enterprise heavy and light forwarders, which are full Splunk instances with
some features changed or disabled, the universal forwarder is an entirely
separate executable, with its own set of installation procedures. For an
introduction to forwarders, see "About forwarding and receiving", also in the
Forwarding Data Manual.
54
When to install from the command line?
You can manually install Splunk Enterprise on individual machines from a
command prompt or PowerShell window. Here are some scenarios where
installing from the command line is useful:
You want to install Splunk, but don't want it to start right away.
You want to automate installation of Splunk with a script.
You want to install Splunk on a system that you will clone later.
You want to use a deployment tool such as Group Policy or System
Center Configuration Manager.

Upgrading?
If you are upgrading, review "How to upgrade Splunk" for instructions and
migration considerations before proceeding.
In particular, be aware that Splunk does not support changing the management
or HTTP ports during an upgrade.
Before you install
Choose the Windows user Splunk Enterprise should run as
Before installing, be sure to read "Choose the Windows user Splunk should run
as" to determine which user account Splunk should run as to address your
specific data collection needs. The user you choose has specific ramifications on
what you need to do prior to installing the software, and more details can be
found there.
Splunk for Windows and anti-virus software
The Splunk Enterprise indexing subsystem requires lots of disk throughput.
Anti-virus software - or any software with a device driver that intermediates
between Splunk and the operating system - can rob Splunk of processing power,
causing slowness and even an unresponsive system.
It's extremely important to configure such software to avoid on-access scanning
of Splunk Enterprise installation directories and processes, before starting a
Splunk installation.
55
Install Splunk Enterprise from the command line
You can install Splunk Enterprise from the command line by invoking
msiexec.exe.
For 32-bit platforms, use splunk-<...>-x86-release.msi:
msiexec.exe /i splunk-<...>-x86-release.msi [<flag>]... [/quiet]
For 64-bit platforms, use splunku-<...>-x64-release.msi:
msiexec.exe /i splunk-<...>-x64-release.msi [<flag>]... [/quiet]
The value of <...> varies according to the particular release; for example,
splunk-5.0-125454-x64-release.msi.
Command line flags allow you to configure Splunk Enterprise at installation time.
Using command line flags, you can specify a number of settings, including:
Which Windows event logs to index.
Which Windows Registry hive(s) to monitor.
Which Windows Management Instrumentation (WMI) data to collect.
The user Splunk Enterprise runs as (Important: Read "Choose the
Windows user Splunk should run as" for information on what type of user
you should install your Splunk instance with.)

An included application configuration for Splunk to enable (such as the
Splunk light forwarder.)

Whether or not Splunk should start up automatically when the installation
is completed.

Note: The first time you access Splunk Web after installation, log in with the
default username admin and password changeme.
Supported flags
The following is a list of the flags you can use when installing Splunk for
Windows via the command line.
Important: The Splunk universal forwarder is a separate executable, with its own
installation flags. Review the supported installation flags for the universal
forwarder in "Deploy a Windows universal forwarder from the command line" in
56
the Forwarding Data manual.
Flag What it's for Default
AGREETOLICENSE=Yes|No
Use this flag to agree to the EULA. This
flag must be set to Yes for a silent
installation.
No
INSTALLDIR="<directory_path>"
Use this flag to specify directory to
install. Splunk's installation directory is
referred to as $SPLUNK_HOME or
%SPLUNK_HOME% throughout this
documentation set.
C:\Program
Files\Splunk
SPLUNKD_PORT=<port number>
Use these flags to specify alternate
ports for splunkd and splunkweb to use.
Note: If you specify a port and that port
is not available, Splunk will
automatically select the next available
port.
8089
WEB_PORT=<port number>
Use these flags to specify alternate
ports for splunkd and splunkweb to use.
Note: If you specify a port and that port
is not available, Splunk will
automatically select the next available
port.
8000
WINEVENTLOG_APP_ENABLE=1/0
WINEVENTLOG_SEC_ENABLE=1/0
WINEVENTLOG_SYS_ENABLE=1/0
WINEVENTLOG_FWD_ENABLE=1/0
WINEVENTLOG_SET_ENABLE=1/0
Use these flags to specify whether or
not Splunk should index a particular
Windows event log:
Application log
Security log
System log
Forwarder log
Setup log
Note: You can specify multiple flags.
0 (off)
57
REGISTRYCHECK_U=1/0
REGISTRYCHECK_BASELINE_U=1/0
Use this flag to specify whether or not
Splunk should
index events from
capture a baseline snapshot of
the Windows Registry user hive
(HKEY_CURRENT_USER).
Note: You can set both of these at the
same time.
0 (off)
REGISTRYCHECK_LM=1/0
REGISTRYCHECK_BASELINE_LM=1/0
Use this flag to specify whether or not
Splunk should
index events from
capture a baseline snapshot of
the Windows Registry machine hive
(HKEY_LOCAL_MACHINE).
Note: You can set both of these at the
same time.
0 (off)
WMICHECK_CPUTIME=1/0
WMICHECK_LOCALDISK=1/0
WMICHECK_FREEDISK=1/0
WMICHECK_MEMORY=1/0
Use these flags to specify which
popular WMI-based performance
metrics Splunk should index:
CPU usage
Local disk usage
Free disk space
Memory statistics
Caution: If you need this instance of
Splunk to monitor remote Windows
data, then you must also specify the
LOGON_USERNAME and LOGON_PASSWORD
installation flags. Splunk can not collect
any remote data that it does not have
0 (off)
58
explicit access to. Additionally, the user
you specify requires specific rights,
administrative privileges, and additional
permissions, which you must configure
before installation. Read "Choose the
Windows user Splunk should run as" in
this manual for additional information
about the required credentials.
There are many more WMI-based
metrics that Splunk can index. Review
"Monitor WMI Data" in the Getting Data
In Manual for specific information.
LOGON_USERNAME="<domain\username>"
LOGON_PASSWORD="<pass>"
Use these flags to provide
domain\username and password
information for the user that Splunk will
run as. The splunkd and splunkweb
services are configured with these
credentials. For the LOGON_USERNAME
flag, you must specify the domain with
the username in the format
"domain\username."
These flags are required if you want
this Splunk Enterprise installation to
monitor any remote data. Review
"Choose the Windows user Splunk
should run as" in this manual for
additional information about which
credentials to use.
none
SPLUNK_APP="<SplunkApp>"
Use this flag to specify an included
Splunk application configuration to
enable for this installation of Splunk.
Currently supported options for
<SplunkApp> are:
SplunkLightForwarder and
SplunkForwarder. These specify that
this instance of Splunk will function as a
light forwarder or heavy forwarder,
respectively. Refer to the "About
forwarding and receiving" topic in the
Forwarding Data manual for more
none
59
information.
Important: The full version of Splunk
does not enable the universal
forwarder. The universal forwarder is a
separate downloadable executable,
with its own installation flags.
Note: If you specify either the Splunk
forwarder or light forwarder here, you
must also specify
FORWARD_SERVER="<server:port>".
To install Splunk Enterprise with no
applications at all, simply omit this flag.
FORWARD_SERVER="<server:port>"
Use this flag *only* when you are also
using the SPLUNK_APP flag to enable
either the Splunk heavy or light
forwarder. Specify the server and port
of the Splunk server to which this
forwarder will send data.
Important: This flag requires that the
SPLUNK_APP flag also be set.
none
DEPLOYMENT_SERVER="<host:port>"
Use this flag to specify a deployment
server for pushing configuration
updates. Enter the deployment server's
name (hostname or IP address) and
port.
none
LAUNCHSPLUNK=0/1
Use this flag to specify whether or not
Splunk should start up automatically on
system boot.
Important: If you enable the Splunk
Forwarder by using the SPLUNK_APP flag,
the installer configures Splunk to start
automatically, and ignores this flag.
1 (on)
INSTALL_SHORTCUT=0/1
Use this flag to specify whether or not
the installer should create a shortcut to
Splunk on the desktop and in the Start
Menu.
1 (on)
60
Silent installation
To run the installation silently, add /quiet to the end of your installation
command string. If your system is running UAC (which is sometimes on by
default) you must run the installation as Administrator. To do this: when opening
a cmd prompt, right click and select "Run As Administrator". Then use this cmd
window to run the silent install command.
Examples
The following are some examples of using different flags.
Silently install Splunk Enterprise to run as the Local System user
msiexec.exe /i Splunk.msi /quiet
Enable SplunkForwarder and specify credentials for the user Splunk
Enterprise will run as
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder"
FORWARD_SERVER="<server:port>" LOGON_USERNAME="AD\splunk"
LOGON_PASSWORD="splunk123"
Enable SplunkForwarder, enable indexing of the Windows System event
log, and run the installer in silent mode
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder"
FORWARD_SERVER="<server:port>" WINEVENTLOG_SYS_ENABLE=1 /quiet
Where "<server:port>" are the server and port of the Splunk server to which
this machine should send data.
Launch Splunk in a Web browser
To access Splunk Web after you start Splunk on your machine, you can either:
Click the Splunk icon in Start>Programs>Splunk
or
Open a Web browser and navigate to http://localhost:8000.
61
Log in using the default credentials: username: admin and password: changeme .
Be sure to change the admin password as soon as possible and make a note of
what you changed it to.
Avoid IE Enhanced Security pop-ups
To avoid IE Enhanced Security pop-ups, add the following URLs to the allowed
Intranet group or fully trusted group in IE:
quickdraw.splunk.com
the URL of your Splunk instance
Install or upgrade license
If you are performing a new installation of Splunk or switching from one license
type to another, you must install or update your license.
What's next?
Now that you've installed Splunk Enterprise, what comes next?
You can also review this topic about considerations for deciding how to monitor
Windows data in the Getting Data In manual.
Correct the user selected during Windows
installation
If you have selected "other user" during the Splunk Enterprise installation, and
that user does not exist or perhaps you mistyped the information, you can go into
the Windows Service Control Manager and specify the correct information, as
long as you have not started Splunk yet. If you have started Splunk, you must
stop it, uninstall it and reinstall it.
If you specified an invalid user during the Windows GUI installation process, you
will see two popup error windows.
To change the user:
1. In Control Panel > Administrative Tools > Services, find the splunkd and
splunkweb services. You'll notice that they are not started and are currently
62
owned by the Local System User.
2. Right click on each service and choose Properties. The properties dialog for
that service is displayed.
3. Select the Log On tab.
4. Select the This account radio button and fill in the correct domain\username
and password.
5. Click Apply.
6. Click OK.
7. Repeat Steps 2 through 6 for the second service (you must do this for both
splunkd and splunkweb).
8. You can now either start both services from the Service Manager or from the
Splunk command line interface.
63
Install Splunk Enterprise on Unix, Linux or
Mac OS X
Install on Linux
You can install Splunk Enterprise on Linux using RPM or DEB packages, or a tar
file.
Note: If you want to install the Splunk universal forwarder, see the Forwarding
Data manual: "Universal forwarder deployment overview". Unlike Splunk heavy
and light forwarders, which are full Splunk instances with some features
changed or disabled, the universal forwarder is an entirely separate executable,
with its own set of installation procedures. For an introduction to forwarders, see
"About forwarding and receiving".
Upgrading?
If you are upgrading, review "How to upgrade Splunk" for instructions and
migration considerations before proceeding.
Tar file install
To install Splunk Enterprise on a Linux system, expand the tar file into an
appropriate directory using the tar command:
tar xvzf splunk_package_name.tgz
The default install directory is splunk in the current working directory. To install
into /opt/splunk, use the following command:
tar xvzf splunk_package_name.tgz -C /opt
Note: When you install Splunk Enterprise with a tar file:
Some non-GNU versions of tar might not have the -C argument available.
In this case, if you want to install in /opt/splunk, either cd to /opt or place
the tar file in /opt before running the tar command. This method will work
for any accessible directory on your machine's filesystem.

