400 bad request 400 bad request nginx/1.2.9

Splunk Enterprise 6.0

Installation Manual

Generated: 11/05/2013 12:28 pm

Copyright (c) 2013 Splunk Inc. All Rights Reserved

Table of ContentsWelcome to the Splunk Enterprise Installation Manual...................................1

What's in this manual................................................................................1

Plan your Splunk Enterprise installation...........................................................2 Installation overview..................................................................................2System requirements.................................................................................3 Components of a Splunk deployment.....................................................10 Estimate your storage requirements.......................................................11 Splunk architecture and processes.........................................................13 Information on Windows third-party binaries distributed with Splunk......16 Step-by-step installation instructions.......................................................19 Secure your Splunk installation...............................................................19

Estimate hardware requirements.....................................................................20Hardware capacity planning for your Splunk deployment........................20 How incoming data affects Splunk performance.....................................22 How indexed data impacts Splunk performance.....................................23 How the number of concurrent users impacts Splunk performance.......23 How saved searches affect Splunk performance....................................24 How search types impact Splunk performance.......................................24 How Splunk apps affect Splunk performance.........................................26 How Splunk calculates disk storage........................................................26 Reference hardware................................................................................27 Performance questionnaire.....................................................................29 Summary of performance recommendations..........................................32

Install Splunk Enterprise on Windows.............................................................34Choose the Windows user Splunk should run as.....................................34 Prepare your Windows network for a Splunk installation as a network

or domain user.........................................................................................38 Install on Windows..................................................................................46 Install on Windows via the command line...............................................50Correct the user selected during Windows installation............................58

Install Splunk Enterprise on Unix, Linux or Mac OS X...................................60 Install on Linux........................................................................................60 Install on Solaris......................................................................................63 Install on Mac OS....................................................................................67 Install on FreeBSD..................................................................................71

i

Table of ContentsInstall Splunk Enterprise on Unix, Linux or Mac OS X

Install on AIX...........................................................................................75 Install on HP-UX......................................................................................77 Run Splunk as a different or non-root user.............................................79

Start using Splunk Enterprise..........................................................................82 Start Splunk for the first time...................................................................82What happens next?................................................................................84 Learn about Splunk's accessibility..........................................................85

Install a Splunk Enterprise license...................................................................87 About Splunk licenses.............................................................................87 Install a license........................................................................................87

Upgrade or migrate Splunk Enterprise............................................................90 How to upgrade Splunk...........................................................................90 About Upgrading to 6.0 - READ THIS FIRST.........................................92 How Splunk Web procedures have changed from version 5 to version 6.................................................................................................101 Changes for Splunk App developers.....................................................102 Upgrade to 6.0 on UNIX........................................................................107 Upgrade to 6.0 on Windows..................................................................110 Migrate a Splunk instance.....................................................................112 Migrate to the new Splunk licenser.......................................................117

Uninstall Splunk Enterprise............................................................................120 Uninstall Splunk....................................................................................120

Reference..........................................................................................................124 PGP Public Key.....................................................................................124

ii

Welcome to the Splunk EnterpriseInstallation Manual

What's in this manual

Use the Installation Manual to learn how to install Splunk Enterprise.

In this manual, you can find:

System requirements• Licensing information• Procedures for installing• Procedures for upgrading from a previous version•

...and more.

Note: If you want to install the Splunk universal forwarder, read "Universalforwarder deployment overview" in the Forwarding Data Manual. Unlike Splunkheavy and light forwarders, which are full Splunk Enterprise instances withsome features changed or disabled, the universal forwarder is an entirelyseparate executable, with its own set of installation procedures. For anintroduction to forwarders, see "About forwarding and receiving".

Find what you need

You can use the table of contents to the left of this panel, or simply search forwhat you want in the search box in the upper right.

If you're interested in more specific scenarios and best practices, you can visitthe Splunk Community Wiki to see how other users Splunk IT.

Make a PDF

If you'd like a PDF of any version of this manual, click the red Download as PDFlink below the table of contents on the left side of this page. A PDF version of themanual is generated on the fly for you, and you can save it or print it out to readlater.

1

Plan your Splunk Enterprise installation

Installation overview

This topic discusses the basic steps required to install Splunk on a computer. Westrongly suggest that you read this topic and the contents of this chapter firstbefore performing an installation.

Installation basics

The following list provides general guidance on how to install Splunk:

1. Review the system requirements for installation. Specific additionalrequirements might apply based on the operating system you install Splunk on,and how you plan to use Splunk.

2. Read "Components of a Splunk deployment" to learn about Splunk'secosystem, and "Splunk architecture and processes" to learn what the Splunkinstaller puts on your computer.

3. Download the correct installation package for your system from the Splunkdownload page.

4. Perform the installation using the step-by-step installation instructions for youroperating system.

5. If this is the first time you have installed Splunk, you might want to considerreading the Splunk Search Tutorial to learn how to index data into Splunk andsearch that data using Splunk's search language.

6. After you've installed Splunk, you can calculate how much space you need toindex your data. Read "Estimate your storage requirements" for additionalinformation.

7. If you plan to run Splunk in a production environment, review "Hardwarecapacity planning for your Splunk deployment" in this manual for insight into theamount of hardware a Splunk deployment requires.

2

Upgrading or migrating a Splunk instance?

If you're upgrading from an earlier version of Splunk, read "How to upgradeSplunk" in this manual for information and specific instructions.

If you want to know how to migrate a Splunk instance from one system toanother, read "Migrate a Splunk instance" in this manual.

System requirements

Before you download and install the Splunk software, read this topic to learnwhich computing environments Splunk supports.

Refer to the download page for the latest version to download. Check the releasenotes for details on known and resolved issues.

For a discussion of hardware planning for deployment, review "Hardwarecapacity planning for your Splunk deployment" in this manual.

If you have ideas or requests for new features to add to future releases, get intouch with Splunk Support. You can also review our product road map.

Supported OSes

Important: Read the following tables carefully when researching the systemrequirements. Splunk availability has changed significantly from previousversions.

The tables below list the computing platforms that Splunk is available for.

To find out whether or not Splunk is available for your platform:

1. Find the operating system you wish to install Splunk on in the left column.

2. Then, read across to find the appropriate computing architecture in the centercolumn that best matches your environment.

The tables show availability for two different types of Splunk, as shown in the twocolumns on the right: Splunk Enterprise/Trial, and Splunk UniversalForwarder. An 'x' in the box that intersects your computing platform and desiredSplunk type means that Splunk is available for that platform. An empty box

3

means that Splunk is not available for that platform.

Some boxes have characters in addition to - or instead of - an 'x'. Refer to thebottom of the tables to find out what the additional characters represent.

Unix operating systems

Operatingsystem Architecture Enterprise / Trial Universal Forwarder

Solaris 8* and 9x86 (64-bit) x

SPARC x

x86 (32-bit) x*

Solaris 10 and11*

x86 (64-bit) x* x*

SPARC x x

x86 (32-bit) x* x*

Linux, 2.4+ withNative POSIXThread Library

x86 (64-bit)

x86 (32-bit) x

Linux, 2.6+ x86 (64-bit) x x

x86 (32-bit) x x

Linux, 3.0+ x86 (64-bit) x x

x86 (32-bit) x x

PowerLinux,2.6+ PowerPC x

FreeBSD 7**and 8

x86 (64-bit) x x

x86 (32-bit) x x

Mac OS X 10.7and 10.8 Intel x x

AIX 5.3 PowerPC x

AIX 6.1 and 7.1 PowerPC x x

HP/UX? 11i v2and 11i v3

Itanium x x

PA-RISC x* Solaris 8 does not support 64-bit Splunk installs. Also, Solaris 11 does notsupport 32-bit Splunk installs.** Be sure to read important notes on FreeBSD 7 below.

4

? You must use gnu tar to unpack the HP/UX installation archive.

Windows operating systems

The table below lists the Windows computing platforms that Splunk is availablefor.

Operatingsystem Architecture Enterprise / Trial Universal Forwarder

Windows Server2003 and Server2003 R2

x86 (64-bit) x x

x86 (32-bit) x*** x***

Windows Server2008 and Server2008 R2

x86 (64-bit) x x

x86 (32-bit) x*** x***

Windows Server2012 x86 (64-bit) x x

Windows XP x86 (64-bit) x

x86 (32-bit) x***

Windows Vista x86 (64-bit) ¶ x

x86 (32-bit) ¶ x***

Windows 7 x86 (64-bit) x x

x86 (32-bit) x*** x***

Windows 8 x86 (64-bit) x x

x86 (32-bit) x x*** This version of Splunk is supported but is not recommended on this platformand architecture.¶ Splunk Enterprise is not available on this platform. However, Splunk Trial andSplunk Universal Forwarder are available.

Operating system notes and additional information

Windows

Certain parts of Splunk on Windows require elevated user permissions tofunction properly. For additional information about what is required, read thefollowing topics:

5

"Splunk architecture and processes" in this manual.• "Choose the user Splunk should run as" in this manual.• "Considerations for deciding how to monitor remote Windows data" in theGetting Data In Manual.

•

FreeBSD 7.x

To run Splunk 6.x on 32-bit FreeBSD 7.x, install the compat6x libraries. SplunkSupport will supply "best effort" support for users running on FreeBSD 7.x. Formore information, refer to "Install Splunk on FreeBSD 7" in the Community Wiki.

Deprecated operating systems and features

As we continue to version the Splunk product, we gradually deprecate support ofolder operating systems. Be sure to read "Deprecated features" in the ReleaseNotes for information on which platforms and features have been deprecated orremoved entirely.

Creating and editing configuration files on non-UTF-8 OSes

Splunk expects configuration files to be in ASCII or Universal Character SetTransformation Format-8-bit (UTF-8) format. If you edit or create a configurationfile on an OS that does not use UTF-8 character set encoding, then you mustensure that the editor you are using is configured to save in ASCII/UTF-8.

IPv6 platform support

All Splunk-supported OS platforms are supported for use with IPv6 configurationsexcept for the following:

AIX• HP/UX on PA-RISC architecture• Solaris 9•

Refer to "Configure Splunk for IPv6" in the Admin Manual for details on SplunkIPv6 support.

Supported browsers

Splunk supports the following browsers:

Firefox 10.x and latest• Internet Explorer 7, 8, 9, and 10•

6

Safari (latest)• Chrome (latest)•

You should also make sure you have the latest version of Adobe Flash installedto render any charts that use options not supported by the JSChart module. Formore information about this subject, see "About JSChart" in the Splunk DataVisualizations Manual.

Recommended hardware

Splunk is a high-performance application. If you are performing a comprehensiveevaluation of Splunk for production deployment, we recommend that you usehardware typical of your production environment. This hardware should meet orexceed the recommended hardware capacity specifications below.

For a discussion of hardware planning for production deployment, see"Hardware capacity planning for your Splunk deployment" in this manual.

Splunk and virtual machines

If you run Splunk in a virtual machine (VM) on any platform, performance doesdegrade. This is because virtualization works by abstracting the hardware on asystem into resource pools from which VMs defined on the system draw asneeded. Splunk needs sustained access to a number of resources, particularlydisk I/O, for indexing operations. Running Splunk in a VM or alongside other VMscan cause reduced indexing performance.

Recommended and minimum hardware capacity

Platform Recommended hardwarecapacity/configuration

Minimumsupportedhardwarecapacity

Non-Windowsplatforms

2x six-core, 2+ GHz CPU, 12 GB RAM,Redundant Array of Independent Disks(RAID) 0 or 1+0, with a 64 bit OS installed.

1x1.4 GHz CPU,1 GB RAM

Windowsplatforms

2x six-core, 2+ GHz CPU, 12 GB RAM,RAID 0 or 1+0, with a 64 bit OS installed.

Pentium 4 orequivalent at 2GHz, 2 GB RAM

Note: RAID 0 configurations do not provide fault-tolerance. Be certain that aRAID 0 configuration meets your data reliability needs before deploying a Splunkindexer on a system configured with RAID 0.

7

All configurations other than universal and light forwarder instancesrequire at least the recommended hardware configuration.

•

The minimum supported hardware guidelines are designed for personaluse of Splunk. The requirements for Splunk in a production environmentare significantly higher.

•

Important: For all installations, including forwarders, you must have a minimumof 5 GB of hard disk space available in addition to the space required for anyindexes. Refer to "Estimate your storage requirements" in this manual foradditional information.

Hardware requirements for universal and light forwarders

Recommended Dual-core 1.5 GHz+ processor, 1 GB+ RAM

Minimum 1.0 Ghz processor, 512 MB RAM

Supported file systems

Platform File systems

Linux ext2/3/4, reiser3, XFS, NFS 3/4

Solaris UFS, ZFS, VXFS, NFS 3/4

FreeBSD FFS, UFS, NFS 3/4, ZFS

Mac OS X HFS, NFS 3/4

AIX JFS, JFS2, NFS 3/4

HP-UX VXFS, NFS 3/4

Windows NTFS, FAT32Note: If you run Splunk on a filesystem that is not listed above, Splunk might runa startup utility named locktest to test the viability of a filesystem for runningSplunk. Locktest is a program that tests the start up process. If locktest runsand fails, then the filesystem is not suitable for running Splunk.

Considerations regarding file descriptors (FDs) on *nix systems

Splunk allocates file descriptors on *nix systems for actively monitored files,forwarder connections, deployment clients, users running searches, and so on.

Usually, the default file descriptor limit (controlled by the ulimit command on a*nix-based OS) is 1024. Your Splunk administrator should determine the correctlevel, but it should be at least 8192. Even if Splunk allocates just a single filedescriptor for each of the activities above, it?s easy to see how a few hundred

8

files being monitored, a few hundred forwarders sending data, a handful of veryactive users on top of reading/writing to/from the datastore can easily exhaust thedefault setting.

The more tasks your Splunk instance is doing, the more FDs it will need, so youshould increase the ulimit value if you start to see your instance run intoproblems with low FD limits.

For more information, read about ulimit in the Troubleshooting Manual.

This consideration is not applicable to Windows-based systems.

Considerations regarding Network File System (NFS)

When choosing to use Network File System (NFS) as a storage medium forSplunk indexing, it is important to consider all of the ramifications of file levelstorage.

Splunk strongly recommends that you use block level storage rather than filelevel storage for indexing your data.

In environments with reliable, very high-bandwidth low-latency links, or withvendors that provide high-availability, clustered network storage, NFS can be anappropriate choice. However, customers who plan to choose this strategy shouldwork closely with their hardware vendor to confirm that the storage platform theychoose performs to the desired specification in terms of both performance anddata integrity.

If you choose to use NFS, note the following caveats:

Splunk does not support "soft" NFS mounts (mounts which cause aprogram attempting a file operation on the mount to report an error andcontinue in case of a failure).

•

Only "hard" NFS mounts - mounts where the client continues to attempt tocontact the server in case of a failure) are reliable with Splunk.