64
Splunk does not create the splunk user automatically. If you want Splunk
to run as a specific user, you must create the user manually before
installing.

Ensure that the disk partition has enough space to hold the uncompressed
volume of the data you plan to keep indexed.

RedHat RPM install
To install the Splunk RPM in the default directory /opt/splunk:
rpm -i splunk_package_name.rpm
To install Splunk in a different directory, use the --prefix flag:
rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
Note: Installing with rpm in a non-default directory is not recommended, as RPM
offers no safety net at time of upgrade, if --prefix does not agree then the
upgrade will go awry.
To upgrade an existing Splunk Enterprise installation that resides in /opt/splunk
using the RPM:
rpm -U splunk_package_name.rpm
Note: Upgrading rpms is upgrading the rpm package, not upgrading splunk. In
other words, rpm upgrades can only be done when using the rpm in the past.
There is no smooth transition from tar installs to rpm installs. This is not a splunk
issue, but a fundamental packaging issue.
To upgrade an existing Splunk installation that was done in a different directory,
use the --prefix flag:
rpm -U --prefix=/opt/existing_directory splunk_package_name.rpm
Note: If you do not specify with --prefix for your existing directory, rpm will
install in the default location of /opt/splunk.
For example, to upgrade to the existing directory of
$SPLUNK_HOME=/opt/apps/splunk enter the following:
65
rpm -U --prefix=/opt/apps splunk_package_name.rpm
If you want to automate your RPM install with kickstart, add the following to your
kickstart file:
./splunk start --accept-license
./splunk enable boot-start
Note: The second line is optional for the kickstart file.
Debian DEB install
To install the Splunk DEB package:
dpkg -i splunk_package_name.deb
Note: You can only install the Splunk DEB package in the default location,
/opt/splunk.
What gets installed
Splunk package status:
dpkg --status splunk
List all packages:
dpkg --list
Start Splunk
Splunk Enterprise can run as any user on the local system. If you run Splunk as
a non-root user, make sure that Splunk has the appropriate permissions to read
the inputs that you specify. Refer to the instructions for running Splunk as a
non-root user for more information.
66
To start Splunk Enterprise from the command line interface, run the following
command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the
directory into which you installed Splunk):
./splunk start
By convention, this document uses:
$SPLUNK_HOME to identify the path to your Splunk installation.
$SPLUNK_HOME/bin/ to indicate the location of the command line interface.
Startup options
The first time you start Splunk Enterprise after a new installation, you must
accept the license agreement. To start Splunk and accept the license in one
step:
$SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the accept-license option.
Launch Splunk Web and log in
After you start Splunk Enterprise and accept the license agreement,
1. In a browser window, access Splunk Web at http://<hostname>:port.
hostname is the host machine.
port is the port you specified during the installation (the default port is
8000).

2. Splunk Web prompts you for login information (default, username admin and
password changeme) before it launches. If you switch to Splunk Free, you will
bypass this logon page in future sessions.
What's next?
Now that you've installed Splunk Enterprise, what comes next?
67
Uninstall Splunk Enterprise
To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in
this manual.
Install on Solaris
You can install Splunk Enterprise on Solaris with a PKG packages, or a tar file.
Upgrading?
If you are upgrading, review "How to upgrade Splunk" for instructions and
migration considerations before proceeding.
Install Splunk
Splunk Enterprise for Solaris is available as a PKG file or a tar file.
PKG file install
The PKG installation package includes a request file that prompts you to answer
a few questions before Splunk installs.
pkgadd -d ./splunk_product_name.pkg
A list of the available packages is displayed.
Select the packages you wish to process (the default is "all").
The installer then prompts you to specify a base installation directory.
To install into the default directory, /opt/splunk, leave this blank.
PKG file upgrade
To upgrade an existing Splunk Enterprise installation using a PKG file, you
should use the instance parameter, either in the system's default package
installation configuration file (/var/sadm/install/admin/default) or in a custom
configuration file that you define and call.
68
In the default or custom configuration file, set instance=overwrite. This will
prevent the upgrade from creating a second splunk package (with
instance=unique), or failing (with instance=quit). For information about the
instance parameter, see the Solaris man page (man -s4 admin).
To upgrade Splunk Enterprise using the system's default package installation file,
use the same command line as you would for a fresh install.
pkgadd -d ./splunk_product_name.pkg
The installer prompts you to overwrite any changed files, answer yes to every
one.
To upgrade using a custom configuration file, type:
pkgadd -a conf_file -d ./splunk_product_name.pkg
To run the upgrade silently (and not have to answer yes for every file overwrite),
type:
pkgadd -n -d ./splunk_product_name.pkg
tar file install
To install Splunk Enterprise on a Solaris system, expand the tar file into an
appropriate directory using the tar command:
tar xvzf splunk_package_name.tar.Z
The default install directory is splunk in the current working directory. To install
into /opt/splunk, use the following command:
tar xvzf splunk_package_name.tar.Z -C /opt
Note: When you install Splunk with a tar file:
Some non-GNU versions of tar might not have the -C argument available.
In this case, if you want to install in /opt/splunk, either cd to /opt or place
the tar file in /opt before running the tar command. This method will work
for any accessible directory on your machine's filesystem.

69
If the gzip binary is not present on your system, you can use the
uncompress command instead.

Splunk does not create the splunk user automatically. If you want Splunk
to run as a specific user, you must create the user manually before
installing.

Ensure that the disk partition has enough space to hold the uncompressed
volume of the data you plan to keep indexed.

What gets installed
Splunk package info:
pkginfo -l splunk
List all packages:
pkginfo
Start Splunk
Splunk Enterprise can run as any user on the local system. If you run Splunk as
a non-root user, make sure that Splunk has the appropriate permissions to read
the inputs that you specify. For more information, refer to the instructions on
running Splunk as a non-root user.
To start Splunk Enterprise from the command line interface, run the following
command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the
directory into which you installed Splunk):
./splunk start
By convention, the Splunk documentation uses:
$SPLUNK_HOME to identify the path to your Splunk installation.
$SPLUNK_HOME/bin/ to indicate the location of the command line interface.
Startup options
The first time you start Splunk Enterprise after a new installation, you must
accept the license agreement. To start Splunk and accept the license in one
step:
70
$SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the accept-license option.
Launch Splunk Web and log in
After you start Splunk Enterprise and accept the license agreement,
1. In a browser window, access Splunk Web at http://mysplunkhost:port, where:
mysplunkhost is the host machine.
port is the port you specified during the installation (8000).
2. Splunk Web prompts you for login information (default, username admin and
password changeme) before it launches. If you switch to Splunk Free, you will
bypass this logon page in future sessions.
What's next?
Now that you've installed Splunk Enterprise, what comes next?
Uninstall Splunk Enterprise
To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in
this manual.
Install on Mac OS X
You can install Splunk Enterprise on Mac OS X using a DMG package, or a tar
file.
Upgrading?
If you are upgrading, review "How to upgrade Splunk" for instructions and
migration considerations before proceeding.
Installation options
The Mac OS build comes in two forms: a DMG package and a tar file. Below are
instructions for the:
71
Graphical (basic) and command line installs using the DMG file.
tar file install.
Note: if you require two installations in different locations on the same host, use
the tar file. The pkg installer cannot install a second instance. If one exists, it will
remove it upon successful install of the second.
Graphical install
1. Double-click on the DMG file.
A Finder window containing splunk.pkg opens.
2. In the Finder window, double-click on splunk.pkg.
The Splunk installer opens and displays the Introduction, which lists version and
copyright information.
3. Click Continue.
The Select a Destination window opens.
4. Choose a location to install Splunk.
To install in the default directory, /Applications/splunk, click on the
harddrive icon.

To select a different location, click Choose Folder...
5. Click Continue.
The pre-installation summary displays. If you need to make changes,
Click Change Install Location to choose a new folder, or
Click Back to go back a step.
6. Click Install.
Your installation will begin. It might take a few minutes.
7. When your install completes, click Finish. The installer places a shortcut on
the Desktop.
72
Command line install
Use the following instructions to install from a Terminal window.
Important: To install Splunk on Mac OS X from the command line, you must
use the root user, or elevate privileges using the sudo command. If you use
sudo, your account must be an Admin-level account.
1. To mount the dmg:
sudo hdid splunk_package_name.dmg
The Finder mounts the disk image onto the desktop. The image is available
under /Volumes/SplunkForwarder <version> (note the space).
2. To Install
To the root volume:
cd /Volumes/SplunkForwarder\ <version>
sudo installer -pkg .payload/splunk.pkg -target /
Note: There is a space in the disk image's name. Use a backslash to escape the
space or wrap the disk image name in quotes.
To a different disk of partition:
cd /Volumes/SplunkForwarder\ <version>
sudo installer -pkg .payload/splunk.pkg -target /Volumes\ Disk
Note: There is a space in the disk image's name. Use a backslash to escape the
space or wrap the disk image name in quotes.
-target specifies a target volume, such as another disk, where Splunk will be
installed in /Applications/splunk.
To install into a directory other than /Applications/splunk on any volume, use
the graphical installer as described above.
73
tar file install
To install Splunk Enterprise on Mac OS X, expand the tar file into an appropriate
directory using the tar command:
tar xvzf splunk_package_name.tgz
The default install directory is splunk in the current working directory. To install
into /Applications/splunk, use the following command:
tar xvzf splunk_package_name.tgz -C /Applications
Note: When you install Splunk Enterprise with a tar file:
Splunk does not create the splunk user automatically. If you want Splunk
to run as a specific user, you must create the user manually before
installing.

Ensure that the disk partition has enough space to hold the uncompressed
volume of the data you plan to keep indexed.

Start Splunk
Splunk Enterprise can run as any user on the local system. If you run Splunk as
a non-root user, make sure that Splunk has the appropriate permissions to read
the inputs that you specify.
Start Splunk from the Finder
To start Splunk from the Finder, double-click the Splunk icon on the Desktop to
launch the Splunk helper application, entitled "Splunk's Little Helper".
Note: The first time you run the helper application, it notifies you that it needs to
perform a brief initialization. Click OK to allow Splunk to initialize and set up the
trial license.
Once the helper application loads, it displays a dialog that offers several choices:
Start and Show Splunk: This option starts Splunk and directs your web
browser to open a page to Splunk Web.

Only Start Splunk: This choice starts Splunk, but does not open Splunk
Web in a browser.

74
Cancel: Tells the helper application to quit. This does not affect the
Splunk instance itself, only the helper application.

Once you make your choice, the Splunk helper application performs the
requested application and terminates. You can run the helper application again to
either show Splunk Web or stop Splunk.
The Splunk helper application can also be used to stop Splunk if it is already
running.
Start Splunk from the command line
To start Splunk Enterprise from the command line interface, run the following
command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the
directory into which you installed Splunk):
./splunk start
By convention, this document uses:
$SPLUNK_HOME to identify the path to your Splunk installation.
$SPLUNK_HOME/bin/ to indicate the location of the command line interface.
Startup options
The first time you start Splunk Enterprise after a new installation, you must
accept the license agreement. To start Splunk and accept the license in one
step:
$SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the accept-license option.
Launch Splunk Web and log in
After you start Splunk Enterprise and accept the license agreement,
1. In a browser window, access Splunk Web at http://<hostname>:port
hostname is the host machine.
port is the port you specified during the installation (the default port is
8000).