•

Do not disable attribute caching. If you have other applications whichrequire disabling or reducing attribute caching, then you must provideSplunk a separate mount with attribute caching enabled.

•

Do not use NFS mounts over a wide area network (WAN). Doing socauses performance issues and can potentially lead to data loss.

•

9

Considerations regarding solid state drives

Solid state drives (SSDs) deliver significant performance gains over conventionalhard drives for Splunk in "rare" searches - searches that request small sets ofresults over large swaths of data - when used in combination with bloom filters.They also deliver performance gains with concurrent searches overall.

Supported server hardware architectures

32 and 64-bit architectures are supported for some platforms. See the downloadpage for details.

Components of a Splunk deployment

Splunk is simple to deploy by design. By using a single software component andeasy to understand configurations, Splunk can coexist with existing infrastructureor be deployed as a universal platform for accessing IT data.

The simplest deployment is the one you get by default when you install Splunk:indexing and searching on the same server. Data comes in from the sourcesyou've configured, and you log into Splunk Web or the CLI on this same server tosearch, monitor, alert, and report on your IT data.

Depending on your needs, you can also deploy components of Splunk ondifferent servers to address your load and availability requirements. This sectionintroduces the types of components. For a more thorough introduction, see theDistributed Deployment manual, particularly the topic, "Scale your deployment:Splunk components".

Indexer

Splunk indexers, or index servers, provide indexing capability for local andremote data and host the primary Splunk datastore, as well as Splunk Web.Refer to "How indexing works" in the Managing Indexers and Clusters manual formore information.

Search peer

A search peer is an indexer that services requests from search heads in adistributed search deployment. Search peers are also sometimes referred to asindexer nodes.

10

Search head

A search head is a Splunk instance configured to distribute searches toindexers, or search peers. Search heads can be either dedicated or not,depending on whether they also perform indexing. Dedicated search heads don'thave any indexes of their own (other than the usual internal indexes). Instead,they consolidate results that originate from remote search peers.

See "What is distributed search" in the Distributed Search Manual to configure asearch head to search across a pool of indexers.

Forwarder

Forwarders are Splunk instances that forward data to remote indexers forindexing and storage. In most cases, they do not index data themselves. Refer tothe "About forwarding and receiving" topic in the Forwarding Data manual.

Deployment server

Both indexers and forwarders can also act as deployment servers. Adeployment server distributes configuration information to running instances ofSplunk via a push mechanism which is enabled through configuration. Refer to"About deployment server" in the Updating Splunk Instances manual foradditional information about the deployment server.

Functions at a glance

Functions Indexer Search head Forwarder Deploymentserver

Indexing x

Web x

Direct search x

Forward to indexer x

Deployconfigurations x x x

Estimate your storage requirements

11

This topic describes how to estimate the size of your Splunk index, so that youcan plan your storage capacity requirements.

When Splunk indexes your data, it creates two main types of files: the "rawdata"file that contains the original data in compressed form and the index files thatpoint to this data. (It also creates a few metadata files, which don't consumemuch space.) With a little experimentation, you can estimate how much indexdisk space you will need for a given amount of incoming data.

Typically, the compressed rawdata file is approximately 10% the size of theincoming, pre-indexed raw data. The associated index files range in size fromapproximately 10% to 110% of the rawdata file. This value is affected strongly bythe number of unique terms in the data. Depending on the data's characteristics,you might want to tune your segmentation settings, as described in "Aboutsegmentation" in the Getting Data In Manual.

The best way to get an idea of your space needs is to experiment by indexing arepresentative sample of your data, and then checking the sizes of the resultingdirectories in defaultdb.

On *nix systems, follow these steps

Once you've indexed your data sample:

1. Go to $SPLUNK_HOME/var/lib/splunk/defaultdb/db.

2. Run du -ch hot_v* and look at the last total line to see the size of the index.

On Windows systems, follow these steps

1. Download the du utility from Microsoft TechNet.

2. Extract du.exe from the downloaded ZIP file and place it into your%SYSTEMROOT% folder.

Note: You can also place it anywhere in your %PATH%.

3. Open a command prompt.

4. Once there, go to %SPLUNK_HOME%\var\lib\splunk\defaultdb\db.

5. Run del %TEMP%\du.txt & for /d %i in (hot_v*) do du -q -u %i\rawdata| findstr /b "Size:" >> %TEMP%\du.txt.

12

6. Open the %TEMP%\du.txt file. You will see Size: n, which is the size of eachrawdata directory found.

7. Add these numbers together to find out how large the compressed persistedraw data is.

8. Next, run for /d %i in (hot_v*) do dir /s %i, the summary of which is thesize of the index.

9. Add this number to the total persistent raw data number.

This is the total size of the index and associated data for the sample you haveindexed. You can now use this to extrapolate the size requirements of yourSplunk index and rawdata directories over time.

Answers

Have questions? Visit Splunk Answers to see what questions and answers otherSplunk users had about data sizing.

Splunk architecture and processes

This topic discusses Splunk's internal architecture and processes at a high level.If you're looking for information about third-party components used in Splunk,refer to the credits section in the Release notes.

Processes

A Splunk server runs two processes (installed as services on Windows systems)on your host, splunkd and splunkweb:

splunkd is a distributed C/C++ server that accesses, processes andindexes streaming IT data. It also handles search requests. splunkdprocesses and indexes your data by streaming it through a series ofpipelines, each made up of a series of processors.

Pipelines are single threads inside the splunkd process, eachconfigured with a single snippet of XML.

♦

Processors are individual, reusable C or C++ functions that act onthe stream of IT data passing through a pipeline. Pipelines canpass data to one another via queues. splunkd supports acommand line interface for searching and viewing results.

♦

•

13

splunkweb is a Python-based application server based on CherryPy thatprovides the Splunk Web user interface. It allows users to search andnavigate data stored by Splunk servers and to manage your Splunkdeployment through a Web interface.

•

splunkweb and splunkd can both communicate with your Web browser viaREpresentational State Transfer (REST):

splunkd also runs a Web server on port 8089 with SSL/HTTPS turned onby default.

•

splunkweb runs a Web server on port 8000 without SSL/HTTPS by default.•

On Windows systems, splunkweb.exe is a third-party, open-source executablethat Splunk renames from pythonservice.exe. Since it is a renamed file, it doesnot contain the same file version information as other Splunk for Windowsbinaries.

Read information on other Windows third-party binaries distributed with Splunk.

Splunk and Windows in Safe Mode

Neither the splunkd, the splunkweb, nor the SplunkForwarder services starts ifWindows is in Safe Mode. Additionally, if you attempt to start Splunk from theStart Menu while in Safe Mode, Splunk does not alert you to the fact that itsservices are not running.

Additional processes for Splunk on Windows

On Windows instances of Splunk, in addition to the two services describedabove, there are additional processes that Splunk uses when you create specificdata inputs on a Splunk instance. These scripted inputs run when configured bycertain types of Windows-specific data input.

splunk.exe

splunk.exe is the control application for the Windows version of Splunk. Itprovides the command line interface (CLI) for the program, and allows you tostart, stop, and configure Splunk, similar to the *nix splunk program.

Important: splunk.exe requires an elevated context to run because of how itcontrols the splunkd and splunkweb processes. Splunk might not functioncorrectly if this executable is not given the appropriate permissions on yourWindows system. This is not an issue if you install Splunk as the Local System

14

user.

splunk-admon

splunk-admon.exe is spawned by splunkd whenever you configure an ActiveDirectory (AD) monitoring input. splunk-admon's purpose is to attach to thenearest available AD domain controller and gather change events generated byAD. Splunk then stores these events in the desired index.

splunk-perfmon

splunk-perfmon.exe runs when you configure Splunk to monitor performancedata on the local machine. This service attaches to the Performance Data Helperlibraries, which query the performance libraries on the system and extractperformance metrics both instantaneously and over time.

splunk-netmon

splunk-netmon (new for version 6.0) runs when you configure Splunk to monitorWindows network information on the local machine.

splunk-regmon

splunk-regmon.exe runs when you configure a Registry monitoring input inSplunk. This scripted input initially writes a baseline for the Registry as itcurrently exists (if desired), then monitors changes to the Registry over time.Those changes come back into Splunk as searchable events.

splunk-winevtlog

You can use this utility to test defined event log collections, and it outputs eventsas they are collected for investigation. Splunk has a Windows event log inputprocessor built into the engine.

splunk-winhostmon

splunk-winhostmon (new for version 6.0) runs when you configure a Windowshost monitoring input in Splunk. This scripted input gets detailed informationabout Windows hosts.

15

splunk-winprintmon

splunk-winprintmon (new for version 6.0) runs when you configure a Windowsprint monitoring input in Splunk. This scripted input gets detailed informationabout Windows printers and print jobs on the local system.

splunk-wmi

When you configure a performance monitoring, event log or other input against aremote computer, this program starts up. Depending on how you configure theinput, either it attempts to attach to and read Windows event logs as they comeover the wire, or it executes a Windows Query Language (WQL) query againstthe Windows Management Instrumentation (WMI) provider on the specifiedremote machine(s). Splunk then stores the events.

Architecture diagram

Information on Windows third-party binariesdistributed with Splunk

This topic provides additional information on the third-party Windows binariesthat the Splunk Enterprise and the Splunk universal forwarder packages include.

For more information about Splunk's universal forwarder, read "Deploy theuniversal forwarder" in the Forwarding Data Manual.

Third-party Windows binaries included with Splunk

The following third-party Windows binaries ship with the Splunk product. Exceptwhere indicated, only the Splunk Enterprise product includes these binaries.

16

These binaries provide functionality to Splunk as shown in their individualdescriptions. None of them contains file version information or authenticodesignatures (certificates which prove the binary file's authenticity). Additionally,Splunk does not provide support for debug symbols related to third-partymodules.

Note: Only the third party binaries, apps and scripts that ship with Splunk havebeen tested for Certified for Windows Server 2008 R2 (CFW2008R2) WindowsLogo compliance. Any other binaries, apps, or scripts - such as those youdownload from the Internet in the course of extending Splunk's capabilities - havenot been tested for this compliance.

Archive.dll

Libarchive.dll is a multi-format archive and compression library.

Both Splunk Enterprise and the Splunk universal forwarder include this binary.

Bzip2.exe

Bzip2 is a freely available, patent-free (see below), high-quality data compressor.It typically compresses files to within 10% to 15% of the best availabletechniques (the PPM family of statistical compressors), whilst being around twiceas fast at compression and six times faster at decompression.

Jsmin.exe

Jsmin.exe is an executable that removes whitespace and comments fromJavaScript files, reducing their size.

Libexslt.dll

Libexslt.dll is the Extensions to Extensible Stylesheet Language Transformation(EXSLT) dynamic link C library developed for libxslt (a part of the GNOMEproject).


Libxml2.dll

Libxml2.dll is the Extensible Markup Language (XML) C parser and toolkitdeveloped for the GNOME project (but usable outside of the GNOME platform),

17


Libxslt.dll

Libxslt.dll is the XML Stylesheet Language for Transformations (XSLT) dynamiclink C library developed for the GNOME project. XSLT itself is an XML languageto define transformation for XML. Libxslt is based on libxml2 the XML C librarydeveloped for the GNOME project. It also implements most of the EXSLT set ofprocessor-portable extensions functions and some of Saxon's evaluate andexpressions extensions.


Minigzip.exe

Minigzip.exe is the minimal implementation of the ?gzip? compression tool.

Openssl.exe

The OpenSSL Project is a collaborative effort to develop a robust,commercial-grade, full-featured, and open source toolkit implementing theSecure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)protocols as well as a full-strength general purpose cryptography library.


Python.exe

Python.exe is the Python programming language binary for Windows.

Pythoncom.dll

Pythoncom.dll is a module that encapsulates the Object Linking and Embedding(OLE) automation API for Python.

Pywintypes27.dll

Pywintypes27.dll is a module that encapsulates Windows types for Pythonversion 2.7.

18

Step-by-step installation instructions

Now that you've learned what Splunk is and what is needed to install it, you canget detailed installation procedures for your operating system:

Windows• Windows (from the command line)• Linux• Solaris• Mac OS X• FreeBSD• AIX• HP-UX•

Secure your Splunk installation

As soon as you set up and begin using your new Splunk installation or upgrade,you should perform a few additional steps to ensure that Splunk and your dataare secure. Taking the proper steps to secure Splunk reduces its attack surfaceand mitigates the risk and impact of most vulnerabilities.

Some key actions you should take after installation:

Modify your default passwords. You can easily set your passwords acrossall servers to lock down your system.

•

Configure secure authentication. We provide guidelines and furtherinstructions for adding SSL encryption and authentication to yourconfiguration.

•

Audit and monitor your system regularly. We offer plenty of ways tomonitor and audit your systems.

•

Lock down your network access and configuration. Take a few steps tomake your Splunk physically and virtually more secure.

•

Use Access Control Lists (ACLs) to restrict the IPs that access parts ofyour networks.

•

The Securing Splunk manual provides information about the many ways you canor should secure Splunk.

For a checklist of things you should do to harden your Splunk configuration,review the hardening standards in the Securing Splunk manual.

19

Estimate hardware requirements

Hardware capacity planning for your Splunkdeployment

Splunk is a flexible product that meets almost any scale and redundancyrequirement in the course of its operation. Taking advantage of that flexibilityrequires careful planning. This chapter discusses high level hardware guidancefor Splunk deployments and describes how Splunk uses hardware resources invarious situations.

Before deciding on your hardware outlay for Splunk:

1. Be sure to review "Components of a Splunk Deployment" in this manual for adescription of all of the elements of a Splunk installation.

2. Next, learn about the type of hardware that comprises a "single indexer" byreading "Reference hardware."

3. Finally, read the remaining topics in this chapter to learn how Splunkoperations impact performance and how to maximize that performance.

Dimensions of a Splunk deployment

In some cases, a single indexer can handle the load of both searching andindexing.

There are scenarios where you must consider adding infrastructure to yourSplunk deployment for maximum efficiency and performance. Below is a list ofthings that significantly impact Splunk's performance:

1. The amount of incoming data. The more data you send to Splunk, the moretime Splunk needs to index it into results that you can search, report andgenerate alerts on.

2. The amount of indexed data. As the amount of data stored in Splunk's indexgoes up, the server that indexes that data requires additional bandwidth both tostore the data and provide results for searches.

20

3. The number of concurrent users. If more than one person at a time uses aninstance of Splunk, that instance requires more resources for those users to dosearches and create reports and dashboards.

4. The number of saved searches. If you plan on running a lot of savedsearches, Splunk needs capacity to perform those searches promptly andefficiently. The more saved searches you run in a given period of time, the moreresources are required.

5. The types of search you employ. Almost as important as the number ofsaved searches is the types of search that you run against a Splunk system.There are several different types of search, each of which affects how theindexer responds to search requests.