75
2. Splunk Web prompts you for login information (default, username admin and
password changeme) before it launches. If you switch to Splunk Free, you will
bypass this logon page in future sessions.
What's next?
Now that you've installed Splunk Enterprise, what comes next?
Uninstall Splunk Enterprise
To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in
this manual.
Install on FreeBSD
Splunk Enterprise for FreeBSD comes in two forms: an installer (5.4-intel) and a
tar file (i386). Both are gzipped tar (.tgz) files.
Upgrading?
If you are upgrading, review "How to upgrade Splunk" for instructions and
migration considerations before proceeding.
Prerequisites
For FreeBSD 8, Splunk Enterprise requires compatibility packages. To install the
compatibility package:
1. Install the port:
portsnap fetch update
cd /usr/ports/misc/compat7x/ && make install clean
2. Add the package:
pkg_add -r compat7x-amd64
Basic install
To install Splunk Enterprise for FreeBSD using the intel installer:
76
pkg_add splunk_package_name-6.1-intel.tgz
Important: This installs Splunk in the default directory, /opt/splunk. If /opt does
not exist, you will need to create it prior to running the install command. If you
don't, you might receive an error message. Splunk recommends that you create
a symbolic link to another filesystem and install Splunk there, because FreeBSD
best practices maintain a small root ("/") filesystem.
To install Splunk Enterprise in a different directory:
pkg_add -v -p /usr/splunk splunk_package_name-6.1-intel.tgz
The FreeBSD package system does not have native upgrade support. There are
some add-on utilities which try to manage it, but this is not explicitly tested. To
upgrade a package on FreeBSD you can either uninstall the prior package, and
install the new package, or you can upgrade the existing installation using a tar
file install as below.
tar file install
To install Splunk Enterprise on a FreeBSD system with a tar file, expand the file
into an appropriate directory using the tar command:
tar xvzf splunk_package_name.tgz
The default install directory is splunk in the current working directory. To install
into /opt/splunk, use the following command:
tar xvzf splunk_package_name.tgz -C /opt
Note: When you install Splunk Enterprise with a tar file:
Some non-GNU versions of tar might not have the -C argument available.
In this case, if you want to install in /opt/splunk, either cd to /opt or place
the tar file in /opt before running the tar command. This method will work
for any accessible directory on your machine's filesystem.

Splunk does not create the splunk user automatically. If you want Splunk
to run as a specific user, you must create the user manually before
installing.

77
Ensure that the disk partition has enough space to hold the uncompressed
volume of the data you plan to keep indexed.

After you install
To ensure that Splunk Enterprise functions properly on FreeBSD, you must:
1. Add the following to /boot/loader.conf
kern.maxdsiz="2147483648" # 2GB
kern.dfldsiz="2147483648" # 2GB
machdep.hlt_cpus=0
2. Add the following to /etc/sysctl.conf:
vm.max_proc_mmap=2147483647
You must restart FreeBSD for the changes to effect.
If your server has less than 2 GB of memory, reduce the values accordingly.
What gets installed
To see the list of Splunk Enterprise packages:
pkg_info -L splunk
To list all packages:
pkg_info
Start Splunk
Splunk Enterprise can run as any user on the local system. If you run Splunk as
a non-root user, make sure that Splunk has the appropriate permissions to read
the inputs that you specify.
To start Splunk from the command line interface, run the following command
from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into
which you installed Splunk):
78
./splunk start
By convention, this document uses:
$SPLUNK_HOME to identify the path to your Splunk installation.
$SPLUNK_HOME/bin/ to indicate the location of the command line interface.
Startup options
The first time you start Splunk Enterprise after a new installation, you must
accept the license agreement. To start Splunk and accept the license in one
step:
$SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the accept-license option.
Launch Splunk Web and log in
After you start Splunk Enterprise and accept the license agreement,
1. In a browser window, access Splunk Web at http://<hostname>:port
hostname is the host machine.
port is the port you specified during the installation (the default port is
8000).

2. Splunk Web prompts you for login information (default, username admin and
password changeme) before it launches. If you switch to Splunk Free, you will
bypass this logon page in future sessions.
What's next?
Now that you've installed Splunk Enterprise, what comes next?
Uninstall Splunk Enterprise
To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in
this manual.
79
Install on AIX
You can install Splunk Enterprise on AIX using a tar file.
Important: The user Splunk is installed as must have permission to read
/dev/urando and /dev/random or the installation will fail.
Upgrading?
If you are upgrading, review "How to upgrade Splunk" for instructions and
migration considerations before proceeding.
Install Splunk
The AIX install comes in tar file form.
When you install with the tar file:
Splunk does not create the splunk user automatically. If you want Splunk
to run as a specific user, you must create the user manually.

Be sure the disk partition has enough space to hold the uncompressed
volume of the data you plan to keep indexed.

We recommend you use GNU tar to unpack the tar files, as AIX tar can fail
to unpack long file names, fail to overwrite files, and other problems. If you
must use the system tar, be sure to check the output for error messages.

To install Splunk Enterprise on an AIX system, expand the tar file into an
appropriate directory. The default install directory is /opt/splunk.
For AIX 5.3, check to make sure your service packs are up to date. Splunk
Enterprise requires the following service level:
$ oslevel -r
5300-005
Start Splunk
Splunk Enterprise can run as any user on the local system. If you run Splunk as
a non-root user, make sure that Splunk has the appropriate permissions to read
the inputs that you specify. Refer to the instructions for running Splunk as a
non-root user for more information.
80
To start Splunk Enterprise from the command line interface, run the following
command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the
directory into which you installed Splunk):
./splunk start
By convention, this document uses:
$SPLUNK_HOME to identify the path to your Splunk installation.
$SPLUNK_HOME/bin/ to indicate the location of the command line interface.
Note: The AIX version of Splunk does not register itself to auto-start on reboot.
Startup options
The first time you start Splunk Enterprise after a new installation, you must
accept the license agreement. To start Splunk and accept the license in one
step:
$SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the accept-license option.
For more information, refer to "Splunk startup options" in this manual.
Launch Splunk Web and log in
After you start Splunk Enterprise and accept the license agreement,
1. In a browser window, access Splunk Web at http://<hostname>:port
hostname is the host machine.
port is the port you specified during the installation (the default port is
8000).

2. Splunk Web prompts you for login information (default, username admin and
password changeme) before it launches. If you switch to Splunk Free, you will
bypass this logon page in future sessions.
81
What's next?
Now that you've installed Splunk Enterprise, what comes next?
Uninstall Splunk Enterprise
To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in
this manual.
Install on HP-UX
You can install Splunk Enterprise on HP/UX using a tar file.
To install Splunk on an HP-UX system, expand the tar file, using GNU tar, into an
appropriate directory. The default install directory is /opt/splunk.
NOTE: The system default tar on HP-UX will not successfully extract the splunk
tar. GNU tar is a pre-requisite, or you can unpack the tar on another platform.
When you install with the tar file:
Splunk does not create the splunk user automatically. If you want Splunk
to run as a specific user, you must create the user manually.

Be sure the disk partition has enough space to hold the uncompressed
volume of the data you plan to keep indexed.

Upgrading?
If you are upgrading, review "How to upgrade Splunk" for instructions and
migration considerations before proceeding.
Start Splunk
Splunk Enterprise can run as any user on the local system. If you run Splunk as
a non-root user, make sure that Splunk has the appropriate permissions to read
the inputs that you specify.
To start Splunk Enterprise from the command line interface, run the following
command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the
directory into which you installed Splunk):
82
./splunk start
By convention, this document uses:
$SPLUNK_HOME to identify the path to your Splunk installation.
$SPLUNK_HOME/bin/ to indicate the location of the command line interface.
Note: The HP-UX version of Splunk does not register itself to auto-start on
reboot.
Startup options
The first time you start Splunk Enterprise after a new installation, you must
accept the license agreement. To start Splunk and accept the license in one
step:
$SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the accept-license option.
Launch Splunk Web and log in
After you start Splunk Enterprise and accept the license agreement,
1. In a browser window, access Splunk Web at http://<hostname>:port
hostname is the host machine.
port is the port you specified during the installation (the default port is
8000).

2. Splunk Web prompts you for login information (default, username admin and
password changeme) before it launches. If you switch to Splunk Free, you will
bypass this logon page in future sessions.
What's next?
Now that you've installed Splunk Enterprise, what comes next?
83
Uninstall Splunk Enterprise
To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in
this manual.
Run Splunk Enterprise as a different or non-root
user
Important: This topic is for non-Windows operating systems only. To learn how
to install Splunk Enterprise on Windows using a user, read "Choose the user
Splunk Enterprise should run as" in this manual.
You can run Splunk Enterprise as any user on the local system. If you run Splunk
as a non-root user, make sure Splunk has the appropriate permissions to:
Read the files and directories it is configured to watch. Some log files and
directories may require root or superuser access to be indexed.

Write to the Splunk directory and execute any scripts configured to work
with your alerts or scripted input.

Bind to the network ports it is listening on (ports below 1024 are reserved
ports that only root can bind to).

Note: Because ports below 1024 are reserved for root access only, Splunk can
only listen on port 514 (the default listening port for syslog) if it is running as root.
You can, however, install another utility (such as syslog-ng) to write your syslog
data to a file and have Splunk monitor that file instead.
Instructions
To run Splunk Enterprise as a non-root user, you need to first install Splunk as
root. Then, before you start Splunk for the first time, change the ownership of
the splunk directory to the desired user. The following are instructions to install
Splunk and run it as a non-root user, splunk.
Note: In the following examples, $SPLUNK_HOME represents the path to the Splunk
installation directory.
1. Create the user and group, splunk.
For Linux, Solaris, and FreeBSD:
84
useradd splunk
groupadd splunk
For Mac OS:
You can use the System Preferences > Accounts panel to add users and
groups.
2. As root and using one of the packages (not a tar file), run the installation.
Important: Do not start Splunk yet.
3. Use the chown command to change the ownership of the splunk directory and
everything under it to the desired user.
chown -R splunk $SPLUNK_HOME
Note: You might also need to change the group ownership for files in the Splunk
directory. If your system's chown binary does not support changing group
ownership of files, you can use the chgrp command to do so. Refer to your
system's man pages for additional information.
4. Start Splunk.
$SPLUNK_HOME/bin/splunk start
Also, if you want to start Splunk as the splunk user while you are logged in as a
different user, you can use the sudo command:
sudo -H -u splunk $SPLUNK_HOME/bin/splunk start
This example command assumes:
If Splunk is installed in an alternate location, update the path in the
command accordingly.

Your system may not have sudo installed. If this is the case, you can use
su.

If you are installing using a tar file and want Splunk to run as a particular
user (such as splunk), you must create that user manually.

The splunk user will need access to /dev/urandom to generate the certs
85
for the product.
Solaris 10 privileges
When installing Splunk Enterprise on Solaris 10 as the splunk user, you must set
additional privileges to start splunkd and bind to reserved ports.
To start splunkd as the splunk user on Solaris 10, run:
# usermod -K defaultpriv=basic,net_privaddr,proc_exec,proc_fork splunk
To allow the splunk user to bind to reserved ports on Solaris 10, run (as root):
# usermod -K defaultpriv=basic,net_privaddr splunk
86
Start using Splunk Enterprise
Start Splunk for the first time
Important security tip
Before you begin using your new Splunk Enterprise upgrade or installation, you
should take a few moments to make sure that Splunk and your data are secure.
For more information, read "Hardening Standards" in the Securing Splunk
manual.
To start Splunk Enterprise:
On Windows
You can start Splunk on Windows using either the command line, or the
Windows Services Manager. Using the command line offers more options,
described later in this section. In a cmd window, go to C:\Program
Files\Splunk\bin and type:
splunk start
(For Windows users: in subsequent examples and information, replace
$SPLUNK_HOME with C:\Program Files\Splunk if you have installed Splunk in the
default location. You can also add %SPLUNK_HOME% as a system-wide environment
variable by using the System Properties dialog's Advanced tab.)
On UNIX
Use the Splunk command-line interface (CLI):
$SPLUNK_HOME/bin/splunk start
Splunk then displays the license agreement and prompts you to accept before
the startup sequence continues.
On Mac OS X
Splunk Enterprise can run as any user on the local system. If you run Splunk as
a non-root user, make sure that Splunk has the appropriate permissions to read
the inputs that you specify.
87
Start Splunk Enterprise from the Finder
To start Splunk from the Finder, double-click the Splunk icon on the Desktop to
launch the Splunk helper application, entitled "Splunk's Little Helper".
Note: The first time you run the helper application, it notifies you that it needs to
perform a brief initialization. Click OK to allow Splunk to initialize and set up the
trial license.
Once the helper application loads, it displays a dialog that offers several choices:
Start and Show Splunk: This option starts Splunk and directs your web
browser to open a page to Splunk Web.

Only Start Splunk: This choice starts Splunk, but does not open Splunk
Web in a browser.

Cancel: Tells the helper application to quit. This does not affect the
Splunk instance itself, only the helper application.

Once you make your choice, the Splunk helper application performs the
requested application and terminates. You can run the helper application again to
either show Splunk Web or stop Splunk.
The Splunk helper application can also be used to stop Splunk if it is already
running.
Start Splunk Enterprise from the command line
To start Splunk from the command line interface, run the following command
from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into
which you installed Splunk, by default /Applications/splunk):
./splunk start
Other start options
To accept the license automatically when you start Splunk for the first time, add
the accept-license option to the start command:
$SPLUNK_HOME/bin/splunk start --accept-license
The startup sequence displays:
88
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Verifying configuration. This may take a while...
Finished verifying configuration.
Checking index directory...
Verifying databases...
Verified databases: _audit, _blocksignature, _internal, _thefishbucket,
history, main, sampledata, splunklogger, summary
Checking index files
All index checks passed.
All preliminary checks passed.
Starting splunkd...
Starting splunkweb...
Splunk Server started.
The Splunk web interface is at http://<hostname>:8000
Note: If the default ports are already in use (or are otherwise not available),
Splunk will offer to use the next available port. You can either accept this option
or specify a port for Splunk to use.
There are two other start options: no-prompt and answer-yes:
If you run $SPLUNK_HOME/bin/splunk start --no-prompt, Splunk proceeds
with startup until it requires you to answer a question. Then, it displays the
question, why it is quitting, and quits.

If you run SPLUNK_HOME/bin/splunk start --answer-yes, Splunk proceeds
with startup and automatically answers "yes" to all yes/no questions.
Splunk displays the question and answer as it continues.

If you run start with all three options in one line, for example:
$SPLUNK_HOME/bin/splunk start --answer-yes --no-prompt --accept-license
Splunk does not ask you to accept the license.
Splunk answers yes to any yes/no question.
Splunk quits when it encounters a non-yes/no question.
Start and disable individual processes
You can start and stop individual Splunk Enterprise processes by adding the
process as an object to the start command. The objects include:
splunkd, the Splunk server daemon.
89
splunkweb, Splunk's Web interface process.
For example, to start only splunkd:
$SPLUNK_HOME/bin/splunk start splunkd
To disable splunkweb:
$SPLUNK_HOME/bin/splunk disable webserver
For more information about start, refer to the CLI help page:
$SPLUNK_HOME/bin/splunk help start
Launch Splunk Web
Navigate to:
http://mysplunkhost:8000
Use whatever host and port you chose during installation.
The first time you log in to Splunk Enterprise, the default login details are:
Username - admin
Password - changeme
Splunk Free does not have access controls.
What happens next?
Now that you've got Splunk Enterprise installed on one server, here are some
links to get you started:
Learn what Splunk Enterprise is, what it does, and how it's different.
Learn how to add your data to Splunk.
Add and manage users.
Estimate how much space you will need to store your Splunk data.
Plan your Splunk Enterprise deployment, from gigabytes to terabytes per
day.

90
Learn how to search, monitor, report, and more.
One big way that Splunk Enterprise differs from traditional technologies is
that it classifies and interprets data at search-time. Learn what this
means and how to use it.

If you downloaded Splunk Enterprise packaged with an app (for example, Splunk
+ WebSphere), go to Splunk Web and select the app in Launcher to go directly to
the app?s setup page. To see more information about the setup and deployment
for a packaged app, search for the app name on Splunkbase.
Learn about Splunk's accessibility
Splunk is dedicated to maintaining and enhancing its accessibility and usability
for users of assistive technology (AT), both in accordance with Section 508 of the
United States Rehabilitation Act of 1973, and in terms of best usability practices.
This topic discusses how Splunk addresses accessibility within the product for
users of AT.
Accessibility of Splunk Web and the CLI
The Splunk Enterprise command line interface (CLI) is fully accessible, and
includes a superset of the functions available in Splunk Web. The CLI is
designed for usability for all users, regardless of accessibility needs, and Splunk
therefore recommends the CLI for users of AT (specifically users with low or no
vision, or mobility restrictions).
Splunk also understands that use of a GUI is occasionally preferred, even for
non-sighted users. As a result, Splunk Web is designed with the following
accessibility features:
Form fields and dialog boxes have on-screen indication of focus, as
supported by the Web browser.

No additional on-screen focus is implemented for links, buttons or other
elements that do not have browser-implemented visual focus.

Form fields are consistently and appropriately labeled, and ALT text
describes functional elements and images.

Splunk Web does not override user-defined style sheets.
Data visualizations in Splunk Web have underlying data available via
mouse-over or output as a data table, such that information conveyed with
color is available without color.

91
Most data tables implemented with HTML use headers and markup to
identify data as needed.

Data tables presented using Flash visually display headers. Underlying
data output in comma separated value (CSV) format have appropriate
headers to identify data.

Accessibility and real-time search
Splunk Web does not include any blinking or flashing components. However,
using real-time search causes the page to update. Real-time search is easily
disabled, either at the deployment or user/role level. For greatest ease and
usability, Splunk recommends the use of the CLI with real-time functionality
disabled for users of AT (specifically screen readers). Refer to "How to restrict
usage of real-time search" in the Search Manual for details on disabling real-time
search.
Keyboard navigation using Firefox and Mac OS X
To enable Tab key navigation in Firefox on Mac OS X, use system preferences
instead of browser preferences. To enable keyboard navigation:
1. In the menu bar, click [Apple icon]>System Preferences>Keyboard to open
the Keyboard preferences dialog.
2. In the Keyboard preferences dialog, click the Keyboard Shortcuts button at
the top.
3. Near the bottom of the dialog, where it says Full Keyboard Access, click the
All controls radio button.
4. Close the Keyboard preferences dialog.
5. If Firefox is already running, exit and restart the browser.
92
Install a Splunk Enterprise license
About Splunk licenses
Splunk takes in data from sources you designate and processes it so that you
can analyze it in Splunk. We call this process indexing. For information about
the indexing process, refer to "What Splunk does with your data" in the Getting
Data In Manual.
Splunk licenses specify how much data you can index per day.
For more information about Splunk licenses, begin by reading:
"How Splunk licensing works" in the Admin Manual.
"Types of Splunk licenses" in the Admin Manual.
"More about Splunk Free" in the Admin Manual.
Install a license
This topic discusses how to install a new license in Splunk Enterprise. Before you
proceed, you might want to review these topics on licensing:
Read "How Splunk licensing works" in the Admin Manual for an
introduction to Splunk licensing.

Read "Groups, stacks, pools, and other terminology" in the Admin Manual
for more information about Splunk license terms.

Add a new license
To add a new license:
1. Navigate to Settings > Licensing.
2. Click Add license.
93
3. Either click Choose file and navigate to your license file and select it, or click
copy & paste the license XML directly... and paste the text of your license file
into the provided field.
4. Click Install. If this is the first Enterprise license that you are installing, you
must restart Splunk. Your license is installed.
License violations
Violations occur when you exceed the maximum indexing volume allowed for
your license. If you exceed your licensed daily volume on any one calendar day,
you will get a violation warning. The message persists for 14 days. If you have 5
or more warnings on an Enterprise license or 3 warnings on a Free license
in a rolling 30-day period, you are in violation of your license and search
will be disabled. Search capabilities return when you have fewer than 5
(Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a
temporary reset license (available for Enterprise only). To obtain a reset license,
contact your sales rep.
Note: Summary indexing volume is not counted against your license.
If you get a violation warning, you have until midnight (going by the time on the
license master) to resolve it before it counts against the total number of warnings
within the rolling 30-day period.
During a license violation period:
94
Splunk Enterprise does not stop indexing your data. Splunk only blocks
search while you exceed your license.

Searches to the _internal index are not disabled. This means that you
can still access the Indexing Status dashboard or run searches against
_internal to diagnose the licensing problem.