6. Whether or not you run Splunk apps. Splunk apps and solutions can haveunique performance, deployment, and configuration considerations. If you planon running apps, make sure you consider the resource requirements of theapp(s) you are using. Refer to the installation and deployment section of yourapp or solution's documentation for additional information. Additionally, read"Hardware capacity planning for a distributed Splunk deployment" to learn how toproperly size your environment for an app's increased resource requirements.

How do these dimensions impact overall performance?

Follow the links above to determine how each of the dimensions impactsperformance on a reference indexer.

While these factors impact the basic sizing requirements of your Splunkdeployment on the whole, it's important to understand that addressing each ofthem individually does not guarantee peak efficiency for your Splunk deployment.You must discover how these factors correlate with one another in your specificapplication in order to realize maximum performance.

For example, if your Splunk deployment calls for a low amount of indexing buthas a high number of concurrent users, it has significantly different resourceneeds than a setup with a low number of concurrent users and a high amount ofdaily indexing volume. Additionally, as both user count and amount of indexeddata rise, you must distribute the environment across multiple servers to maintaina similar performance level. Search types complicate matters further, as someare bound by available CPU resources, and others are bound by the speed of thedisk subsystem.

21

When should I scale my Splunk deployment?

To best answer this question you must understand how the above Splunkdeployment dimensions apply to your specific use case. Ask yourself thesequestions, then refer to the performance questionnaire later in this chapter tohelp ascertain when you should add more hardware resources:

How much data do you expect to index daily?• How much data do you need to retain?• How many users do you expect to search through the data at any onetime?

•

Do you plan to use certain specific searches more than once?• Do you want or need to use a Splunk app to present or manipulate yourdata?

•

The key to a well-performing installation is to develop a plan early in thedeployment cycle to account for both your initial outlay of hardware resources, aswell as the addition of resources when the deployment scales up.

You can read about capacity planning for a distributed deployment at "Hardwarecapacity planning for a distributed Splunk deployment" in the DistributedDeployment Manual.

How incoming data affects Splunk performance

This topic discusses how incoming data impacts Splunk indexing performance.

A reference Splunk indexer can index a significant amount of data in a shortperiod of time - up to 5.8 MB of data per second - or 500 GB per day. This is ifthe server is doing nothing else but consuming data.

Performance changes depending on the size and amount of incoming data.Larger events slow down indexing performance. As events increase in size, theindexer uses more system memory to process and index them.

If you need more indexing capacity than a single indexer can provide, you mustadd indexers into the deployment to account for the increased demand.

22

How indexed data impacts Splunk performance

This topic discusses how data that has already been consumed by Splunk affectsSplunk performance.

Once Splunk consumes data and places it into indexes, those indexes grow,taking up disk space. As the indexes grow and available disk space decreases,Splunk takes more time to index incoming data because the indexer's disksubsystem takes more time to find space to store the data.

This impacts search as well. On a single indexer, disk throughput splits betweenindexing (which is ongoing) and search requests (which are interrupts based onrequests scheduled by users.) As indexes grow, search slows down because notonly does the disk subsystem need to account for search requests, it also needsto handle increasingly longer requests to store incoming data. Depending on thetype of search, those kinds of requests can be very I/O-intensive.

How the number of concurrent users impactsSplunk performance

This topic discusses how the number of concurrent users impacts Splunk'sperformance on a single indexer.

A reference Splunk indexer needs to dedicate one of its available CPU cores forevery user that logs into the system. This CPU core only handles the actualsession itself. When a user starts searching, each search request takes up anadditional CPU core, for as long as the search is active.

These figures assume that CPUs are idle when they receive a login or searchrequest. This does not account for other system requests, or CPU cores used bySplunk to index data. If they're processing any other system requests, then theload splits across other available CPUs.

As CPU cores get used up, all activities on an indexer slow down as thecomputer splits processing time between indexing, search, and handling on-lineusers. At that point, only additional indexers can increase capacity for all threefunctions of Splunk operation.

23

How saved searches affect Splunk performance

This topic discusses how the number of saved searches - searches that yousave to use again at a later time - affect Splunk performance.

On a reference Splunk indexer, a saved search consumes about 1 CPU core anda specified amount of memory while it executes. It also increases the amount ofdisk I/O temporarily as the disk subsystem looks through the indexes to fetch thedesired data.

Each additional saved search that executes at the same time consumes anadditional CPU core. This consumption is separate from CPU usage from theoperating system and Splunk indexing and storage processes.

If more saved searches execute than can be accepted for processing, they willqueue. Splunk also warns you when the system reaches the maximum numberof saved searches. When searches queue, search results return more slowly.

Adding indexers and search heads provides additional CPU cores to run moreconcurrent searches. Adding RAM to your existing machines helps withconcurrent searches but does not give you additional search capacity.

How search types impact Splunk performance

This topic discusses how the different types of search impact Splunk's overallperformance on a single reference indexer.

There are four basic types of search that you can invoke against data stored in aSplunk index. Each of these search types impacts the Splunk indexer in adifferent way. The search types are:

Dense. A dense search is a search that returns a large percentage (10% ormore) of matching results for a given set of data in a given period of time. Areference server should be able to fetch up to 50,000 matching events persecond for a dense search. Dense searches usually tax a server's CPU first,because of the overhead required to decompress the raw data stored in a Splunkindex.

Sparse. Sparse searches return smaller numbers of results for a given set ofdata in a given period of time (anywhere from .01 to 1%) than dense searchesdo. A reference indexer should be able to fetch up to 5,000 matching events per

24

second when executing a sparse search.

Super-sparse. A super-sparse search is a "needle in the haystack" search thatretrieves only a very small number of results across the same set of data withinthe same time period as the other searches. A super-sparse search is very I/Ointensive because the indexer must look through all of the buckets of an index tofind the desired results. This can take up to two seconds per searched bucket. Ifyou have a large amount of data stored on your indexer, there are a lot ofbuckets, and a super-sparse search can take a very long time to complete.

Rare. Rare searches are like super-sparse searches in that they match just ahandful of results across a number of index buckets. The major difference withrare searches is that bloom filters - data structures that test whether or not anelement is a member of a set - significantly reduce the number of buckets thatneed to be searched by eliminating those buckets which do not contain eventsthat match the search request. This allows a rare search to complete anywherefrom 20 to 100 times faster than a super-sparse search, for the same amount ofdata searched.

Summary

The following table summarizes the different search types. Note that for denseand sparse searches, Splunk measures performance based on number ofmatching events, while with super-sparse and rare searches, performance ismeasured based on total indexed volume.

Search type Description Ref. indexerthroughput

Performanceimpact

Dense

Dense searches return a largepercentage of results for agiven set of data in a givenperiod of time.

Up to 50,000matchingevents persecond

GenerallyCPU-bound

Sparse

Sparse searches return asmaller amount of results for agiven set of data in a givenperiod of time than densesearches do.

Up to 5,000matchingevents persecond

GenerallyCPU-bound

Super-sparse Super-sparse searches return avery small number of resultsfrom each index bucket whichmatch the search. Depending

Up to 2seconds perindex bucket

Primarily I/Obound

25

on how large the set of data is,these types of search can takea long period of time.

Rare

Rare searches are similar tosuper-sparse searches, but areassisted by bloom filters whichhelp eliminate index bucketsthat do not match the searchrequest. Rare searches returnresults anywhere from 20 to100 times faster than asuper-sparse search does.

From 10 to 50index bucketsper second

Primarily I/Obound

How Splunk apps affect Splunk performance

This topic discusses how Splunk apps impact overall Splunk performance on asingle reference indexer.

While many apps can run on a single indexer - Splunk actually runs severalincluded with the product - the more things an app does, the more likely you mustdistribute it across multiple machines.

Many apps require a distributed Splunk deployment by design. Whether it's acase of universal forwarders fetching data and sending it to a single centralinstance, or many indexers and search heads connected together and serving upreports, dashboards, or alerts, Splunk apps often need more than one server torealize both maximum performance and potential in the enterprise.

How Splunk calculates disk storage

This topic discusses how Splunk calculates disk storage.

At a high level, Splunk calculates total disk storage as follows:

( Daily average indexing rate ) x ( retention policy ) x 1/2

If you want to base your calculation on the specific type(s) of data that Splunk willindex, you can use the method described in "Estimate your storagerequirements" in this manual.

26

Splunk stores raw data at up to approximately half its original size due tocompression. On a volume that contains 500 GB of usable disk space, thismeans you can store nearly 6 months' worth of data at an indexing rate of 5GB/day, or 10 days' worth at a rate of 100 GB/day.

If you need additional storage, you can opt for either more local disks (requiredfor frequent searching) or attached or network storage (acceptable for occasionalsearching). Low-latency connections over NFS or SMB/CIFS (Server MessageBlock/Common Internet File System) are acceptable for searches over long timeperiods where instant search returns can be compromised to lower cost per GB.

Important: Shares mounted over a Wide Area Network (WAN) connection or onstandby storage such as tape are never suitable storage choices for Splunkoperations.

Reference hardware

When sizing your Splunk environment's hardware needs, a reference machinehelps you understand when it is time to scale and distribute the deployment.Following is an example of such a machine. Refer to this configuration as thestandard for the remainder of this chapter.

The reference machine described below produces the following index and searchperformance metrics for a given sample of data:

Indexing performance

Up to 5.8 megabytes per second (500 GB per day) of raw indexingperformance, provided no other Splunk activity is occurring.

•

Search performance

Up to 50,000 events per second for dense searches• Up to 5,000 events per second for sparse searches• Up to 2 seconds per index bucket for super-sparse searches• From 10 to 50 buckets per second for rare searches with bloom filters•

To find out more about the types of searches and how they affect Splunkperformance, read "How search types affect Splunk performance" in this manual.

27

Bare-metal hardware

Intel x86 64-bit chip architecture• 2 CPUs, 6 cores per CPU (12 cores total), at least 2 Ghz per core• 12 GB RAM• Standard 1 Gb Ethernet NIC, optional 2nd NIC for a management network• Standard 64-bit Linux or Windows distribution•

Disk subsystem

The reference computer's disk subsystem should be capable of handling a highnumber of averaged Input/Output Operations Per Second (IOPS).

IOPS are a measurement of how much data throughput a hard drive canproduce. Since a hard drive reads and writes at different speeds, there are IOPSnumbers for disk reads and writes. The average IOPS is the blend betweenthose two figures.

The more average IOPS a hard drive can produce, the more data it can indexand search in a given period of time. While many variable items factor into theamount of IOPS that a hard drive can produce, the three most importantelements are:

its rotational speed (in revolutions per minute)• its average latency (the amount of time it takes to spin its platters half arotation)

•

its average seek time (the amount of time it takes to retrieve a requestedblock of data.)

•

To get the most IOPS out of a hard drive, always choose those drives that havehigh rotational speeds and low average latency and seek times. Every drivemanufacturer provides this information (and some provide much more).

For additional information on IOPS and how to calculate them, review thefollowing articles:

"Getting the hang of IOPS(http://www.symantec.com/connect/articles/getting-hang-iops-v13) onSymantec's Connect Community.

•

"Analyzing I/O performance in Linux(http://www.cmdln.org/2010/04/22/analyzing-io-performance-in-linux) onCMDLN.ORG (A sysadmin blog).

•

28

For this application, we use eight 146-gigabyte, 15,000 RPM serial-attachedSCSI (SAS) HDs in a Redundant Array of Independent Disks (RAID) 1+0 faulttolerance scheme as the disk subsystem. Each hard drive is capable of about200 average IOPS. The combined array produces a little over 800 IOPS.

Important: Splunk is often constrained by disk I/O first, so always consider diskinfrastructure first when specifying your hardware.

Virtual hardware

Splunk performs fastest when deployed directly on to bare-metal hardware, asdescribed above. However, Splunk can and does deliver on virtual equipment.What's more, we fully support deploying Splunk on virtual hardware.

Using the bare metal hardware as a baseline, Splunk generally indexes dataabout 30% slower on a virtual machine (VM) than it does on a standard referencemachine. Search performance is on par with the real-world hardware.

This is a best-case scenario that does not account for resource contention withother active VMs on the same physical server. It also does not take into accountcertain vendor-specific I/O enhancement techniques (such as Direct I/O or RawDevice Mapping).

Splunk in the cloud

While you can run Splunk in the cloud, there are various concerns that you mustbe aware of when doing so. In addition to the security concerns of runningSplunk in a public cloud, you must also note that performance degradessignificantly compared to bare-metal hardware. Using that benchmark as abaseline again, Splunk indexing performance on a cloud-based computer isroughly half that of a real one. Searching suffers, too - results return anywherefrom 15 to 20 percent slower than on a physical machine.

Performance questionnaire

Overview

This topic helps you make the choice on whether or not to distribute your Splunkdeployment.

29

This questionnaire is for a single-server Splunk deployment based on thereference architecture described in "Reference hardware."

Determine when to scale your Splunk deployment

Before you consider whether or not to scale, estimate how much data you needto index, and whether or not you need more than one concurrent Splunk user tosearch that data.

Depending on how much data you index and how many concurrent users yourequire, you might need to scale your environment to multiple machines. Even ifyour indexing amount and user count falls within the capabilities of a singleserver, you might have to distribute your deployment based on the types ofsearches you employ, and whether or not you use summary indexes.

If you want to run a Splunk app or solution in your Splunk environment, or youcreate elements that generate a large number of saved searches, you mighthave to distribute Splunk components across a number of machines.

Question 1: Do you want to create or run a Splunk app, alert or solutionthat executes a large number of saved searches (more than 8concurrently)?

A saved search is a search that a user saves to make available for later use. Thenumber of saved searches - especially those run concurrently - directly impacts aSplunk server's performance. If you answered "NO" to this question, thenproceed to Question 2. You don't need to consider scaling your Splunkdeployment to multiple machines just yet.

However, if you answered "YES" then you should scale your Splunk deploymentto multiple machines. Review detailed information on hardware capacity planningfor distributed Splunk deployments in "Hardware capacity planning for adistributed Splunk Deployment" in the Distributed Deployment Manual.

Question 2: Do you need to index more than 2 GB of data per day?

Question 3: Do you need more than 2 users signed in at one time?

If the answer to both questions is "NO" then your Splunk instance can safelyshare one of the reference servers with other services, with the caveat thatSplunk must have sufficient disk I/O bandwidth on the shared machine.

If you answered "YES" to either question then proceed to Question 4.

30

Note: If you are deploying Splunk on Windows, you must not share full Splunkservices on servers that run Microsoft Exchange, Active Directory domainservices, or machine virtualization software. This is because those services areoften very disk I/O intensive, and can dramatically reduce indexing and searchperformance. Additionally, you must ensure that any anti-virus software installedon the server does not scan the Splunk installation directory.

Question 4: Do you need to index more than 100 GB per day?