Got license violations? Read "About license violations" in the Admin Manual or
"Troubleshooting indexed data volume" from the Splunk Community Wiki.
More licensing information is available in the "Manage Splunk licenses" chapter
in the Admin Manual.
95
Upgrade or migrate Splunk Enterprise
How to upgrade Splunk
This topic discusses how to upgrade Splunk Enterprise and its components from
one version to another.
In many cases, you upgrade Splunk by installing the latest package over your
existing installation. On Windows systems, the installer package detects the
version that you have installed and offers to upgrade it for you.
Note: When upgrading Splunk Enterprise, do so with an administrative-level user
account.
What's new and awesome in 6.0?
Read "Meet Splunk Enterprise 6" in the Release Notes for a full list of the new
features we've delivered in 6.0.
Review the known issues in the Release Notes for a list of issues and
workarounds in this release.
Always back up your existing deployment first
Get into the habit of backing up your existing Splunk Enterprise deployment
before any upgrade or migration.
You can manage your risk by using technology that allows you to restore your
Splunk Enterprise install and data to a state prior to the upgrade, whether you
use external backups, disk or file system snapshots, or other means. When
backing up your Splunk data, consider the $SPLUNK_HOME directory, as well
as any indexes located outside of it.
For more information about backing up your Splunk Enterprise deployment, read
the topics "Back up configuration information" in the Admin Manual and "Back up
indexed data" in the Managing Indexers and Clusters Manual.
96
Choose the proper upgrade procedure based on your
environment
The way that you upgrade Splunk Enterprise differs based on whether you have
a single Splunk instance or multiple Splunk instances connected together. The
differences are significant if you have configured a cluster of Splunk instances.
Upgrade distributed environments
If you plan to upgrade a distributed Splunk Enterprise environment, read
"Upgrade your distributed environment" in the Distributed Deployment Manual.
Upgrade clustered environments
If you plan to upgrade a clustered Splunk environment, read "Upgrade your
clustered deployment" in the Managing Indexers and Clusters Manual. That topic
has upgrade instructions that supersede the instructions in this manual.
Important: All nodes of a clustered Splunk Enterprise environment must run the
same version of Splunk. If you plan to upgrade your clustered environment, you
must upgrade all nodes (including search heads, master nodes, and peer nodes)
in the cluster at the same time.
Then, read about important migration information before
upgrading
Important: Before upgrading, be sure to read "About upgrading to 6.0: READ
THIS FIRST" for specific migration tips and information that might affect you.
Upgrade from 5.0 and later
Splunk supports a direct upgrade from versions 5.0 and later to version 6.0.
If you're upgrading from 5.0 or later, read the rest of this topic first before
proceeding with the installation instructions linked below.
Upgrade to 6.0 on Linux, Solaris, FreeBSD, HP-UX, AIX, and MacOS
Upgrade to 6.0 on Windows
97
Upgrade from 4.3
Splunk also supports a direct upgrade from version 4.3 and later to version 6.0.
Upgrading directly to 6.0 from versions older than 4.3 is not officially supported. If
you are running a version of Splunk earlier than 4.3, then you should upgrade to
4.3 first before attempting an upgrade to 6.0. Read "About upgrading to 4.3
READ THIS FIRST" for specific details on how to upgrade to version 4.3.
Upgrade universal forwarders
Upgrading universal forwarders is a different process than upgrading full Splunk.
Before upgrading your universal forwarders, be sure to read the appropriate
upgrade topic for your operating system:
Upgrade the Windows universal forwarder
Upgrade the Unix universal forwarder
To learn about interoperability and compatibility between indexers and universal
forwarders, read "Indexer and universal forwarder compatibility" in the
Forwarding Data manual.
About Upgrading to 6.0 - READ THIS FIRST
This topic contains important information and tips about upgrading to version 6.0
from an earlier version. Read it before attempting to upgrade your Splunk
environment.
Important: Not all Splunk apps and add-ons are compatible with Splunk
Enterprise 6.0. If you are considering an upgrade to this release, please check
Splunk Apps to confirm that your apps are compatible with Splunk Enterprise 6.0.
Upgrade clustered environments
If you plan to upgrade a Splunk cluster, read "Upgrade your clustered
deployment" in the Managing Indexers and Clusters Manual. The instructions in
that topic supersede the upgrade material in this manual.
Important: All nodes of a clustered Splunk environment must run the same
version of Splunk. If you plan to upgrade your clustered environment, you must
upgrade all nodes (including search heads, master nodes, and peer nodes) in the
98
cluster at the same time.
Upgrade paths
Splunk Enterprise supports the following upgrade paths to Version 6.0 of the
software:
From version 5.0 or later to 6.0.x
From version 4.3 or later directly to 6.0.x
From version 4.3 or later to 5.0, and then from version 5.0 or later to 6.0.x
If you run a version of Splunk prior to 4.3, upgrade to 4.3 first, then upgrade to
6.0. Read "About upgrading to 4.3 - READ THIS FIRST" for tips on migrating
your instance to version 4.3.
You want to know this stuff
Upgrading to 6.0 from 4.3 and later is pretty simple, but here are a few things you
should be aware of when installing the new version:
We have changed the Splunk Enterprise user interface...significantly
One of the biggest and most important things that you will notice after you
upgrade to version 6.0 is the new user interface. We have transformed how you
access Splunk through Splunk Web. To that end, the way you do things in
Splunk Web on version 6 has changed from how you would do things in previous
versions of the product.
For a list of some of the things that have changed in Splunk Web, read
"How Splunk Web procedures have changed from version 5 to version 6"
in this manual.

For an introduction on how to access Splunk Web using the new interface,
check out the updated Splunk Search Tutorial.

We have changed a number of the Splunk terms that you've come to know
Along with a changed user interface, we've also changed a number of the terms
you've been used to when using Splunk. Here's a list of some of them:
Manager, Splunk's main configuration interface, is now known as
Settings.

Launcher, the initial menu you see when you run Splunk, is now known as
Home.

99
Saved searches are now known as reports.
A saved search with an alert is now known as an alert.
"TSIDX stats" are now known as indexed field statistics.
We have changed some application development parameters and
procedures
If you develop any type of Splunk app, be sure to read "Changes for Splunk app
developers" to find out how to build or migrate your existing apps to work
properly with version 6.
Other notable changes
We have changed the handling of some of the deployment server's
serverclass.conf attributes
We've changed how whitelists and machine type filters get handled in
serverclass.conf.
Back in version 4.3, we introduced a new attribute called machineTypesFilter.
This attribute deprecated the similar machineTypes attribute. When you upgrade,
Splunk Enterprise replaces machineTypes entries in serverclass.conf with
machineTypesFilter.
Additionally, when using serverclass.conf, you must now specify either a
whitelist or a blacklist in every stanza by using the whitelist.<n> or
blacklist.<n> attributes.
If you use the new forwarder management feature for the deployment server,
avoid using deployment server settings that are incompatible with Forwarder
Management.
Note: A deployment server cannot be a client of itself.
We have increased the default amount of required available disk space for
indexing and searching
Prior to version 6.0, the default amount of free space Splunk needed to index and
search was 2 gigabytes. When you upgrade, Splunk raises this default
requirement to 5 gigabytes. Before you upgrade, make sure you have enough
free space on the volume(s) that contain Splunk indexes and search dispatch
directories to ensure uninterrupted index and search operation.
100
Splunk no longer uses CHECK_FOR_HEADER for field extraction from
structured data files
The deprecated CHECK_FOR_HEADER attribute in props.conf will no longer function
for any new sourcetypes defined for structured data extraction. This means that,
when you upgrade, attempts to use CHECK_FOR_HEADER will result in Splunk
logging an error and disabling the associated definition.
This change does not impact structured data definitions created prior to the
upgrade - those definitions will continue to work with the CHECK_FOR_HEADER
attribute.
For information on Splunk's new structured data field extraction capabilities, read
"Extract data from files with headers" in the Getting Data In Manual.
We have reduced the maximum real-time search multiplier attribute in
limits.conf
We have reduced how many real-time searches a Splunk system can run by
default.
In Splunk version 5.x, you used to be able to run a number of searches equal to
the following formula, based on attributes from limits.conf:
Number of CPU cores * max_searches_per_cpu + base_max_searches *
max_rt_search_multiplier
The max_rt_search_multiplier attribute's default value was 3. When you
upgrade, Splunk reduces the default value to 1. This means that your real-time
search capacity will be effectively reduced by 66% unless you reset this attribute
by editing a copy of limits.conf after the upgrade.
We have extended the _internal index's retention period
In an effort to provide better statistics on license usage, we have extended the
retention period of the _internal index from 28 days to 30 days. When you
upgrade, you might notice that Splunk uses up to an additional 7 percent of
available disk space on the server which hosts that index.
The "Results Display Option" dialog for search queries does not retain
changes through an upgrade
If you make changes to the results display options for a given search query in
version 5.x, Splunk does not retain those choices through an upgrade. You must
101
make those changes again after the upgrade is complete.
Some upgraded dashboards display visible axis titles where they did not
before
When you upgrade, some dashboards will display visible axis titles which did not
exist prior to the upgrade. To address the issue, use the visualizations editor to
remove the titles.
View states do not persist during the upgrade
If you make a change to a view state (such as adjusting the number of items to
show per page in the flash timeline) and then upgrade Splunk, Splunk does not
preserve the view state through the upgrade, and the default view loads when
you use the upgraded version.
This is because Splunk assigns each view state a module ID, which changes
when you modify the view state's XML (by modifying the view).
To manage view states after upgrading, edit ui-prefs.conf.
We have changed how you set the default search time range
Prior to version 6, you could set the default search time range by selecting the
desired entry in the flash timeline. Once you upgrade, you must use a
configuration file, ui-prefs.conf, to set these default time ranges. Selecting the
time range in the time range picker in a view will no longer have any affect.
To learn how to use this file to set time ranges, read "Change the default
selected time range" in the Search Manual.
The configuration location for globally unique identifiers (GUIDs) has
changed
We have changed the location for the configuration of GUIDs for Splunk
instances. In Splunk 6.0, instead of setting the GUID in server.conf, you must
now set it in instance.cfg.
In props.conf, the initCrcLength attribute is now valid for sourcetype
stanzas
Prior to Splunk 6.0, you could only use the initCrcLength attribute in a
[source::<source>] stanza type. Now, you can use this attribute in any
102
[<sourcetype>] stanzas as well.
Notable changes for those upgrading directly from version 4.3
to version 6
We have changed how Splunk handles invalid regular expressions in
monitoring stanza filters
For versions 5.0.3 and later of Splunk, including version 6.0, we've changed how
Splunk deals with improperly formatted regular expressions in monitoring stanza
filter attributes in inputs.conf.
If you supply an invalid regular expression for a filter attribute (for example,
whitelist or blacklist) in a monitoring stanza, Splunk now ignores the entire
stanza as being invalid, instead of ignoring only the filter attribute with the invalid
regular expression. This means that Splunk will not monitor whatever data that
stanza references until you fix the error and restart Splunk. Here's an example:
[monitor:///a/directory]
whitelist = unclosed[class
This stanza is invalid because the whitelist attribute has an invalid value
assigned to it (the "unclosed[class" regular expression is missing the right
bracket (])).
In version 5.0.2 and earlier, including version 4.3, Splunk monitors the files in
/a/directory while ignoring the whitelist attribute.
TailingProcessor - Ignoring regular expression 'your_regex' in stanza
'your_stanza' due to 'error_message'.
In version 5.0.3 and later, Splunk ignores the [monitor:///a/directory] stanza,
logs an error in splunkd.log, and does not monitor the files in /a/directory:
TailingProcessor - Invalid regular expression: 'your_regex' in stanza
'your_stanza' due to: error_message, ignoring this stanza.
When you upgrade, Splunk warns you of any invalid regular expressions it
detects, and prompts you to fix them before attempting to complete the migration.
To prevent this warning from occurring, check inputs.conf to ensure that all your
monitoring stanzas have valid values before starting the upgrade.
Note: This change was originally introduced in Splunk 5.0.2, but we include it
here for users who plan to upgrade directly from version 4.3 to version 6.0.
103
We have deprecated the fschange monitor
We have deprecated the fschange monitor input. This means that although it
continues to function in version 6.0 of Splunk, it might be removed in a future
version. As an alternative, you can:
Learn how to monitor file system changes on Windows systems.
Use the auditd daemon on *nix systems and monitor output from the
daemon.

Note: This change was originally introduced in Splunk 5.0, but we include it here
for users who plan to upgrade directly from version 4.3 to version 6.0.
Forwarding method now defaults to auto-loadbalancing
Splunk 6.0 now makes auto-load balancing the default method of forwarding data
to multiple indexers at one time.
Note: This change was originally introduced in Splunk 5.0, but we include it here
for users who plan to upgrade directly from version 4.3 to version 6.0.
Splunk now offers integrated PDF printing
With version 6.0 of Splunk comes integrated PDF printing. This means that PDF
printing no longer requires a Linux Splunk instance.
There are some things to pay attention to when upgrading, however - particularly
with regards to views that contain Advanced XML. Additional information can be
found in "Generate PDFs of your reports and dashboards" in the new Reporting
Manual.
Note: This feature was originally introduced in Splunk 5.0, but we include it here
for users who plan to upgrade directly from version 4.3 to version 6.0.
Splunk uses more *nix file descriptors
Splunk 6.0 uses more file descriptors on *nix filesystems than version 4.3 did
when monitoring files.
Before you upgrade, consider increasing the number of open file descriptors your
system can use with the ulimit command.
104
Note: This change was originally introduced in Splunk 5.0, but we include it here
for users who plan to upgrade directly from version 4.3 to version 6.0.
Splunk's database-checking utility might use more resources
After you upgrade to 6.0, Splunk's database consistency checking utility (fsck)
might use more system resources (in particular, disk I/O) when they run,
particularly if bloom filters are being created at the same time.
Note: This change was originally introduced in Splunk 5.0, but we include it here
for users who plan to upgrade directly from version 4.3 to version 6.0.
Windows-specific changes
The Windows Event Log input is now modular and has additional filtering
capabilities
The Windows event log input gets two new improvements:
The input, which until now had its own input processor, is now modular.
This helps increase its efficiency and removes the limit of 64 concurrent
Event Log channels. Since the Windows Event Log input already uses
inputs.conf, there should be no impact to your configuration by this
change. However, we suggest that you review any .conf files post-upgrade
as a precautionary measure.

Additionally, the input receives several new attributes which allow you to
filter events based on their Windows Event IDs and suppress event log
text.

There are also certain situations where, if you use a deployment server to control
configurations, some versions of universal forwarder might collect duplicate
events. See "Upgrade deployment servers and installed apps that use 6.0
stanzas might generate duplicate events" below for additional information.
Upgraded deployment servers and installed apps that use 6.0 stanzas
might generate duplicate events
In order to maintain interoperability, Splunk does not remove an old-style
Windows Event Log stanza during an upgrade to version 6. Instead, it notifies
you that you need to remove them yourself manually.
105
This is particularly important for deployment servers or universal forwarders that
host apps that use 6.0 style configuration file stanzas. When you upgrade, if you
do not remove the old-style stanzas, Splunk might generate duplicate events.
Splunk on Windows introduces three new inputs: Host, printer, and
network monitoring
New for version 6.0, Splunk introduces three new Windows-only modular inputs:
Host monitoring, print monitoring, and network monitoring.
Host monitoring allows you to collect information about a Windows system,
including operating system build and version, system architecture and memory,
running processes and services, and installed applications.
Print monitoring lets you gather information on your printer subsystem, including
installed printers, print drivers and ports, and also allows you to check print jobs.
Network monitoring lets you collect information on the configuration and status of
the networking subsystem on Windows computers.
For additional information on these three new inputs, read the following topics in
the Getting Data In Manual:
Monitor Windows host information
Monitor Windows print subsystem information
Monitor Windows network information
Windows users now have a file monitoring input that does not use file
handles
On Windows instances of Splunk only, a new file monitoring input,
MonitorNoHandle allows users to monitor files without using system file handles.
This addresses problems with cases where a file handle prevents a file from
being closed properly, such as what occurs with Microsoft's DNS server logs
when the DNS server attempts to roll them.
The MonitorNoHandle input is only accessible by editing inputs.conf. You cannot
enable this input with Splunk Web.
The Windows Registry and Active Directory inputs are now modular
In our ongoing efforts to streamline configuration files, we have made the
Windows Registry monitor and Active Directory inputs modular. This means that,
106
among other things, instead of using separate configuration files, these inputs
now use inputs.conf for configuration. When you upgrade, settings will get
migrated from the existing configuration files to inputs.conf.
Splunk will migrate the following files during the upgrade:
Registry monitoring: regmon-filters.conf
Active Directory: admon.conf
What happens after you upgrade:
Registry monitoring stanzas will appear in inputs.conf as
[WinRegMon://<stanza name>].

Active Directory stanzas will appear in inputs.conf as [admon://<stanza
name>].

Be sure to review the updates to inputs.conf after the upgrade is complete.
Active Directory monitoring time formats have changed
The time stamp format that Splunk's Active Directory monitoring input logs in has
changed. In Splunk 6.0 and later, AD monitoring inputs log events as follows:
pwdLastSet=07:03.12 pm, Mon 04/30/2012
If you use Active Directory monitoring inputs, you might be impacted by this
change after you upgrade, particularly if you have configured alerts that rely on
the old time stamp format.
No support for enabling Federal Information Processing Standards (FIPS)
after an upgrade
There is no supported upgrade path from a Splunk 5.x system with enabled
Secure Sockets Layer (SSL) certificates to a Splunk 6.0 system with FIPS
enabled.
How Splunk Web procedures have changed from
version 5 to version 6
This topic lists some of the major differences in the way you accomplish tasks in
Splunk Web from previous versions to version 6.
107
What's changed?
The table below shows the major differences in Splunk Web process from
previous versions of Splunk to version 6.
Procedure/Task How you used to do it How you do it now
First time login to
Splunk
In 5.x, the Splunk launcher
has two tabs: Welcome
and Splunk Home. In
Welcome, you can Add
data and Launch search
app.
In 6.x, Splunk launches
with Home. In Home, you
can access Apps directly,
Add data, or access the
Manage data page.
Returning to Home
In 5.x, to return to
Home/Welcome you
selected the Home app
from the App menu.
In 6.x, you click the Splunk
logo in the upper left of the
navigation bar. Doing so
always returns you to
Home.
Edit account information
In 5.x you accessed your
account information
(change full name, email
address, default app,
timezone, password)
under Manager > Users
and authentication > Your
account.
In 6.x, you access it
directly from the Splunk
navigation under
Administrator > Edit
account.
Logout from Splunk
In 5.x, you clicked the
"Logout" button on the
navigation bar.
In 6.x, you select
"Administrator" > Logout.
(If you are not logged in as
Administrator, Splunk
displays the full name of
the logged in user. Click
this name to bring up the
"Logout" menu option)
Manager/Settings
In 5.x, you edited all
objects and system
configurations from the
Manager page or from the
"Administrator" link on the
navigation bar.
In 6.x, you access these
configurations directly
from the Settings menu.
There is no separate
Manager page.
108
Manage Apps: Edit
permissions for installed
apps, create a new app,
or browse Splunkbase
for community apps
In 5.x, you used Manager
-> Apps or selected from
the App menu.
In 6.x, you use the App
menu on the navigation
bar or the options under
the App panel from Home.
Search/? 5.x -> 6.x Summary, Search Search
Searches & Reports Reports
Dashboards & Views Dashboards
Find the list of alerts
In the navigation bar, you
selected "Alerts".
In the navigation bar, you
select "Triggered Alerts"
Find the timeline
In 5.x, the timeline was
always visible as part of
the dashboard after you
ran a search. You can
hide the timeline.
In 6.x, you can only view
the timeline if you're
looking at the Events tab
after you run a search.
Changes for Splunk App developers
If you develop apps for Splunk, read this topic to find out what changes we've
made to how Splunk works with apps in version 6.0, and how to migrate any
existing apps to work with the new version.
We have removed support for FlashCharts in simple XML
dashboards
We no longer support using FlashCharts in simple XML dashboards. This change
provides a more consistent dashboard user experience for iOS devices and
when users need to create PDFs. When users upgrade to version 6 of Splunk:
Splunk will silently ignore any charting options that previously triggered the
rendering of FlashCharts.

No actionable requirement here, but note that Splunk might render some
charts differently in version 6.0 as a result.

We no longer support viewstates in simple XML
We have removed Splunk's capability to support view states in simple XML. This
means that, when users upgrade:
109
Any chart options that were saved in viewstates will no longer be layered
in dashboard rendering.

Users will need to manually migrate these chart options to the simple XML
view configuration.

In addition, dynamic chart resizing no longer persists beyond the page
view.

Users that are interested in persistence should save this in simple XML
(<option name=height>300px</option>)

We no longer allow Splunk's Search page to be restyled
The new Search page in Splunk 6.0 can no longer be customized, as it does not
load any custom JavaScript or CSS.
We have added restrictions to how you can style the AppBar
For consistency between apps, Splunk 6.0 now constrains AppBar customization
to:
color
To set a color in the AppBar, edit the navigation menu default.xml (for
example, <nav color="#0072C6">).
logo
If no logo file is found, the app name is displayed instead.
We have made changes to support for custom JavaScript and
CSS
Version 6 of Splunk gets a refactored rendering engine, and as a result, many of
the function calls that the application.js and application.css files use no
longer work after users upgrade.
For app backward compatibility, in Splunk 6, simple XML dashboards no
longer load application.js and application.css automatically.

Instead, simple XML dashboards in Splunk 6 load dashboard.js and
dashboard.css automatically.

You can control the loading of specific JavaScript and CSS files within the
configuration of each simple XML dashboard. You control this using the
top-level attributes (<dashboard script=my_script.js
stylesheet=my_stylesheet.css>).

This design approach allows you to use application.js and
application.css for previous versions of Splunk, as well as dashboard.js

110
and dashboard.css for Splunk 6.0 and later.
For security purposes, we now prohibit JavaScript within the
default.xml file for dashboard navigation menus
We no longer allow JavaScript to run in a dashboard's navigation menu. This
means that, when users upgrade:
Any app that has packaged the "Create new dashboard..." link within their
navigation menu (like the old search app) will find this to no longer work in
Splunk 6.0.

You should remove this from your default.xml configuration.
Splunk now has a new "search" view page
Splunk 6.0 introduces a new search page "search" as a replacement to the
existing Flash timeline. While the product still contains Flash timeline, you should
change all references to flashtimeline within an app to "search" instead.
This includes references within navigation menu's default.xml.
It also includes references within any dashboard views (mainly for
linkView options).

We have made new global pages available to add to your app
Splunk 6.0 provides easier access to reports, alerts, dashboards, and data
models packaged within your app. We provide this access through via new listing
pages for each of these objects (dashboards, reports, alerts, data_models).
To add these views, edit your navigation menu's default.xml.
We have added the ability to run search queries from the
Home page for your app
Splunk 6.0 enables end-users to run a search query from within the Home page,
and target specific apps. You can allow end-users to directly target your app by
configuring your app's navigation menu default.xml.
To do this, edit default.xml and add the target view (<nav
search_view="search">).
111
We have introduced "Data Models"
Splunk 6.0 introduces data models that you can package within your apps. To
add data models to your apps, package them within
$SPLUNK_HOME/etc/apps/<app_name>/default/data/models
We have made changes to how Splunk works with custom
HTML dashboards
Splunk 6.0 has added knowledge objects to be included in default.meta, and
now supports dashboard views written entirely in HTML (by leveraging the new
splunkjs library).
You can add custom HTML dashboards by packaging them within
$SPLUNK_HOME/etc/apps/<app_name>/default/data/ui/html and referencing
them in default.meta with the object name [html].
We have added interval support for modular inputs
Prior to version 6, Splunk invoked any configured modular inputs when the
Splunk daemon started. In version 6, splunkd now checks the inputs at specific
intervals.
You can choose whether or not you want to refactor your script to use this
interval support.
We have changed where Splunk looks for the icon files
In versions of Splunk prior to 6.0, Splunk looked in
$SPLUNK_HOME/etc/apps/<your_app>/appserver/static. When users upgrade,
Splunk then looks in $SPLUNK_HOME/etc/apps/<your_app>/static.
We now require higher-resolution application logos and icons
In order to support displays with pixel density ratio of greater than 1:1 (as is the
case for systems like the MacBook Pro with Retina Display), you must now use
higher resolution icons and/or logos alongside the standard size icons and logos.
The file names for these higher-resolution icons and logos must be
appLogo_2x.png and appIcon_2x.png.

When packaging your application icons and logos, put them in
$SPLUNK_HOME/etc/apps/<app_name>/static.

112
Your application logo has the following additional specifications:
The background must be transparent.
Its width can vary, but:
Its height, with margins, must be no more than 40 pixels (80 pixels
for the high resolution version).