Question 5: Do you need more than 4 concurrent users?

If the answer to both questions is "NO" then a single dedicated Splunk server ofour reference architecture should be able to handle your workload.

Question 6: Do you need more than 500GB of total storage?

Read "How Splunk calculates disk storage" to learn how Splunk calculates diskstorage.

If the answer to this question is "NO" then a single dedicated reference Splunkserver should be able to handle your workload, but you might need to add faststorage to the system to account for the increased space usage.

If the answer to this question is "YES" then you should consider scaling yourdeployment to additional indexers to cope with the increased demand of indexingand searching.

Question 7: Do you need to search large quantities of data for a small set(less than 1 per cent) of results?

Searches that cover large quantities of data and return small sets of results areknown as super-sparse searches. These searches require lots of disk I/Obecause the indexer must search a number of buckets to find the data you'relooking for.

If the answer to this question is "NO" then you probably do not need to scaleyour deployment. However, adding additional indexers does improve bothindexing and search performance.

If the answer to this question is "YES" then you should definitely consider scalingyour deployment up. Read the following section to determine how Splunkcalculates storage.

31

Summary of performance recommendations

This topic summarizes the performance recommendations that were given in theperformance questionnaire. The table below shows the amount of referenceservers that are required to index and search data in Splunk, depending on thenumber of concurrent users and amounts of data that the instance indexes.

As a reminder, the reference hardware is:

Intel x86 64-bit chip architecture• 2 CPUs, 6 cores per CPU (12 cores total), at least 2 Ghz per core• 12 GB RAM• Disk subsystem capable of producing 800 IOPS• Standard 1Gb Ethernet NIC, optional 2nd NIC for a management network• Standard 64-bit Linux or Windows distribution•

For additional information about the reference server, read "Reference hardware"in this manual.

Important: The figures shown in the table below only account for the referenceserver in question performing a single task, such as either indexing or searching.If a server is performing both actions at the same time, performance can anddoes degrade depending on the amount of indexing and searching happening atthe time. The figures shown here are approximate guidelines only.

If you run Splunk apps, have higher indexing volumes, employ multiple orI/O-heavy searches, or need more concurrent users than this table shows, thenyou should scale your deployment as described in "Hardware capacity planningfor a distributed Splunk deployment" in the Distributed Deployment Manual.

If you need more guidance, contact Splunk.

DailyIndexingVolume

Number ofConcurrent Search

Users

RecommendedIndexers

RecommendedSearch Heads

< 2 GB/day < 2 1, shared N/A

2 GB/day to100 GB/day up to 4 1, dedicated N/A

100 GB/day to200 GB/day up to 8 2 1

32

Note: For indexing requirements greater than 100 GB per day, or for additionalconcurrent users, review the hardware capacity requirements in the DistributedDeployment Manual.

Answers

Have questions? Visit Splunk Answers to see what questions and answers otherSplunk users had about hardware and Splunk.

33

Install Splunk Enterprise on Windows

Choose the Windows user Splunk should run as

This topic discusses the steps you should take to choose which Windows userSplunk should run as when you install Splunk on Windows.

When you run the Splunk Windows installer, it presents you with the option toselect the user that Splunk should run as. Splunk strongly recommends you readthis topic before installing in order to understand the ramifications of choosing theuser type.

This topic applies to all versions of Splunk, including Splunk Enterprise and theSplunk universal forwarder. It applies to installing Splunk on Windows only.

The Splunk user you choose depends on what you wantSplunk to monitor

The user Splunk runs as determines what it can monitor. The Local System userhas access to all data on the local machine, but nothing else. A user other thanLocal System has access to whatever data you want it to, but you must give theuser that access prior to installing Splunk.

If you already know that the computer you're installing Splunk on will notaccess remote Windows data then you can proceed directly to "Install onWindows" in this manual (or, if you want to install using the command prompt,"Install on Windows via the command line.")

If there is a possibility that you will need to access remote Windows data,or you are not sure, then read on - this topic contains important informationabout the user you should install Splunk as.

About the "Local System user" and "other user" choices

The basics

The Windows Splunk installer provides two ways to install Splunk: as the "LocalSystem" user, or as another existing user on your Windows computer or network,which you designate.

34

If you intend to do any of the following with Splunk, then you must install Splunkas an "other user":

read Event Logs remotely• collect performance counters remotely• read network shares for log files• enumerate the Active Directory schema using Active Directory monitoring•

Note: This is not an all-inclusive list.

The user that you specify must, at a minimum:

Be a member of the Active Directory domain or forest you wish to monitor(when using AD).

•

Be a member of the local Administrators group on the server you'reinstalling Splunk on.

•

Have specific user security rights assigned to it prior to installing Splunk.Read "Minimum permissions requirements" later in this topic for specificinformation.

•

Caution: If the Splunk user does not have these minimum requirementssatisfied, Splunk installation might fail. In this case, even if Splunk installationsucceeds, Splunk might not run correctly, or at all.

The Splunk user also has unique password constraints - read "Splunk useraccounts and password concerns" later in this topic for specifics.

If you're not sure which user Splunk should run as, then review "Considerationsfor deciding how to monitor remote Windows data" in the Getting Data In Manualfor additional information on how to configure the Splunk user with the access itneeds.

Splunk user accounts and password concerns

Another important issue that arises when you install Splunk with a user accountis that any active password enforcement policy controls the password's validity. Ifyour network enforces password changes, you must consider these things:

Before the password expires, change it, reconfigure Splunk services onevery machine to use the changed password, and then restart Splunk.

•

Configure the account so that its password never expires.• Use a managed service account (read "Use managed service accounts onWindows Server 2008 and Windows 7" later in this topic).

•

35

Use managed service accounts on Windows Server 2008, Windows Server2012 and Windows 7

If you run Windows Server 2008, Windows Server 2008 R2, Windows Server2012, or Windows 7 in Active Directory, and your AD domain has at least oneWindows Server 2008 R2 or Server 2012 domain controller, you can installSplunk to run as a managed service account (MSA).

The major benefits of using a MSA are:

Increased security from the isolation of accounts for services.• Administrators no longer need to manage the credentials or administer theaccounts. This means that, among other things, passwords automaticallychange after they expire, and you do not have to manually set passwordsor restart services associated with these accounts.

•

Administrators can delegate the administration of these accounts tonon-administrators.

•

Some important things to understand before installing Splunk with a MSA are:

The MSA requires the same permissions as a domain account on themachine that runs Splunk.

•

The MSA must be a local administrator on the machine that runs Splunk.• You cannot use the same account on different computers, as you wouldwith a domain account.

•

You must correctly configure and install the MSA on the machine that runsSplunk before you install Splunk on the machine. For information andinstructions on how to do this, review "Service Accounts Step-by-StepGuide"(http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx)on MS Technet.

•

To install Splunk using a MSA, read "Prepare your Windows network for a Splunkinstallation as a network or domain user" in this manual.

Security and remote access considerations

Minimum permissions requirements

If you choose to install Splunk as a domain user, then there are a minimumnumber of permissions required on the server that runs Splunk.

36

The following is a list of the minimum user rights and permissions that thesplunkd, splunkweb, and splunkforwarder services require when Splunk isinstalled using a domain user. Depending on the sources of data you want tomonitor, the Splunk user might need a significant amount of additionalpermissions.

Required basic permissions for the splunkd or splunkforwarder services

Full control over Splunk's installation directory• Read access to any flat files you want to index•

Required Local/Domain Security Policy user rights assignments for the splunkd orsplunkforwarder services

Permission to log on as a service• Permission to log on as a batch job• Permission to replace a process-level token• Permission to act as part of the operating system• Permission to bypass traverse checking•

Important: Failure to assign these permissions to the Splunk user prior toinstallation can result in a failed Splunk install, or an installation which does notfunction correctly, or at all.

Required basic permissions for the splunkweb service

Full control over Splunk's installation directory•

Required Local/Domain Security Policy user rights assignments for the splunkwebservice

Permission to log on as a service•

Note: Splunk does not require these permissions when it runs as the LocalSystem account.

How to assign these permissions

This section contains high-level concepts on how to assign the appropriate userrights and permissions to the Splunk service account before attempting to install.For step-by-step instructions, read "Prepare your Windows network for a Splunkinstallation as a network or domain user" in this manual.

37

Use Group Policy to assign rights to multiple machines

If you want to assign the policy settings shown above to a number ofworkstations and servers in your AD domain or forest, you can define a GroupPolicy object (GPO) with these specific rights, and deploy that GPO across thedomain. Read "Prepare your Active Directory to run Splunk services as a domainaccount" in this manual for specific instructions.

Once you've created and enabled the GPO, the workstations and servers in yourdomain will pick up the changes either during the next scheduled AD replicationcycle (usually every 1 1/2 to 2 hours) or at the next boot time. Alternatively, youcan force AD replication using the GPUPDATE command line utility on the server onwhich you want to update Group Policy.

When setting user rights, remember that rights assigned by a GPO overrideidentical Local Security Policy rights on a machine, and you can't change thissetting. If you wish to retain previously existing rights that are explicitly definedthrough Local Security Policy on a machine, you must also assign these rightswithin the GPO.

Troubleshoot permissions issues

The rights described above are the rights that the splunkd, splunkweb, andsplunkforwarder services specifically require. Other rights might be needed,depending on your usage and what data you want to access. Additionally, manyuser rights assignments and other Group Policy restrictions can prevent Splunkfrom running. If you have issues, consider using a tool such as Process Monitoror GPRESULT to troubleshoot GPO application in your environment.

Prepare your Windows network for a Splunkinstallation as a network or domain user

The following procedures detail the steps you must take to prepare yourWindows network to allow for Splunk installation as a network or domain userother than the "Local System" user.

Important: Do not perform these instructions if you plan to install SplunkEnterprise or universal forwarder as the "Local System" user.

The instructions shown here have been tested for Windows Server 2008 R2 andWindows Server 2012, and might differ slightly for other versions of Windows.

38

Caution: These instructions require full administrative access to thecomputer and/or Active Directory domain you want to prepare for Splunkoperations. Do not attempt to perform this procedure without this access.

Additionally, the rights you assign using these instructions are the minimumrights required for a successful Splunk installation. You might need to assignadditional rights, either within the Local Security Policy or Group Policy object(GPO), or to the user and group accounts you create, in order for Splunk toaccess the data you want.

Prepare Active Directory for Splunk installation as a domainuser

The following instructions guide you through preparing your Active Directory toallow for installations of Splunk Enterprise or the Splunk universal forwarder as adomain account.

Splunk recommends that you follow Microsoft's Best Practices(http://technet.microsoft.com/en-us/library/bb727085.aspx) when creating usersand groups. This typically involves creating a specific Organizational Unit forgroups within the organization.

These instructions assume the following:

You are running Active Directory.• You are a domain administrator for the AD domain(s) you want toconfigure.

•

The computer(s) you plan to install Splunk on are members of the ADdomain.

•

Create groups

1. Run the Active Directory Users and Computers tool by selecting Start >Administrative Tools > Active Directory Users and Computers.

2. Once the program loads, select the domain that you want to prepare forSplunk operations.

3. Double-click an existing appropriate container folder to open it, or create a newOrganization Unit by selecting New > Group from the Action menu.

4. From the Action menu, select New > Group.

39

5. In the dialog that appears, type in a name that represents Splunk useraccounts, for example, "Splunk Accounts".

Ensure that the Group scope is set to Domain Local, and Group type isset to Security.

6. Click OK to create the group.

7. Create a second group and specify a name that represents Splunk-enabledcomputers, for example, "Splunk Enabled Computers". This group will containcomputer accounts that get assigned the appropriate permissions to run Splunkas a domain user.

Ensure that the Group scope is set to Domain Local, and Group type isset to Security.

Assign users and computers to groups

If you have not already created the user account(s) that you want to use to runSplunk, now is a good time to do so. Be sure to follow Microsoft's Best Practicesfor creating users and groups if you do not have your own internal policy.

Once you have created the user account(s), add the account(s) to the SplunkAccounts group, and add the computer accounts of the computers that will runSplunk to the Splunk Enabled Computers group.

After you have done this, you can exit Active Directory Users and Computers.

Define a Group Policy object (GPO)

1. Run the Group Policy Management Console (GPMC) tool by selecting Start> Administrative Tools > Group Policy Management.

2. In the tree view pane on the left, select Domains.

3. Click the Group Policy Objects folder.

4. In the Group Policy Objects in <your domain> folder, right-click and selectNew from the menu that pops up.

5. In the New GPO dialog, type in a name that represents the fact that the GPOwill assign user rights to the servers you apply it to, for example, "SplunkAccess."

40

Leave the Source Starter GPO field set to "(none)".

6. Click OK to save the GPO.

Add rights to the GPO

1. While still in the GPMC, right-click on the newly created group policy objectand select Edit from the pop-up menu that appears.

2. In the Group Policy Management Editor that appears, in the left pane,browse to Computer Configuration -> Policies -> Windows Settings ->Security Settings -> Local Policies -> User Rights Assignment.

a. In the right pane, double-click on the Act as part of the operatingsystem entry.

b. In the window that opens, check the Define these policy settingscheckbox.

c. Click Add User or Group?

d. In the dialog that opens, click Browse?

e. In the Select Users, Computers, Service Accounts, or Groupsdialog that opens, type in the name of the "Splunk Accounts" group youcreated earlier, then click Check Names?

Windows underlines the name if it is valid. Otherwise it tells youthat it cannot find the object and prompts you for an object nameagain.

f. Click OK to close the "Select Users?" dialog.

g. Click OK again to close the "Add User or Group" dialog.

h. Click OK again to close the rights properties dialog.

3. Repeat Steps 2a-2h for the following additional rights:

Bypass traverse checking• Log on as a batch job• Log on as a service• Replace a process-level token•

41

4. While still in the Group Policy Management Editor window, in the left pane,browse to Computer Configuration -> Policies -> Windows Settings ->Security Settings -> Restricted Groups.

a. In the right pane, right-click and select Add Group? in the pop-up menuthat appears.

b. In the dialog that appears, type in Administrators and click OK.

c. In the properties dialog that appears, click the Add button next toMembers of this group:.

d. In the Add Member dialog that appears, click Browse?"

e. In the Select Users, Computers, Service Accounts, or Groupsdialog that opens, type in the name of the "Splunk Accounts" group youcreated earlier, then click Check Names?


f. Click OK to close the Select Users? dialog.

g. Click OK again to close the "Add User or Group" dialog.

h. Click OK again to close the group properties dialog.

5. Close the Group Policy Management Editor window to save the GPO.

Restrict GPO application to select computers

1. While still in the GPMC, in the GPMC's left pane, select the GPO you createdand added rights to, if it is not already selected.

GPMC displays information about the GPO in the right pane.