Within this 40-pixel limit, there must be a margin of at least 10
pixels on the top and bottom sides (20 pixels for the high resolution
version) which leaves a maximum of 20 pixels of height available
for your logo.

There is, however, some leeway to go into the margin area,
particularly if the logo has any bits that stick up or down or it's
particularly complex, square or round.


113
Upgrade to 6.0 on UNIX
This topic describes the procedure for upgrading your Splunk instance from
versions 4.3.x or 5.0.x or later to 6.0.
114
Before you upgrade
Make sure you've read this information before proceeding, as well as the
following:
Back your files up
Before you perform the upgrade, we strongly recommend that you back up all of
your files, including Splunk configurations, indexed data, and binaries. Splunk
does not provide a means of downgrading to previous versions; if you need to
revert to an older Splunk release, just reinstall it.
For information on backing up data, read "Back up indexed data" in the
Managing Indexers and Clusters Manual.
For information on backing up configurations, read "Back up configuration
information" in the Admin manual.
How upgrading works
After performing the installation of the new version, Splunk does not actually
make changes to your configuration until after you restart it. You can run the
migration preview utility at that time to see what will be changed before the files
are updated. If you choose to view the changes before proceeding, a file
containing the changes that the upgrade script proposes to make is written to
$SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>
Steps for upgrading
1. Execute the $SPLUNK_HOME/bin/splunk stop command.
Important: Make sure no other processes will start Splunk automatically (such
as Solaris SMF).
2. To upgrade and migrate from version 4.3.x and later, install the Splunk
package over your existing Splunk deployment:
If you are using a .tar file, expand it into the same directory with the same
ownership as your existing Splunk instance. This overwrites and replaces
matching files but does not remove unique files.
Note: AIX tar will fail to correctly overwrite files when run as a user
other than root. Use GNU tar (gtar) to avoid this problem.

115
If you are using a package manager, such as RPM, type rpm -U
splunk_package_name.rpm

If you are using a .dmg file (on Mac OS X), double-click it and follow the
instructions. Be sure to specify the same installation directory as your
existing installation.

3. Execute the $SPLUNK_HOME/bin/splunk start command.
The following output is displayed:
This appears to be an upgrade of Splunk.
--------------------------------------------------------------------------------
Splunk has detected an older version of Splunk installed on this
machine. To
finish upgrading to the new version, Splunk's installer will
automatically
update and alter your current configuration files. Deprecated
configuration
files will be renamed with a .deprecated extension.
You can choose to preview the changes that will be made to your
configuration
files before proceeding with the migration and upgrade:
If you want to migrate and upgrade without previewing the changes that
will be
made to your existing configuration files, choose 'y'.
If you want to see what changes will be made before you proceed with
the
upgrade, choose 'n'.
Perform migration and upgrade without previewing configuration changes?
[y/n]
4. Choose whether you want to run the migration preview script to see what
changes will be made to your existing configuration files, or proceed with the
migration and upgrade right away.
5. If you choose to view the expected changes, the script provides a list.
6. Once you've reviewed these changes and are ready to proceed with migration
and upgrade, run $SPLUNK_HOME/bin/splunk start again.
Note: You can complete Steps 3 to 5 in one line:
To accept the license and view the expected changes (answer 'n') before
continuing the upgrade:
116
$SPLUNK_HOME/bin/splunk start --accept-license --answer-no
To accept the license and begin the upgrade without viewing the changes
(answer 'y'):
$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes
Upgrade to 6.0 on Windows
This topic describes the procedure for upgrading your Windows Splunk instance
from versions 4.3.x or 5.0.x and later to 6.0. You can upgrade using the GUI
installer, or by running the msiexec utility on the command line as described in
"Install on Windows via the command line".
Before you upgrade
Make sure you've read this information before proceeding, as well as the
following:
Make sure you specify the same domain user
When upgrading, you must explicitly specify the same domain user that you
specified during first time install. If you do not specify the same user, Splunk will
default to using the Local System User. If you accidentally specify the wrong user
during your installation, use these instructions to switch to the correct user
before starting Splunk.
Don't change the ports
Splunk does not support changing the management port and/or the HTTP port
when upgrading.
Back your files up
Before you perform the upgrade, we strongly recommend that you back up all of
your files, including Splunk configurations, indexed data and binaries. Splunk
does not provide a means of downgrading to previous versions; if you need to
revert to an older Splunk release, just reinstall it.
117
For information on backing up data, read "Back up indexed data" in the
Managing Indexers and Clusters Manual.
For information on backing up configurations, read "Back up configuration
information" in the Admin manual.
Note: When you upgrade to Splunk 6.0 on Windows, the installer overwrites any
custom certificate authority (CA) certificates you have created in
%SPLUNK_HOME%\etc\auth. If you have custom CA files, make sure to back them
up before you upgrade. After the upgrade, you can copy them back into
%SPLUNK_HOME%\etc\auth to restore them. After you have restored the certificates,
restart Splunk.
Don't attempt to downgrade after you've upgraded
After you upgrade Splunk to version 6, if you need to downgrade, you must
uninstall version 6 of Splunk and then reinstall the previous version of Splunk that
you were using. Do not attempt to install over a Splunk 6 installation with an
installer from a previous version. Doing so can result in a corrupt instance and
data loss.
Upgrade using the GUI installer
1. Stop Splunk by either using the Services control panel or executing the
%SPLUNK_HOME%\bin\splunk stop command.
2. Download the new MSI file from the Splunk download page.
3. Double-click the MSI file. The Welcome panel is displayed. Follow the
on-screen instructions to upgrade Splunk. For information about each panel,
refer to the installation instructions.
4. Splunk will start up by default when you complete the installation.
A log of the changes made to your configuration files during the upgrade is
placed in %TEMP%.
Upgrade using the command line
1. Stop Splunk either by using the Services control panel or executing the
%SPLUNK_HOME%\bin\splunk stop command.
2. Download the new MSI file from the Splunk download page.
118
3. Use the instructions in "Install on Windows via the command line".
If Splunk is running as a user other than the Local System user, you must
explicitly specify this user in your command-line instruction.

You can use the LAUNCHSPLUNK flag to specify whether Splunk should start
up automatically or not when you're finished, but you cannot change any
other settings.

DO NOT change the ports (SPLUNKD_PORT and WEB_PORT) at this time.
4. Depending on your specification, Splunk may start automatically when you
complete the installation.
A log of the changes made to your configuration files during the upgrade is
placed in %TEMP%.
Start Splunk
On Windows, Splunk is installed by default into %SYSTEMDRIVE%\Program
Files\Splunk and is started by default.
You can start and stop the following Splunk processes via the Windows Services
control panel:
Server process: splunkd
Web interface process: splunkweb
You can also start, stop, and restart both processes at once by going to
%SYSTEMDRIVE%\Program Files\Splunk\bin and typing
# splunk [start|stop|restart]
Migrate a Splunk Enterprise instance
This topic discusses the procedure for migrating a Splunk instance from one
server, operating system, architecture, or filesystem to another, while maintaining
the indexed data, configurations, and users. This is different than upgrading an
instance, which is merely installing a new version on top of an older one (though,
an upgrade is a form of migration).
119
When to migrate
There are a number of reasons to migrate a Splunk install:
Your Splunk Enterprise installation is on a server that you wish to retire or
reuse for another purpose.

Your Splunk installation is on an operating system that either your
organization or Splunk no longer supports, and you want to move it to an
operating system that is supported.

You want to switch operating systems (for example, from *nix to Windows
or vice versa)

You want to move your Splunk installation to a different file system.
Your Splunk installation is on 32-bit architecture, and you wish to move it
to a 64-bit architecture for better performance.

Your Splunk installation is on a system architecture that you plan to no
longer support, and you want to move it to an architecture that you do
support.

What to consider when migrating
While migrating a Splunk Enterprise instance is simple in many cases, there are
some important considerations to note when doing so. Depending on the type,
version, and architecture of the systems involved in the migration, you might
need to consider more than one of these items at a time.
When migrating a Splunk instance, note:
Endianness
If you indexed data with a version of Splunk earlier than 4.2, the index files that
comprise that data are sensitive to an operating system's endianness, which is
the way the system organizes the individual bytes of a binary file (or other data
structure).
Some operating systems are big-endian (meaning they store the most significant
byte of a binary file first), and others are little-endian (meaning they store the
least significant byte first). These operating systems create binary files of the
same endianness. Index bucket files are binary, and thus, for versions of Splunk
earlier than 4.2, are the same endianness of the operating system that created
them.
For a listing of processor architectures and the endianness they use, refer to the
Endianness article on Wikipedia.
120
When you migrate a pre-4.2 Splunk instance, in order for the destination system
to be able to read the migrated data, you must transfer index files between
systems with the same kind of endianness (for example, a NetBSD system
running on a SPARC processor to a Linux system also running on a SPARC
processor.)
If you can't move index between systems with the same endianness (for
example, when you want to move from a system that's big-endian to a system
that's little-endian), you can move the data by forwarding it from the big-endian
system to the little-endian system. Then, once you have forwarded all the data,
you can retire the big-endian system.
Index files created by Splunk versions 4.2 and later do not have problems with
endianness.
Differences in Windows and Unix path separators
The path separator (the character used to separate individual directory elements
of a path) on *nix and Windows is different. When moving index files between
these operating systems, you must make sure that the path separator you use is
correct for the operating system you want to move the Splunk installation to. You
must also make sure that you update any Splunk configuration files (in particular,
indexes.conf) to use the correct path separator.
Windows permissions
When moving a Splunk Enterprise instance between Windows servers, make
sure that the destination server has the same rights assigned to it that the source
server does. This includes but is not limited to the following:
Ensure that the file system and/or share permissions on the target server
are correct and allow access for the user that runs Splunk.

If Splunk runs as an account other than the Local System user, that the
user is a member of the local Administrators group and has the
appropriate Local Security Policy or Domain Policy rights assigned to it by
a Group Policy object

Architecture changes
If you downgrade the architecture that your Splunk instance runs on (for
example, 64-bit to 32-bit), you might experience degraded search performance
on the new server due to the larger files that the 64-bit operating system and
Splunk instance created.
121
Distributed and clustered Splunk environments
When you want to migrate data on a distributed Splunk instance (that is, an
indexer that is part of a group of servers that a search head has been configured
to search for events, or a search head that's been configured to search indexers
for data), the you should remove the instance from the distributed environment
before attempting to migrate it.
Bucket IDs and potential bucket collision
If you migrate a Splunk instance to another Splunk instance that already has
existing indexes with identical names, you must make sure that the individual
buckets within those indexes have bucket IDs which do not collide. Splunk will
not start if it encounters indexes with buckets that have colliding bucket IDs.
When copying index data, you might need to rename the copied bucket files in
order to prevent this condition.
How to migrate
To migrate your instance of Splunk Enterprise from one system to another, follow
these instructions:
1. Stop Splunk on the server from which you want to migrate.
2. Copy the entire contents of the $SPLUNK_HOME directory from the old server
to the new server.
Important: Be sure to note any considerations above which might apply to you
when copying the files.
3. Install the appropriate version of Splunk for the target platform.
Note:
On *nix systems, you can extract the tar file you downloaded directly over
the copied files on the new system, or use your package manager to
upgrade using the downloaded package.

On Windows systems, the installer updates the Splunk files automatically.
4. Confirm that index configuration files (indexes.conf) contain the correct
location and path specification for any non-default indexes.
5. Start Splunk on the new Splunk instance.
122
Note: On *nix systems, Splunk detects whether you are migrating and prompts
you on whether or not to upgrade at this time.
6. Log into Splunk. You should be able to log in with your existing credentials.
7. Once logged in, confirm that your data is intact by searching it.
How to move index buckets from one server to another
If you're retiring a Splunk Enterprise server and immediately moving the data to
another Splunk server, you can move individual buckets of an index between
servers, as long as:
The source and target systems have the same endianness.
You are not trying to restore a bucket created by a 4.2 or greater version
of Splunk to a version of Splunk less than 4.2.

To move a bucket from one server to another:
1. Roll any hot buckets on the source system from hot to warm.
2. On the target system, create index(es) that are identical to the ones on the
source system.
Note: Review indexes.conf on the old system to get a list of the indexes on that
system.
3. Copy the index buckets from the source system to the target system.
Note: When copying individual bucket files, you must make sure that no bucket
IDs conflict on the new system. Otherwise, Splunk will not start. You might need
to rename individual bucket directories after you move them from the source
system to the target system.
4. Restart Splunk.
Migrate to the new Splunk licenser
This topic discusses how to migrate your license configuration from a pre-4.2
Splunk deployment to the 4.2+ licenser model.
123
Note: This topic does not cover upgrade of an entire Splunk deployment. Review
"How to upgrade Splunk" in the Installation Manual before you upgrade your
Splunk deployment.
Before you proceed, you might want to review these topics:
Read "How Splunk licensing works" in the Admin manual for an
introduction to Splunk licensing.

Read "Groups, stacks, pools, and other terminology" in the Admin manual
for more information about Splunk license terms.

Old licenses
Migrating from an older version most likely puts you in one of these two
categories:
If you are currently running Splunk 4.0 or later, your license will work in 4.2
and later.

If you're migrating from a version older than 4.0, you must contact your
Splunk Sales representative and arrange for a new license. Splunk also
recommends you review the migration documentation before proceeding
with the migration. Depending on how old your version of Splunk is, you
might want to migrate in multiple steps (for example, first to 4.0, then 4.1,
4.2, and finally 5.0+) to maintain your configurations.

Migrating search heads
If your search heads were previously using old forwarder licenses, they will be
automatically converted to be in the Download-trial group. Before you proceed,
Splunk recommends adding your search heads to an established Enterprise
license pool. Even if they have no indexing volume, this will enable Enterprise
features, especially alerting and authentication.
Migrate a standalone instance
If you've got a single 4.1.x Splunk indexer and it has a single license installed on
it, you can just proceed as normal with your upgrade. Follow the instructions in
the Installation Manual for your platform, and be sure to read the "READ THIS
FIRST" documentation first.
Your existing license will work with the new licenser, and will show up as a valid
stack, with the indexer as a member of the default pool.
124
Migrate a distributed indexing deployment
If you've got multiple 4.1.x indexers, each with their own licenses, follow these
high-level steps in this order to migrate the deployment:
1. Designate one of your Splunk instances as the license master. If you've got a
search head, this is likely a good choice.
2. Install or upgrade the Splunk instance you have chosen to be the license
master, following the standard instructions in the Installation Manual.
3. Configure the license master to accept connections from the indexers as
desired.
4. Upgrade each indexer one at a time, following these steps:
Upgrade an indexer to 5.0 following the instructions in the Installation
Manual. It will be operating as a stand-alone license master until you
perform the following steps.

Make a copy of the indexer's Enterprise license file (pre-4.2 license files
are located in $SPLUNK_HOME/etc/splunk.license on each indexer) and
install it onto the license master, adding it to the stack and pool to which
you want to add the indexer.

Configure the indexer as a license slave and point it at the license
master.

On the license master, confirm that the license slave is connecting as
expected by navigating to Manager > Licensing and looking at the list of
indexers associated with the appropriate pool.

Once you've confirmed the license slave is connecting as expected,
proceed to upgrade the next indexer, following the same steps.

Migrate forwarders
If you have deployed light forwarders, review the information in this chapter
about the universal forwarder in the Forwarding Data Manual. You can upgrade
your existing light forwarders to the universal forwarders, no licensing
configuration is required--the universal forwarder includes its own license.
If you have deployed a heavy forwarder (a full instance of Splunk that performs
indexing before forwarding to another Splunk instance), you can treat it like an
indexer--add it to a license pool along with the other indexers.
125
Uninstall Splunk Enterprise
Uninstall Splunk Enterprise
This topic discusses how to remove Splunk Enterprise from your system.
Before you uninstall, stop Splunk. Navigate to $SPLUNK_HOME/bin and type
./splunk stop (or just splunk stop on Windows).
Uninstall Splunk Enterprise with your package management
utilities
Use your local package management commands to uninstall Splunk. In most
cases, files that were not originally installed by the package will be retained.
These files include your configuration and index files which are under your
installation directory.
Note: $SPLUNK_HOME refers to the Splunk installation directory. On Windows, this
is C:\Program Files\Splunk by default. For most Unix platforms, the default
installation directory is /opt/splunk; for Mac OS, it is /Applications/splunk.
RedHat Linux
To uninstall Splunk on RedHat:
rpm -e splunk_product_name
Debian Linux
To uninstall Splunk on Debian:
dpkg -r splunk
To purge (delete everything, including configuration files) on Debian:
dpkg -P splunk
126
FreeBSD
To uninstall Splunk from the default location on FreeBSD:
pkg_delete splunk
To uninstall Splunk from a different location on FreeBSD:
pkg_delete -p /usr/splunk splunk
Solaris
To uninstall Splunk on Solaris:
pkgrm splunk
HP-UX
To uninstall Splunk on HP-UX, you must stop Splunk, disable boot-start (if you
configured it), and then delete the Splunk installation.
Note: The $SPLUNK_HOME variable refers to the directory where you installed
Splunk.
1. Stop Splunk:
$SPLUNK_HOME/bin/splunk stop
2. If you enabled boot-start, run the following command as root:
$SPLUNK_HOME/bin/splunk disable boot-start
3. Delete the Splunk installation directories:
rm -rf $SPLUNK_HOME
Other things you may want to delete:
If you created any indexes and did not use the Splunk default path, you
must delete those directories as well.

127
If you created a user or group for running Splunk, you should also delete
them.

Windows
To uninstall Splunk on Windows:
Use the Add or Remove Programs option in the Control Panel. In Windows 7
and Windows Server 2008, that option is available under Programs and
Features.
You can also uninstall Splunk from the command line by using the msiexec
executable against the Splunk installer package:
C:\> msiexec /x splunk-<version>-x64.msi
Note: Under some circumstances, the Microsoft installer might present a reboot
prompt during the uninstall process. You can safely ignore this request without
rebooting.
Uninstall Splunk manually
If you can't use package management commands, use these instructions to
uninstall Splunk.
Note: These instructions will not remove any init scripts that have been
created.
1. Stop Splunk.
$SPLUNK_HOME/bin/splunk stop
2. Find and kill any lingering processes that contain "splunk" in its name.
For Linux and Solaris:
kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`
For FreeBSD and Mac OS
128
kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`
3. Remove the Splunk installation directory, $SPLUNK_HOME. For example:
rm -rf /opt/splunk
Note: For Mac OS, you can also remove the installation directory by dragging the
folder into the trash.
3. Remove any Splunk datastore or indexes outside the top-level directory, if they
exist.
rm -rf /opt/splunkdata
4. Delete the splunk user and group, if they exist.
For Linux, Solaris, and FreeBSD:
userdel splunk
groupdel splunk
For Mac OS: You can use the System Preferences > Accounts panel to
manage users and groups.
For Windows: Open a command prompt and run the command msiexec /x
against the msi package that you installed.
129
Reference
PGP Public Key
Following is the Pretty Good Privacy (PGP) public key for Splunk.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)
mQGiBEbE21QRBADEMonUxCV2kQ2oxsJTjYXrYCWCtH5/OnmhK5lT2TQaE9QUTs+w
nM3sVInQqwRwBDH2qsHgqjJS0PIE867n+lVuk0gSVzS5SOlYzQjnSrisvyN452MF
2PgetHq8Lb884cPJnxR6xoFTHqOQueKEOXCovz1eVrjrjfpnmWKa/+5X8wCg/CJ7
pT7OXHFN4XOseVQabetEbWcEAIUaazF2i2x9QDJ+6twTAlX2oqAquqtBzJX5qaHn
OyRdBEU2g4ndiE3QAKybuq5f0UM7GXqdllihVUBatqafySfjlTBaMVzd4ttrDRpq
Wya4ppPMIWcnFG2CXf4+HuyTPgj2cry2oMBm2LMfGhxcqM5mpoyHqUiCn7591Ra/
J2/FA/0c2UAUh/eSiOn89I6FhFOicT5RPtRpxMoEM1Di15zJ7EXY+xBVF9rutqhR
5OI9kdHibYTwf4qjOOPOA7237N1by9GiXY/8s+rDWmSNKZB+xAaLyl7cDhYMv7CP
qFTutvE8BxTsF0MgRuzIHfJQE2quuxKJFs9lkSFGuZhvRuwRcrQgS2ltIFdhbGxh
Y2UgPHJlbGVhc2VAc3BsdW5rLmNvbT6IXgQTEQIAHgUCRsTbVAIbAwYLCQgHAwID
FQIDAxYCAQIeAQIXgAAKCRApYLH9ZT+xEhsPAKDimP8sdCr2ecPm8mre/8TK3Bha
pQCg3/xEickiRKKlpKnySUNLR/ZBh3m5Ag0ERsTbbRAIAIdfWiOBeCj8BqrcTXxm
6MMvdEkjdJCr4xmwaQpYmS4JKK/hJFfpyS8XUgHjBz/7zfR8Ipr2CU59Fy4vb5oU
HeOecK9ag5JFdG2i/VWH/vEJAMCkbN/6aWwhHt992PUZC7EHQ5ufRdxGGap8SPZT
iIKY0OrX6Km6usoVWMTYKNm/v7my8dJ2F46YJ7wIBF7arG/voMOg1Cbn7pCwCAtg
jOhgjdPXRJUEzZP3AfLIc3t5iq5n5FYLGAOpT7OIroM5AkgbVLfj+cjKaGD5UZW7
SO0akWhTbVHSCDJoZAGJrvJs5DHcEnCjVy9AJxTNMs9GOwWaixfyQ7jgMNWKHJp+
EyMAAwYH/RLNK0HHVSByPWnS2t5sXedIGAgm0fTHhVUCWQxN3knDIRMdkqDTnDKd
qcqYFsEljazI2kx1ZlWdUGmvU+Zb8FCH90ej8O6jdFLKJaq50/I/oY0+/+DRBZJG
3oKu/CK2NH2VnK1KLzAYnd2wZQAEja4O1CBV0hgutVf/ZxzDUAr/XqPHy5+EYg96
4Xz0PdZiZKOhJ5g4QjhhOL3jQwcBuyFbJADw8+Tsk8RJqZvHfuwPouVU+8F2vLJK
iF2HbKOUJvdH5GfFuk6o5V8nnir7xSrVj4abfP4xA6RVum3HtWoD7t//75gLcW77
kXDR8pmmnddm5VXnAuk+GTPGACj98+eISQQYEQIACQUCRsTbbQIbDAAKCRApYLH9
ZT+xEiVuAJ9INUCilkgXSNu9p27zxTZh1kL04QCg6YfWldq/MWPCwa1PgiHrVJng
p4s=
=Mz6T
-----END PGP PUBLIC KEY BLOCK-----
Installing the key
Copy and paste the key into a file. Install the key using:
rpm --import <filename>
130