2. In the right pane, under Security Filtering, click Add?

3. In the Select User, Computer, or Group dialog that appears, type in "SplunkEnabled Computers" (or the name of the group that represents Splunk-enabledcomputers that you created earlier.)

42

4. Click Check Names. If the group is valid, Windows underlines the name.Otherwise, it tells you it cannot find the object and prompts you for an objectname again.

5. Click OK to return to the GPO information window.

6. Repeat Steps 2-5 to add the "Splunk Users" group (the group that representsSplunk user accounts that you created earlier.)

7. Under Security Filtering, click the Authenticated Users entry to highlight it.

8. Click Remove.

GPMC removes the "Authenticated Users" entry from the "SecurityFiltering" field, leaving only "Splunk Users" and "Splunk EnabledComputers."

Apply the GPO

1. While still in the GPMC, in the GPMC's left pane, select the domain that youwant to apply the GPO you created.

2. Right click on the domain, and select Link an Existing GPO? in the menu thatpops up.

3. In the Select GPO dialog that appears, select the GPO you created andedited, and click OK. GPMC applies the GPO to the selected domain.

4. Close GPMC by selecting File > Exit from the GPMC menu.

Note: Active Directory controls when Group Policy updates occur and GPOs getapplied to computers in the domain. Typically, replication happens every 90-120minutes. You must wait this amount of time before attempting to install Splunk asa domain user. Alternatively, you can force a Group Policy update by runningGPUPDATE /FORCE from a command prompt on the computer on which you want toupdate Group Policy.

Install Splunk with a managed system account

Alternatively, you can install Splunk with a managed system account. Followthese instructions to do so:

1. Create and configure the MSA that you plan to use to monitor Windows data.

43

Note: You can use the instructions in "Prepare your Active Directory to runSplunk services as a domain account" earlier in this topic to assign the MSA theappropriate security policy rights and group memberships.

2. Install Splunk from the command line as the "Local System" user.

Important: You must install Splunk from the command line and use theLAUNCHSPLUNK=0 flag to keep Splunk from starting after installation is completed.

3. After installation is complete, use the Windows Explorer or the ICACLScommand line utility to grant the MSA "Full Control" permissions to the Splunkinstallation directory and all its sub-directories.

Note: You might need to break NTFS permission inheritance from parentdirectories above the Splunk installation directory and explicitly assignpermissions from that directory and all subdirectories.

4. Follow the instructions in the topic "Correct the user selected during Windowsinstallation" in this manual to change the default user for Splunk's serviceaccount. In this instance, the correct user is the MSA you configured prior toinstalling Splunk.

Important: You must append a dollar sign ($) to the end of the username whencompleting Step 4 in order for the MSA to work properly. For example, if the MSAis SPLUNKDOCS\splunk1, then you must enter SPLUNKDOCS\splunk1$ in theappropriate field in the properties dialog for the service. You must do this for boththe splunkd and splunkweb services.

5. Confirm that the MSA has the "Log on as a service" right.

Note: If you use the Services control panel to make the service accountchanges, Windows grants this right to the MSA automatically.

6. Start Splunk. Splunk will run as the MSA configured above, and will haveaccess to all data that the MSA has access to.

Prepare a local machine or non-AD network for Splunkinstallation

If you are not using Active Directory, follow these instructions to giveadministrative access to the user you want Splunk to run as on the computersyou want to install Splunk on.

44

1. Give the user Splunk should run as administrator rights by adding the user tothe local Administrators group.

2. Start Local Security Policy by selecting Start > Administrative Tools > LocalSecurity Policy.

Local Security Policy launches and displays the local security settings.

3. In the left pane, expand Local Policies and then click User RightsAssignment.

a. In the right pane, double-click on the Act as part of the operatingsystem entry.

b. Click Add User or Group?

c. In the dialog that opens, click Browse?

d. In the Select Users, Computers, Service Accounts, or Groupsdialog that opens, type in the name of the "Splunk Computers" group youcreated earlier, then click Check Names...


e. Click OK to close the "Select Users?" dialog.

f. Click OK again to close the "Add User or Group" dialog.

g. Click OK again to close the rights properties dialog.

4. Repeat Steps 3a-3g for the following additional rights:

Bypass traverse checking• Log on as a batch job• Log on as a service• Replace a process-level token•

Once you have completed these steps, you can then install Splunk as thedesired user.

45

Install on Windows

This topic describes the procedure for installing Splunk on Windows with theGraphical User Interface (GUI)-based installer. More options (such as silentinstallation) are available if you install from the command line.

Important: Running the 32-bit version of Splunk for Windows on a 64-bitWindows system is not recommended. If you attempt to run the 32-bit installer ona 64-bit system, the installer will warn you of this.

We strongly recommend that you run 64-bit Splunk on 64-bit hardware. Theperformance is greatly improved over the 32-bit version.

Note: If you want to install the Splunk universal forwarder, see the ForwardingData manual: "Universal forwarder deployment overview". Unlike Splunk heavyand light forwarders, which are full Splunk instances with some featureschanged or disabled, the universal forwarder is an entirely separate executable,with its own set of installation procedures. For an introduction to forwarders, see"About forwarding and receiving", also in the Forwarding Data Manual.

Upgrading?

If you are upgrading Splunk Enterprise, review "How to upgrade Splunk" forinstructions and migration considerations before proceeding.

In particular, be aware that Splunk does not support changing the managementor HTTP ports during an upgrade.

Before you install


Before installing, be sure to read "Choose the Windows user Splunk should runas" to determine which user account Splunk should run as to address yourspecific needs. The user you choose has specific ramifications on what you needto do prior to installing the software, and more details can be found there.

Splunk for Windows and anti-virus software

Splunk's indexing subsystem requires lots of disk throughput. Any software with adevice driver that intermediates between Splunk and the operating system canrob Splunk of processing power, causing slowness and even an unresponsive

46

system. This includes anti-virus software.

It's extremely important to configure such software to avoid on-access scanningof Splunk installation directories and processes, before starting a Splunkinstallation.

Install Splunk via the GUI installer

The Windows installer is an MSI file.

1. To start the installer, double-click the splunk.msi file.

The installer runs and displays the Welcome panel.

2. To begin the installation, click Next.

Note: On each panel, you can click Next to continue, Back to go back a step, orCancel to cancel the installation and quit the installer.

The installer displays the licensing panel.

3. Read the licensing agreement and select "I accept the terms in the licenseagreement". Click Next to continue installing.

The installer displays the Destination Folder panel.

Note: By default, Splunk gets installed into \Program Files\Splunk on thesystem drive. Splunk's installation directory is referred to as $SPLUNK_HOME or%SPLUNK_HOME% throughout this documentation set.

4. Click Change... to specify a different location to install Splunk, or click Next toaccept the default value.

The installer displays the Logon Information panel.

Splunk installs and runs two Windows services, splunkd and splunkweb. Theseservices install and run as the user you specify on this panel. You can choose torun Splunk as the Local System user, or another user.

Important: If you choose to run Splunk as another user, that user must:

Be a member of an Active Directory domain (you cannot install Splunk asa local machine account other than the Local System account)

•

47

Have local administrator privileges on the machine which you areperforming the installation, and

•

Have specific user rights, and other additional permissions, depending onthe kinds of data you want to collect from remote machines.

•

Read "Choose the Windows user Splunk should run as" for additional informationon these permissions and rights requirements.

If you have not read the above linked topic beforehand, then stop theinstallation now and read that topic first.

5. Select a user type and click Next.

If you selected the Local System user, proceed to Step 7. Otherwise, the installerdisplays the Logon Information: specify a username and password panel.

6. Specify a username and password to install and run Splunk and click Next.

Note: This must be a valid user in your security context, and must be an activemember of an Active Directory domain. Splunk cannot start without a validusername and password, nor can it start with a machine account that is not theLocal System account.

The installer displays the installation summary panel.

7. Click Install to proceed.

The installer runs and displays the Installation Complete panel.

Caution: If you specified the wrong user during the installation procedure, youwill see two pop-up error windows explaining this. If this occurs, Splunk installsitself as the local system user by default. Splunk does not start automatically inthis situation. You can proceed through the final panel of the installation, butuncheck the "Launch browser with Splunk" checkbox to prevent your browserfrom launching. Then, use these instructions to switch to the correct user beforestarting Splunk.

8. If desired, check the boxes to Launch browser with Splunk and Create StartMenu Shortcut now. Click Finish.

The installation completes, Splunk starts, and Splunk Web launches in asupported browser if you checked the appropriate box.

48

Note: The first time you access Splunk Web after installation, login with thedefault username admin and password changeme. Do not use the username andpassword you provided during the installation process.

Launch Splunk in a Web browser

To access Splunk Web after you start Splunk on your machine, you can either:

Click the Splunk icon in Start > Programs > Splunk•

or

Open a Web browser and navigate to http://localhost:8000.•

Log in using the default credentials: username: admin and password: changeme.

The first time you log into Splunk successfully, you'll be prompted right away tochange your password. You can do so by entering a new password and clickingthe Change password button, or you can do it later by clicking the Skip button.

Note: If you do not change your password, remember that anyone who hasaccess to the machine can access your Splunk instance. Be sure to change theadmin password as soon as possible and make a note of what you changed it to.

Avoid IE Enhanced Security pop-ups

If you're using Internet Explorer to access Splunk, add the following URLs to theallowed Intranet group or fully trusted group to avoid getting "Enhanced Security"pop-ups:

quickdraw.splunk.com• the URL of your Splunk instance•

Change the Splunk Web or splunkd service ports

If you want the Splunk Web service or the splunkd service to use a different port,you can change the defaults.

To change the splunk web service port:

Open a command prompt.• Change to the %SPLUNK_HOME%\bin directory.• Type in splunk set web-port #### and press Enter.•

49

To change the splunkd port:

Open a command prompt, if one isn't already.• Change to the %SPLUNK_HOME%\bin directory.• Type in splunk set splunkd-port #### and press Enter.•

Note: If you specify a port and that port is not available, or if the default port isunavailable, Splunk will automatically select the next available port.

Install or upgrade license

If you are performing a new installation of Splunk or switching from one licensetype to another, you must install or update your license.

What's next?

Now that you've installed Splunk, you can find out what comes next, or you canreview these topics in the Getting Data In Manual for information on addingWindows data to Splunk:

Monitor Windows Event Log data• Monitor Windows Registry data• Monitor WMI-based data• Considerations for deciding how to monitor remote Windows data.•

Install on Windows via the command line

This topic describes the procedure for installing Splunk on Windows from thecommand line. Before installing, be sure to read "Choose the Windows userSplunk should run as" to determine which user account Splunk should run as toaddress your specific needs.

Important: Running the 32-bit version of Splunk for Windows on a 64-bitWindows system is not recommended. If you run the 32-bit installer on a 64-bitsystem, the installer will warn you about this.

We strongly recommend that you run 64-bit Splunk on 64-bit hardware. Theperformance is greatly improved over the 32-bit version.

Note: If you want to install the Splunk universal forwarder, see the ForwardingData manual: "Universal forwarder deployment overview". Unlike Splunk heavy

50

and light forwarders, which are full Splunk instances with some featureschanged or disabled, the universal forwarder is an entirely separate executable,with its own set of installation procedures. For an introduction to forwarders, see"About forwarding and receiving", also in the Forwarding Data Manual.

When to install from the command line?

You can manually install Splunk on individual machines from a command promptor PowerShell window. Here are some scenarios where installing from thecommand line is useful:

You want to install Splunk, but don't want it to start right away.• You want to automate installation of Splunk with a script.• You want to install Splunk on a system that you will clone later.• You want to use a deployment tool such as Group Policy or SystemCenter Configuration Manager.

•

Upgrading?

If you are upgrading, review "How to upgrade Splunk" for instructions andmigration considerations before proceeding.

In particular, be aware that Splunk does not support changing the managementor HTTP ports during an upgrade.

Before you install


Before installing, be sure to read "Choose the Windows user Splunk should runas" to determine which user account Splunk should run as to address yourspecific data collection needs. The user you choose has specific ramifications onwhat you need to do prior to installing the software, and more details can befound there.

Splunk for Windows and anti-virus software

Splunk's indexing subsystem requires lots of disk throughput. Anti-virus software- or any software with a device driver that intermediates between Splunk and theoperating system - can rob Splunk of processing power, causing slowness andeven an unresponsive system.

51

It's extremely important to configure such software to avoid on-access scanningof Splunk installation directories and processes, before starting a Splunkinstallation.

Install Splunk from the command line

You can install Splunk from the command line by invoking msiexec.exe.

For 32-bit platforms, use splunk-<...>-x86-release.msi:

msiexec.exe /i splunk-<...>-x86-release.msi [<flag>]... [/quiet]

For 64-bit platforms, use splunku-<...>-x64-release.msi:

msiexec.exe /i splunk-<...>-x64-release.msi [<flag>]... [/quiet]

The value of <...> varies according to the particular release; for example,splunk-5.0-125454-x64-release.msi.

Command line flags allow you to configure Splunk at installation time. Usingcommand line flags, you can specify a number of settings, including:

Which Windows event logs to index.• Which Windows Registry hive(s) to monitor.• Which Windows Management Instrumentation (WMI) data to collect.• The user Splunk runs as (Important: Read "Choose the Windows userSplunk should run as" for information on what type of user you shouldinstall your Splunk instance with.)

•

An included application configuration for Splunk to enable (such as theSplunk light forwarder.)

•

Whether or not Splunk should start up automatically when the installationis completed.

•

Note: The first time you access Splunk Web after installation, log in with thedefault username admin and password changeme.

Supported flags

The following is a list of the flags you can use when installing Splunk forWindows via the command line.

52

Important: The Splunk universal forwarder is a separate executable, with its owninstallation flags. Review the supported installation flags for the universalforwarder in "Deploy a Windows universal forwarder from the command line" inthe Forwarding Data manual.

Flag What it's for Default

AGREETOLICENSE=Yes|NoUse this flag to agree to the EULA. Thisflag must be set to Yes for a silentinstallation.

No

INSTALLDIR="<directory_path>"

Use this flag to specify directory toinstall. Splunk's installation directory isreferred to as $SPLUNK_HOME or%SPLUNK_HOME% throughout thisdocumentation set.

C:\ProgramFiles\Splunk

SPLUNKD_PORT=<port number>

Use these flags to specify alternateports for splunkd and splunkweb to use.

Note: If you specify a port and that portis not available, Splunk willautomatically select the next availableport.

8089

WEB_PORT=<port number>

Use these flags to specify alternateports for splunkd and splunkweb to use.

Note: If you specify a port and that portis not available, Splunk willautomatically select the next availableport.

8000

WINEVENTLOG_APP_ENABLE=1/0

WINEVENTLOG_SEC_ENABLE=1/0

WINEVENTLOG_SYS_ENABLE=1/0

WINEVENTLOG_FWD_ENABLE=1/0

WINEVENTLOG_SET_ENABLE=1/0

Use these flags to specify whether ornot Splunk should index a particularWindows event log:

Application log

Security log

System log

Forwarder log

Setup log

0 (off)

53

Note: You can specify multiple flags.

REGISTRYCHECK_U=1/0

REGISTRYCHECK_BASELINE_U=1/0

Use this flag to specify whether or notSplunk should

index events from

capture a baseline snapshot of

the Windows Registry user hive(HKEY_CURRENT_USER).

Note: You can set both of these at thesame time.

0 (off)

REGISTRYCHECK_LM=1/0

REGISTRYCHECK_BASELINE_LM=1/0

Use this flag to specify whether or notSplunk should

index events from

capture a baseline snapshot of

the Windows Registry machine hive(HKEY_LOCAL_MACHINE).

Note: You can set both of these at thesame time.

0 (off)

WMICHECK_CPUTIME=1/0

WMICHECK_LOCALDISK=1/0

WMICHECK_FREEDISK=1/0

WMICHECK_MEMORY=1/0

Use these flags to specify whichpopular WMI-based performancemetrics Splunk should index:

CPU usage

Local disk usage

Free disk space

Memory statistics

Caution: If you need this instance ofSplunk to monitor remote Windowsdata, then you must also specify theLOGON_USERNAME and LOGON_PASSWORD

0 (off)

54

installation flags. Splunk can not collectany remote data that it does not haveexplicit access to. Additionally, the useryou specify requires specific rights,administrative privileges, and additionalpermissions, which you must configurebefore installation. Read "Choose theWindows user Splunk should run as" inthis manual for additional informationabout the required credentials.

There are many more WMI-basedmetrics that Splunk can index. Review"Monitor WMI Data" in the Getting DataIn Manual for specific information.

LOGON_USERNAME="<domain\username>"

LOGON_PASSWORD="<pass>"

Use these flags to providedomain\username and passwordinformation for the user that Splunk willrun as. The splunkd and splunkwebservices are configured with thesecredentials. For the LOGON_USERNAMEflag, you must specify the domain withthe username in the format"domain\username."

These flags are required if you wantthis Splunk installation to monitor anyremote data. Review "Choose theWindows user Splunk should run as" inthis manual for additional informationabout which credentials to use.

none

SPLUNK_APP="<SplunkApp>" Use this flag to specify an includedSplunk application configuration toenable for this installation of Splunk.Currently supported options for<SplunkApp> are:SplunkLightForwarder andSplunkForwarder. These specify thatthis instance of Splunk will function as alight forwarder or heavy forwarder,respectively. Refer to the "Aboutforwarding and receiving" topic in the

none

55

Forwarding Data manual for moreinformation.

Important: The full version of Splunkdoes not enable the universalforwarder. The universal forwarder is aseparate downloadable executable,with its own installation flags.

Note: If you specify either the Splunkforwarder or light forwarder here, youmust also specifyFORWARD_SERVER="<server:port>".

To install Splunk with no applications atall, simply omit this flag.

FORWARD_SERVER="<server:port>"

Use this flag *only* when you are alsousing the SPLUNK_APP flag to enableeither the Splunk heavy or lightforwarder. Specify the server and portof the Splunk server to which thisforwarder will send data.

Important: This flag requires that theSPLUNK_APP flag also be set.

none

DEPLOYMENT_SERVER="<host:port>"

Use this flag to specify a deploymentserver for pushing configurationupdates. Enter the deployment server'sname (hostname or IP address) andport.

none

LAUNCHSPLUNK=0/1

Use this flag to specify whether or notSplunk should start up automatically onsystem boot.

Important: If you enable the SplunkForwarder by using the SPLUNK_APP flag,the installer configures Splunk to startautomatically, and ignores this flag.

1 (on)

INSTALL_SHORTCUT=0/1 Use this flag to specify whether or notthe installer should create a shortcut toSplunk on the desktop and in the Start

1 (on)

56

Menu.

Silent installation

To run the installation silently, add /quiet to the end of your installationcommand string. If your system is running UAC (which is sometimes on bydefault) you must run the installation as Administrator. To do this: when openinga cmd prompt, right click and select "Run As Administrator". Then use this cmdwindow to run the silent install command.

Examples

The following are some examples of using different flags.

Silently install Splunk to run as the Local System user

msiexec.exe /i Splunk.msi /quiet

Enable SplunkForwarder and specify credentials for the user Splunk willrun as

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder"FORWARD_SERVER="<server:port>" LOGON_USERNAME="AD\splunk"LOGON_PASSWORD="splunk123"

Enable SplunkForwarder, enable indexing of the Windows System eventlog, and run the installer in silent mode

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder"FORWARD_SERVER="<server:port>" WINEVENTLOG_SYS_ENABLE=1 /quiet

Where "<server:port>" are the server and port of the Splunk server to whichthis machine should send data.

Launch Splunk in a Web browser

To access Splunk Web after you start Splunk on your machine, you can either:

Click the Splunk icon in Start>Programs>Splunk•

or

Open a Web browser and navigate to http://localhost:8000.•

57

Log in using the default credentials: username: admin and password: changeme .Be sure to change the admin password as soon as possible and make a note ofwhat you changed it to.

Now that you've installed Splunk, you can find out what comes next.

Avoid IE Enhanced Security pop-ups

To avoid IE Enhanced Security pop-ups, add the following URLs to the allowedIntranet group or fully trusted group in IE:

quickdraw.splunk.com• the URL of your Splunk instance•

Install or upgrade license

If you are performing a new installation of Splunk or switching from one licensetype to another, you must install or update your license.

What's next?

Now that you've installed Splunk, what comes next?

You can also review this topic about considerations for deciding how to monitorWindows data in the Getting Data In manual.

Correct the user selected during Windowsinstallation

If you have selected "other user" during the Windows GUI installation, and thatuser does not exist or perhaps you mistyped the information, you can go into theWindows Service Control Manager and specify the correct information, as longas you have not started Splunk yet. If you have started Splunk, you must stopit, uninstall it and reinstall it.

If you specified an invalid user during the Windows GUI installation process, youwill see two popup error windows.

To change the user:

58

1. In Control Panel > Administrative Tools > Services, find the splunkd andsplunkweb services. You'll notice that they are not started and are currentlyowned by the Local System User.

2. Right click on each service and choose Properties. The properties dialog forthat service is displayed.

3. Select the Log On tab.

4. Select the This account radio button and fill in the correct domain\usernameand password.

5. Click Apply.

6. Click OK.

7. Repeat Steps 2 through 6 for the second service (you must do this for bothsplunkd and splunkweb).

8. You can now either start both services from the Service Manager or from theSplunk command line interface.

59

Install Splunk Enterprise on Unix, Linux orMac OS X

Install on Linux

You can install Splunk on Linux using RPM or DEB packages, or a tar file.

Note: If you want to install the Splunk universal forwarder, see the ForwardingData manual: "Universal forwarder deployment overview". Unlike Splunk heavyand light forwarders, which are full Splunk instances with some featureschanged or disabled, the universal forwarder is an entirely separate executable,with its own set of installation procedures. For an introduction to forwarders, see"About forwarding and receiving".

Upgrading?


RedHat RPM install

To install the Splunk RPM in the default directory /opt/splunk:

rpm -i splunk_package_name.rpm

To install Splunk in a different directory, use the --prefix flag:

rpm -i --prefix=/opt/new_directory splunk_package_name.rpm

To upgrade an existing Splunk installation that resides in /opt/splunk using theRPM:

rpm -U splunk_package_name.rpm

To upgrade an existing Splunk installation that was done in a different directory,use the --prefix flag:

60

rpm -U --prefix=/opt/existing_directory splunk_package_name.rpm

Note: If you do not specify with --prefix for your existing directory, rpm willinstall in the default location of /opt/splunk.

For example, to upgrade to the existing directory of$SPLUNK_HOME=/opt/apps/splunk enter the following:

rpm -U --prefix=/opt/apps splunk_package_name.rpm

If you want to automate your RPM install with kickstart, add the following to yourkickstart file:

./splunk start --accept-license

./splunk enable boot-start

Note: The second line is optional for the kickstart file.

Debian DEB install

To install the Splunk DEB package:

dpkg -i splunk_package_name.deb

Note: You can only install the Splunk DEB package in the default location,/opt/splunk.

Tar file install

To install Splunk on a Linux system, expand the tarball into an appropriatedirectory using the tar command:

tar xvzf splunk_package_name.tgz

The default install directory is splunk in the current working directory. To installinto /opt/splunk, use the following command:

tar xvzf splunk_package_name.tgz -C /opt

61

Note: When you install Splunk with a tarball:

Some non-GNU versions of tar might not have the -C argument available.In this case, if you want to install in /opt/splunk, either cd to /opt or placethe tarball in /opt before running the tar command. This method will workfor any accessible directory on your machine's filesystem.

•

Splunk does not create the splunk user automatically. If you want Splunkto run as a specific user, you must create the user manually beforeinstalling.

•

Ensure that the disk partition has enough space to hold the uncompressedvolume of the data you plan to keep indexed.

•

What gets installed

Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-rootuser, make sure that Splunk has the appropriate permissions to read the inputsthat you specify. Refer to the instructions for running Splunk as a non-root userfor more information.

To start Splunk from the command line interface, run the following commandfrom $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory intowhich you installed Splunk):

./splunk start

By convention, this document uses:

$SPLUNK_HOME to identify the path to your Splunk installation.• $SPLUNK_HOME/bin/ to indicate the location of the command line interface.•

62

Startup options

The first time you start Splunk after a new installation, you must accept thelicense agreement. To start Splunk and accept the license in one step:

$SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

Launch Splunk Web and log in

After you start Splunk and accept the license agreement,

1. In a browser window, access Splunk Web at http://<hostname>:port.

hostname is the host machine.• port is the port you specified during the installation (the default port is8000).

•

2. Splunk Web prompts you for login information (default, username admin andpassword changeme) before it launches. If you switch to Splunk Free, you willbypass this logon page in future sessions.

What's next?


Uninstall Splunk Enterprise

To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" inthis manual.

Install on Solaris

You can install Splunk on Solaris with a PKG packages, or a tar file.

Upgrading?


63

Install Splunk

Splunk for Solaris is available as a PKG file or a tar file.

PKG file install

The PKG installation package includes a request file that prompts you to answera few questions before Splunk installs.

pkgadd -d ./splunk_product_name.pkg

A list of the available packages is displayed.

Select the packages you wish to process (the default is "all").•

The installer then prompts you to specify a base installation directory.

To install into the default directory, /opt/splunk, leave this blank.•

PKG file upgrade

To upgrade an existing Splunk installation using a PKG file, you should use theinstance parameter, either in the system's default package installationconfiguration file (/var/sadm/install/admin/default) or in a customconfiguration file that you define and call.

In the default or custom configuration file, set instance=overwrite. This willprevent the upgrade from creating a second splunk package (withinstance=unique), or failing (with instance=quit). For information about theinstance parameter, see the Solaris man page (man -s4 admin).

To upgrade Splunk using the system's default package installation file, use thesame command line as you would for a fresh install.

pkgadd -d ./splunk_product_name.pkg

You will be prompted to overwrite any changed files, answer yes to every one.

To upgrade using a custom configuration file, type:

pkgadd -a conf_file -d ./splunk_product_name.pkg

64

To run the upgrade silently (and not have to answer yes for every file overwrite),type:

pkgadd -n -d ./splunk_product_name.pkg

tar file install

To install Splunk on a Solaris system, expand the tarball into an appropriatedirectory using the tar command:

tar xvzf splunk_package_name.tar.Z


tar xvzf splunk_package_name.tar.Z -C /opt

Note: When you install Splunk with a tar file:

Some non-GNU versions of tar might not have the -C argument available.In this case, if you want to install in /opt/splunk, either cd to /opt or placethe tarball in /opt before running the tar command. This method will workfor any accessible directory on your machine's filesystem.

•

If the gzip binary is not present on your system, you can use theuncompress command instead.

•


•


•

What gets installed

Splunk package info:

pkginfo -l splunk

List all packages:

65

pkginfo

Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-rootuser, make sure that Splunk has the appropriate permissions to read the inputsthat you specify. For more information, refer to the instructions on running Splunkas a non-root user.


./splunk start

By convention, Splunk's documentation uses:


Startup options






1. In a browser window, access Splunk Web at http://mysplunkhost:port, where:

mysplunkhost is the host machine.• port is the port you specified during the installation (8000).•

2. Splunk Web prompts you for login information (default, username admin andpassword changeme) before it launches. If you switch to Splunk Free, you will

66

bypass this logon page in future sessions.

What's next?




Install on Mac OS

You can install Splunk on Mac OS X using a DMG package, or a tar file.

Upgrading?


Installation options

The Mac OS build comes in two forms: a DMG package and a tar file. Below areinstructions for the:

Graphical (basic) and command line installs using the DMG file.• tar file install.•

Note: if you require two installations in different locations on the same host, usethe tar file. The pkg installer cannot install a second instance. If one exists, it willremove it upon successful install of the second.

Graphical install

1. Double-click on the DMG file.

A Finder window containing splunk.pkg opens.

2. In the Finder window, double-click on splunk.pkg.

67

The Splunk installer opens and displays the Introduction, which lists version andcopyright information.

3. Click Continue.

The Select a Destination window opens.

4. Choose a location to install Splunk.

To install in the default directory, /Applications/splunk, click on theharddrive icon.

•

To select a different location, click Choose Folder...•

5. Click Continue.

The pre-installation summary displays. If you need to make changes,

Click Change Install Location to choose a new folder, or• Click Back to go back a step.•

6. Click Install.

Your installation will begin. It might take a few minutes.

7. When your install completes, click Finish. The installer places a shortcut onthe Desktop.

Command line install

1. To mount the dmg:

hdid splunk_package_name.dmg

2. To Install

To the root volume:•

installer -pkg splunk.pkg -target /

To a different disk of partition:•

68

installer -pkg splunk.pkg -target /Volumes\ Disk

-target specifies a target volume, such as another disk, where Splunk will beinstalled in /Applications/splunk.

To install into a directory other than /Applications/splunk on any volume, usethe graphical installer as described above.

tar file install

To install Splunk on a Mac OS, expand the tarball into an appropriate directoryusing the tar command:


The default install directory is splunk in the current working directory. To installinto /Applications/splunk, use the following command:

tar xvzf splunk_package_name.tgz -C /Applications

Note: When you install Splunk with a tarball:


•


•

Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-rootuser, make sure that Splunk has the appropriate permissions to read the inputsthat you specify.

Start Splunk from the Finder

To start Splunk from the Finder, double-click the Splunk icon on the Desktop tolaunch the Splunk helper application, entitled "Splunk's Little Helper".

Note: The first time you run the helper application, it notifies you that it needs toperform a brief initialization. Click OK to allow Splunk to initialize and set up the

69

trial license.

Once the helper application loads, it displays a dialog that offers several choices:

Start and Show Splunk: This option starts Splunk and directs your webbrowser to open a page to Splunk Web.

•

Only Start Splunk: This choice starts Splunk, but does not open SplunkWeb in a browser.

•

Cancel: Tells the helper application to quit. This does not affect theSplunk instance itself, only the helper application.

•

Once you make your choice, the Splunk helper application performs therequested application and terminates. You can run the helper application again toeither show Splunk Web or stop Splunk.

The Splunk helper application can also be used to stop Splunk if it is alreadyrunning.

Start Splunk from the command line


./splunk start



Startup options




70



1. In a browser window, access Splunk Web at http://<hostname>:port


•


What's next?




Install on FreeBSD

The FreeBSD builds comes in two forms: an installer (5.4-intel) and a tar file(i386). Both are gzipped tar (.tgz) files.

Upgrading?


Prerequisites

For FreeBSD 8 , Splunk requires compatibility packages. To install thecompatibility package:

1. Install the port:

portsnap fetch update

71

cd /usr/ports/misc/compat7x/ && make install clean

2. Add the package:

pkg_add -r compat7x-amd64

Basic install

To install FreeBSD using the intel installer:

pkg_add splunk_package_name-6.1-intel.tgz

Important: This installs Splunk in the default directory, /opt/splunk. If /opt doesnot exist, you will need to create it prior to running the install command. If youdon't, you might receive an error message. Splunk recommends that you createa symbolic link to another filesystem and install Splunk there, since bestpractices for FreeBSD maintain a small root ("/") filesystem.

To install Splunk in a different directory:

pkg_add -v -p /usr/splunk splunk_package_name-6.1-intel.tgz

The FreeBSD package system does not have native upgrade support. There aresome add-on utilities which try to manage it, but this is not explicitly tested. Toupgrade a package on FreeBSD you can either uninstall the prior package, andinstall the new package, or you can upgrade the existing installation using a tarfile install as below.

tar file install

To install Splunk on a FreeBSD system, expand the tar file into an appropriatedirectory using the tar command:



tar xvzf splunk_package_name.tgz -C /opt

Note: When you install Splunk with a tar file:

72

Some non-GNU versions of tar might not have the -C argument available.In this case, if you want to install in /opt/splunk, either cd to /opt or placethe tar file in /opt before running the tar command. This method will workfor any accessible directory on your machine's filesystem.

•


•


•

After you install

To ensure that Splunk functions properly on FreeBSD, you must:

1. Add the following to /boot/loader.conf

kern.maxdsiz="2147483648" # 2GBkern.dfldsiz="2147483648" # 2GBmachdep.hlt_cpus=0

2. Add the following to /etc/sysctl.conf:

vm.max_proc_mmap=2147483647

A restart of the OS is required for the changes to effect.

If your server has less than 2 GB of memory, reduce the values accordingly.

What gets installed

To see the list of Splunk packages:

pkg_info -L splunk

To list all packages:

pkg_info

73

Start Splunk



./splunk start



Startup options








•


74

What's next?




Install on AIX

You can install Splunk on AIX using a tar file.

Important: The user Splunk is installed as must have permission to read/dev/urando and /dev/random or the installation will fail.

Upgrading?


Install Splunk

The AIX install comes in tar file form.

When you install with the tar file:

Splunk does not create the splunk user automatically. If you want Splunkto run as a specific user, you must create the user manually.

•

Be sure the disk partition has enough space to hold the uncompressedvolume of the data you plan to keep indexed.

•

We recommend you use GNU tar to unpack the tar files, as AIX tar can failto unpack long file names, fail to overwrite files, and other problems. If youmust use the system tar, be sure to check the output for error messages.

•

To install Splunk on an AIX system, expand the tar file into an appropriatedirectory. The default install directory is /opt/splunk.

For AIX 5.3, check to make sure your service packs are up to date. Splunkrequires the following service level:

75

$ oslevel -r5300-005

Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-rootuser, make sure that Splunk has the appropriate permissions to read the inputsthat you specify. Refer to the instructions for running Splunk as a non-root userfor more information.


./splunk start



Note: The AIX version of Splunk does not register itself to auto-start on reboot.

Startup options




For more information, refer to "Splunk startup options" in this manual.




hostname is the host machine.•

76

port is the port you specified during the installation (the default port is8000).

•


What's next?




Install on HP-UX

You can install Splunk on HP/UX using a tar file.

To install Splunk on an HP-UX system, expand the tar file, using GNU tar, into anappropriate directory. The default install directory is /opt/splunk.

NOTE: The system default tar on HP-UX will not successfully extract the splunktar. GNU tar is a pre-requisite, or you can unpack the tar on another platform.

When you install with the tar file:

Splunk does not create the splunk user automatically. If you want Splunkto run as a specific user, you must create the user manually.

•

Be sure the disk partition has enough space to hold the uncompressedvolume of the data you plan to keep indexed.

•

Upgrading?


77

Start Splunk



./splunk start



Note: The HP-UX version of Splunk does not register itself to auto-start onreboot.

Startup options








•

2. Splunk Web prompts you for login information (default, username admin andpassword changeme) before it launches. If you switch to Splunk Free, you will

78

bypass this logon page in future sessions.

What's next?




Run Splunk as a different or non-root user

Important: This topic is for non-Windows operating systems only. To learn howto install Splunk on Windows using a user, read "Choose the user Splunk shouldrun as" in this manual.

You can run Splunk as any user on the local system. If you run Splunk as anon-root user, make sure Splunk has the appropriate permissions to:

Read the files and directories it is configured to watch. Some log files anddirectories may require root or superuser access to be indexed.

•

Write to Splunk's directory and execute any scripts configured to work withyour alerts or scripted input.

•

Bind to the network ports it is listening on (ports below 1024 are reservedports that only root can bind to).

•

Note: Because ports below 1024 are reserved for root access only, Splunk willonly be able to listen on port 514 (the default listening port for syslog) if it isrunning as root. You can, however install another utility (such as syslog-ng) towrite your syslog data to a file and have Splunk monitor that file instead.

Instructions

To run Splunk as a non-root user, you need to first install Splunk as root. Then,before you start Splunk for the first time, change the ownership of the splunkdirectory to the desired user. The following are instructions to install Splunk andrun it as a non-root user, splunk.

Note: In the following examples, $SPLUNK_HOME represents the path to the Splunkinstallation directory.

79

1. Create the user and group, splunk.

For Linux, Solaris, and FreeBSD:

useradd splunkgroupadd splunk

For Mac OS:

You can use the System Preferences > Accounts panel to add users andgroups.

2. As root and using one of the packages (not a tar file), run the installation.

Important: Do not start Splunk yet.

3. Use the chown command to change the ownership of the splunk directory andeverything under it to the desired user.

chown -R splunk $SPLUNK_HOME

Note: You might also need to change the group ownership for files in the Splunkdirectory. If your system's chown binary does not support changing groupownership of files, you can use the chgrp command to do so. Refer to yoursystem's man pages for additional information.

4. Start Splunk.

$SPLUNK_HOME/bin/splunk start

Also, if you want to start Splunk as the splunk user while you are logged in as adifferent user, you can use the sudo command:

sudo -H -u splunk $SPLUNK_HOME/bin/splunk start

This example command assumes:

If Splunk is installed in an alternate location, update the path in thecommand accordingly.

•

Your system may not have sudo installed. If this is the case, you can use•

80

su.If you are installing using a tar file and want Splunk to run as a particularuser (such as splunk), you must create that user manually.

•

The splunk user will need access to /dev/urandom to generate the certsfor the product.

•

Solaris 10 privileges

When installing on Solaris 10 as the splunk user, you must set additionalprivileges to start splunkd and bind to reserved ports.

To start splunkd as the splunk user on Solaris 10, run:

# usermod -K defaultpriv=basic,net_privaddr,proc_exec,proc_fork splunk

To allow the splunk user to bind to reserved ports on Solaris 10, run (as root):

# usermod -K defaultpriv=basic,net_privaddr splunk

81

Start using Splunk Enterprise

Start Splunk for the first time

Important:

Before you begin using your new Splunk upgrade or installation, you shouldtake a few moments to make sure that Splunk and your data are secure. Formore information, read "Hardening Standards" in the Securing Splunk Manual.To start Splunk:

On Windows

You can start Splunk on Windows using either the command line, or theWindows Services Manager. Using the command line offers more options,described later in this section. In a cmd window, go to C:\ProgramFiles\Splunk\bin and type:

splunk start

(For Windows users: in subsequent examples and information, replace$SPLUNK_HOME with C:\Program Files\Splunk if you have installed Splunk in thedefault location. You can also add %SPLUNK_HOME% as a system-wide environmentvariable by using the System Properties dialog's Advanced tab.)

On UNIX

Use the Splunk command-line interface (CLI):

$SPLUNK_HOME/bin/splunk start

Splunk then displays the license agreement and prompts you to accept beforethe startup sequence continues.

Other start options

To accept the license automatically when you start Splunk for the first time, addthe accept-license option to the start command:

82


The startup sequence displays:

Checking prerequisites...Checking http port [8000]: openChecking mgmt port [8089]: openVerifying configuration. This may take a while...Finished verifying configuration.Checking index directory...Verifying databases...Verified databases: _audit, _blocksignature, _internal, _thefishbucket,history, main, sampledata, splunklogger, summaryChecking index filesAll index checks passed.All preliminary checks passed.Starting splunkd...Starting splunkweb...Splunk Server started.The Splunk web interface is at http://<hostname>:8000

Note: If the default ports are already in use (or are otherwise not available),Splunk will offer to use the next available port. You can either accept this optionor specify a port for Splunk to use.

There are two other start options: no-prompt and answer-yes:

If you run $SPLUNK_HOME/bin/splunk start --no-prompt, Splunk proceedswith startup until it requires you to answer a question. Then, it displays thequestion, why it is quitting, and quits.

•

If you run SPLUNK_HOME/bin/splunk start --answer-yes, Splunk proceedswith startup and automatically answers "yes" to all yes/no questions.Splunk displays the question and answer as it continues.

•

If you run start with all three options in one line, for example:

$SPLUNK_HOME/bin/splunk start --answer-yes --no-prompt --accept-license

Splunk does not ask you to accept the license.• Splunk answers yes to any yes/no question.• Splunk quits when it encounters a non-yes/no question.•

83

Start and disable individual processes

You can start and stop individual Splunk processes by adding the process as anobject to the start command. The objects include:

splunkd, the Splunk server daemon.• splunkweb, Splunk's Web interface process.•

For example, to start only splunkd:

$SPLUNK_HOME/bin/splunk start splunkd

To disable splunkweb:

$SPLUNK_HOME/bin/splunk disable webserver

For more information about start, refer to the CLI help page:

$SPLUNK_HOME/bin/splunk help start

Launch Splunk Web

Navigate to:

http://mysplunkhost:8000

Use whatever host and port you chose during installation.

The first time you log in to Splunk Enterprise, the default login details are:Username - adminPassword - changeme

Splunk Free does not have access controls.

What happens next?

Now that you've got Splunk installed on one server, here are some links to getyou started:

84

Learn what Splunk is, what it does, and how it's different.• Learn how to add your data to Splunk.• Add and manage users.• Estimate how much space you will need to store your Splunk data.• Plan your Splunk deployment, from gigabytes to terabytes per day.• Learn how to search, monitor, report, and more• One of Splunk's biggest differences from traditional technologies is that itclassifies and interprets data at search-time. Learn what this meansand how to use it.

•

If you downloaded Splunk packaged with an app (for example, Splunk +WebSphere), go to Splunk Web and select the app in Launcher to go directly tothe app?s setup page. To see more information about the setup and deploymentfor a packaged app, search for the app name on Splunkbase.

Learn about Splunk's accessibility

Splunk is dedicated to maintaining and enhancing its accessibility and usabilityfor users of assistive technology (AT), both in accordance with Section 508 of theUnited States Rehabilitation Act of 1973, and in terms of best usability practices.This topic discusses how Splunk addresses accessibility within the product forusers of AT.

Accessibility of Splunk Web and the CLI

The Splunk command line interface (CLI) is fully accessible, and includes asuperset of the functions available in Splunk Web. The CLI is designed forusability for all users, regardless of accessibility needs, and Splunk thereforerecommends the CLI for users of AT (specifically users with low or no vision, ormobility restrictions).

Splunk also understands that use of a GUI is occasionally preferred, even fornon-sighted users. As a result, Splunk Web is designed with the followingaccessibility features:

Form fields and dialog boxes have on-screen indication of focus, assupported by the Web browser.

•

No additional on-screen focus is implemented for links, buttons or otherelements that do not have browser-implemented visual focus.

•

Form fields are consistently and appropriately labeled, and ALT textdescribes functional elements and images.

•

85

Splunk does not override user-defined style sheets.• Data visualizations in Splunk Web have underlying data available viamouse-over or output as a data table, such that information conveyed withcolor is available without color.

•

Most data tables implemented with HTML use headers and markup toidentify data as needed.

•

Data tables presented using Flash visually display headers. Underlyingdata output in comma separated value (CSV) format have appropriateheaders to identify data.

•

Accessibility and real-time search

Splunk Web does not include any blinking or flashing components. However,using real-time search causes the page to update. Real-time search is easilydisabled, either at the deployment or user/role level. For greatest ease andusability, Splunk recommends the use of the CLI with real-time functionalitydisabled for users of AT (specifically screen readers). Refer to "How to restrictusage of real-time search" in the Search Manual for details on disabling real-timesearch.

Keyboard navigation using Firefox and Mac OS X

To enable Tab key navigation in Firefox on Mac OS X, use system preferencesinstead of browser preferences. To enable keyboard navigation:

1. In the menu bar, click [Apple icon]>System Preferences>Keyboard to openthe Keyboard preferences dialog.

2. In the Keyboard preferences dialog, click the Keyboard Shortcuts button atthe top.

3. Near the bottom of the dialog, where it says Full Keyboard Access, click theAll controls radio button.

4. Close the Keyboard preferences dialog.

5. If Firefox is already running, exit and restart the browser.

86

Install a Splunk Enterprise license

About Splunk licenses

Splunk takes in data from sources you designate and processes it so that youcan analyze it in Splunk. We call this process indexing. For information aboutthe indexing process, refer to "What Splunk does with your data" in the GettingData In Manual.

Splunk licenses specify how much data you can index per day.

For more information about Splunk licenses, begin by reading:

"How Splunk licensing works" in the Admin Manual.• "Types of Splunk licenses" in the Admin Manual.• "More about Splunk Free" in the Admin Manual.•

Install a license

This topic discusses installing new licenses. Before you proceed, you may wantto review these topics:

Read "How Splunk licensing works" in the Admin Manual for anintroduction to Splunk licensing.

•

Read "Groups, stacks, pools, and other terminology" in the Admin Manualfor more information about Splunk license terms.

•

Add a new license

To add a new license:

1. Navigate to Settings > Licensing.

2. Click Add license.

87

3. Either click Choose file and navigate to your license file and select it, or clickcopy & paste the license XML directly... and paste the text of your license fileinto the provided field.

4. Click Install. If this is the first Enterprise license that you are installing, youmust restart Splunk. Your license is installed.

License violations

Violations occur when you exceed the maximum indexing volume allowed foryour license. If you exceed your licensed daily volume on any one calendar day,you will get a violation warning. The message persists for 14 days. If you have 5or more warnings on an Enterprise license or 3 warnings on a Free licensein a rolling 30-day period, you are in violation of your license and searchwill be disabled. Search capabilities return when you have fewer than 5(Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply atemporary reset license (available for Enterprise only). To obtain a reset license,contact your sales rep.

Note: Summary indexing volume is not counted against your license.

If you get a violation warning, you have until midnight (going by the time on thelicense master) to resolve it before it counts against the total number of warningswithin the rolling 30-day period.

During a license violation period:

88

Splunk does not stop indexing your data. Splunk only blocks search whileyou exceed your license.

•

Searches to the _internal index are not disabled. This means that youcan still access the Indexing Status dashboard or run searches against_internal to diagnose the licensing problem.

•

Got license violations? Read "About license violations" in the Admin Manual or"Troubleshooting indexed data volume" from the Splunk Community Wiki.

More licensing information is available in the "Manage Splunk licenses" chapterin the Admin Manual.

89

Upgrade or migrate Splunk Enterprise

How to upgrade Splunk

This topic discusses how to upgrade Splunk and its components from oneversion to another.

In many cases, you upgrade Splunk by installing the latest package over yourexisting installation. On Windows systems, the installer package detects whenyou have a version installed and offers to upgrade it for you.

Note: When upgrading Splunk, be sure to upgrade it using an administrativelevel account.

What's new and awesome in 6.0?

Read "Meet Splunk 6.0" in the Release Notes for a full list of the new featureswe've delivered in 6.0.

Review the known issues in the Release Notes for a list of issues andworkarounds in this release.

Always back up your existing deployment first

Get into the habit of backing up your existing deployment before any upgrade ormigration.

You can manage your risk by using technology that allows you to restore yourSplunk install and data to a state prior to the upgrade, whether you use externalbackups, disk or file system snapshots, or other means. When backing up yourSplunk data, consider the $SPLUNK_HOME directory, as well as any indexesoutside of it.

For more information about backing up your Splunk deployment, read the topics"Back up configuration information" in the Admin Manual and "Back up indexeddata" in the Managing Indexers and Clusters Manual.

90

Then, read about important migration information beforeupgrading

Important: Before upgrading, be sure to read "About upgrading to 6.0: READTHIS FIRST" for specific migration tips and information that might affect you.

Upgrade from 5.0 and later

Splunk supports a direct upgrade from versions 5.0 and later to version 6.0.

If you're upgrading from 5.0 or later, read the rest of this topic first beforeproceeding with the installation instructions linked below.

Upgrade to 6.0 on Linux, Solaris, FreeBSD, HP-UX, AIX, and MacOS• Upgrade to 6.0 on Windows•

Upgrade from 4.3

Splunk also supports a direct upgrade from version 4.3 and later to version 6.0.

Upgrading directly to 6.0 from versions older than 4.3 is not officially supported. Ifyou are running a version of Splunk earlier than 4.3, then you should upgrade to4.3 first before attempting an upgrade to 6.0. Read "About upgrading to 4.3READ THIS FIRST" for specific details on how to upgrade to version 4.3.

Upgrade distributed deployments

If you're planning to upgrade your distributed Splunk environment, be sure toread "Upgrade your distributed environment" in the Distributed DeploymentManual for guidance on how to do so with minimal impact.

Upgrade clustered environments

Important: All nodes of a clustered Splunk environment must run the sameversion of Splunk. If you plan to upgrade your clustered environment, you mustupgrade all nodes (including search heads, master nodes, and peer nodes) in thecluster at the same time. Read "Upgrade your clustered deployment" in theManaging Indexers and Clusters Manual for specific details.

91

Upgrade universal forwarders

Upgrading universal forwarders is a different process than upgrading full Splunk.Before upgrading your universal forwarders, be sure to read the appropriateupgrade topic for your operating system:

Upgrade the Windows universal forwarder• Upgrade the Unix universal forwarder•

To learn about interoperability and compatibility between indexers and universalforwarders, read "Indexer and universal forwarder compatibility" in the"Deployment Overview" topic of the Forwarding Data manual.

About Upgrading to 6.0 - READ THIS FIRST

This topic contains some important information and tips that you should readbefore upgrading to version 6.0 from an earlier version.

Important: Not all Splunk apps and add-ons are compatible with SplunkEnterprise 6.0. If you are considering an upgrade to this release, please checkSplunk Apps to confirm that your apps are compatible with Splunk Enterprise 6.0.

Splunk Enterprise supports the following upgrade paths to Version 6.0 of thesoftware:

From version 5.0 or later to 6.0.• From version 4.3 or later directly to 6.0.• From version 4.3 or later to 5.0, and then from version 5.0 or later to 6.0.•

Upgrading to 6.0 from 4.3 and later is pretty simple, but here are a few things youshould be aware of when installing the new version:

You want to know this stuff

We have changed the Splunk Enterprise user interface...significantly

One of the biggest and most important things that you will notice after youupgrade to version 6.0 is the new user interface. We have transformed how youaccess Splunk through Splunk Web. To that end, the way you do things inSplunk Web on version 6 has changed from how you would do things in previousversions of the product.

92

For a list of some of the things that have changed in Splunk Web, read"How Splunk Web procedures have changed from version 5 to version 6"in this manual.

•

For an introduction on how to access Splunk Web using the new interface,check out the updated Splunk Search Tutorial.

•

We have changed a number of the Splunk terms that you've come to know

Along with a changed user interface, we've also changed a number of the termsyou've been used to when using Splunk. Here's a list of some of them:

Manager, Splunk's main configuration interface, is now known asSettings.

•

Launcher, the initial menu you see when you run Splunk, is now known asHome.

•

Saved searches are now known as reports.• A saved search with an alert is now known as an alert.• "TSIDX stats" are now known as indexed field statistics.•

We have changed some application development parameters andprocedures

If you develop any type of Splunk app, be sure to read "Changes for Splunk appdevelopers" to find out how to build or migrate your existing apps to workproperly with version 6.

Other notable changes

Upgrade all nodes in a clustered environment at the same time

All nodes of a clustered Splunk environment must run the same version ofSplunk. If you plan to upgrade your clustered environment, you must upgrade allnodes (including search heads, master nodes, and peer nodes) in the cluster atthe same time. Read "Upgrade your clustered deployment" in the ManagingIndexers and Clusters Manual for specific details.

We have increased the default amount of required available disk space forindexing and searching

Prior to version 6.0, the default amount of free space Splunk needed to index andsearch was 2 gigabytes. When you upgrade, Splunk raises this defaultrequirement to 5 gigabytes. Before you upgrade, make sure you have enoughfree space on the volume(s) that contain Splunk indexes and search dispatch

93

directories to ensure uninterrupted index and search operation.

Splunk no longer uses CHECK_FOR_HEADER for field extraction fromstructured data files

The deprecated CHECK_FOR_HEADER attribute in props.conf will no longer functionfor any new sourcetypes defined for structured data extraction. This means that,when you upgrade, attempts to use CHECK_FOR_HEADER will result in Splunklogging an error and disabling the associated definition.

This change does not impact structured data definitions created prior to theupgrade - those definitions will continue to work with the CHECK_FOR_HEADERattribute.

For information on Splunk's new structured data field extraction capabilities, read"Extract data from files with headers" in the Getting Data In Manual.

We have reduced the maximum real-time search multiplier attribute inlimits.conf

We have reduced how many real-time searches a Splunk system can run bydefault.

In Splunk version 5.x, you used to be able to run a number of searches equal tothe following formula, based on attributes from limits.conf:

Number of CPU cores * max_searches_per_cpu + base_max_searches *max_rt_search_multiplier

The max_rt_search_multiplier attribute's default value was 3. When youupgrade, Splunk reduces the default value to 1. This means that your real-timesearch capacity will be effectively reduced by 66% unless you reset this attributeby editing a copy of limits.conf after the upgrade.

We have extended the _internal index's retention period

In an effort to provide better statistics on license usage, we have extended theretention period of the _internal index from 28 days to 30 days. When youupgrade, you might notice that Splunk uses up to an additional 7 percent ofavailable disk space on the server which hosts that index.

94

The "Results Display Option" dialog for search queries does not retainchanges through an upgrade

If you make changes to the results display options for a given search query inversion 5.x, Splunk does not retain those choices through an upgrade. You mustmake those changes again after the upgrade is complete.

Some upgraded dashboards display visible axis titles where they did notbefore

When you upgrade, some dashboards will display visible axis titles which did notexist prior to the upgrade. To address the issue, use the visualizations editor toremove the titles.

View states do not persist during the upgrade

If you make a change to a view state (such as adjusting the number of items toshow per page in the flash timeline) and then upgrade Splunk, Splunk does notpreserve the view state through the upgrade, and the default view loads whenyou use the upgraded version.

This is because Splunk assigns each view state a module ID, which changeswhen you modify the view state's XML (by modifying the view).

We have changed how you set the default search time range

Prior to version 6, you could set the default search time range by selecting thedesired entry in the flash timeline. Once you upgrade, you must use aconfiguration file, ui-prefs.conf, to set these default time ranges. Selecting thetime range in the time range picker in a view will no longer have any affect.

To learn how to use this file to set time ranges, read "Change the defaultselected time range" in the Search Manual.

The configuration location for globally unique identifiers (GUIDs) haschanged

We have changed the location for the configuration of GUIDs for Splunkinstances. In Splunk 6.0, instead of setting the GUID in server.conf, you mustnow set it in instance.cfg.

95

In props.conf, the initCrcLength attribute is now valid for sourcetypestanzas

Prior to Splunk 6.0, you could only use the initCrcLength attribute in a[source::<source>] stanza type. Now, you can use this attribute in any[<sourcetype>] stanzas as well.

Notable changes for those upgrading directly from version 4.3to version 6

We have changed how Splunk handles invalid regular expressions inmonitoring stanza filters

For versions 5.0.3 and later of Splunk, including version 6.0, we've changed howSplunk deals with improperly formatted regular expressions in monitoring stanzafilter attributes in inputs.conf.

If you supply an invalid regular expression for a filter attribute (for example,whitelist or blacklist) in a monitoring stanza, Splunk now ignores the entirestanza as being invalid, instead of ignoring only the filter attribute with the invalidregular expression. This means that Splunk will not monitor whatever data thatstanza references until you fix the error and restart Splunk. Here's an example:

[monitor:///a/directory]whitelist = unclosed[class

This stanza is invalid because the whitelist attribute has an invalid valueassigned to it (the "unclosed[class" regular expression is missing the rightbracket (])).

In version 5.0.2 and earlier, including version 4.3, Splunk monitors the files in/a/directory while ignoring the whitelist attribute.

TailingProcessor - Ignoring regular expression 'your_regex' in stanza'your_stanza' due to 'error_message'.

In version 5.0.3 and later, Splunk ignores the [monitor:///a/directory] stanza,logs an error in splunkd.log, and does not monitor the files in /a/directory:

TailingProcessor - Invalid regular expression: 'your_regex' in stanza'your_stanza' due to: error_message, ignoring this stanza.

When you upgrade, Splunk warns you of any invalid regular expressions itdetects, and prompts you to fix them before attempting to complete the migration.To prevent this warning from occurring, check inputs.conf to ensure that all yourmonitoring stanzas have valid values before starting the upgrade.

96

Note: This change was originally introduced in Splunk 5.0.2, but we include ithere for users who plan to upgrade directly from version 4.3 to version 6.0.

We have deprecated the fschange monitor

We have deprecated the fschange monitor input. This means that although itcontinues to function in version 6.0 of Splunk, it might be removed in a futureversion. As an alternative, you can:

Learn how to monitor file system changes on Windows systems.• Use the auditd daemon on *nix systems and monitor output from thedaemon.

•

Note: This change was originally introduced in Splunk 5.0, but we include it herefor users who plan to upgrade directly from version 4.3 to version 6.0.

Forwarding method now defaults to auto-loadbalancing

Splunk 6.0 now makes auto-load balancing the default method of forwarding datato multiple indexers at one time.


Splunk now offers integrated PDF printing

With version 6.0 of Splunk comes integrated PDF printing. This means that PDFprinting no longer requires a Linux Splunk instance.

There are some things to pay attention to when upgrading, however - particularlywith regards to views that contain Advanced XML. Additional information can befound in "Generate PDFs of your reports and dashboards" in the new ReportingManual.

Note: This feature was originally introduced in Splunk 5.0, but we include it herefor users who plan to upgrade directly from version 4.3 to version 6.0.

Splunk uses more *nix file descriptors

Splunk 6.0 uses more file descriptors on *nix filesystems than version 4.3 didwhen monitoring files.

97

Before you upgrade, consider increasing the number of open file descriptors yoursystem can use with the ulimit command.


Splunk's database-checking utility might use more resources

After you upgrade to 6.0, Splunk's database consistency checking utility (fsck)might use more system resources (in particular, disk I/O) when they run,particularly if bloom filters are being created at the same time.


Windows-specific changes

Upgrading a Windows universal forwarder can result in the collection ofunwanted data under certain conditions

Under certain conditions, upgrading a Splunk universal forwarder from Versions4.3 or 5 to Version 6 can result in the unexpected collection of Windows data,which can impact your licensing volume. Be sure to read "Workaround forWindows universal forwarder enabling inputs unexpectedly on installation orupgrade" in the Release Notes for a fix to this specific issue.

The Windows Event Log input is now modular and has additional filteringcapabilities

The Windows event log input gets two new improvements:

The input, which until now had its own input processor, is now modular.This helps increase its efficiency and removes the limit of 64 concurrentEvent Log channels. Since the Windows Event Log input already usesinputs.conf, there should be no impact to your configuration by thischange. However, we suggest that you review any .conf files post-upgradeas a precautionary measure.

•

Additionally, the input receives several new attributes which allow you tofilter events based on their Windows Event IDs and suppress event logtext.

•

98

There are also certain situations where, if you use a deployment server to controlconfigurations, some versions of universal forwarder might collect duplicateevents. See "Upgrade deployment servers and installed apps that use 6.0stanzas might generate duplicate events" below for additional information.

Upgraded deployment servers and installed apps that use 6.0 stanzasmight generate duplicate events

In order to maintain interoperability, Splunk does not remove an old-styleWindows Event Log stanza during an upgrade to version 6. Instead, it notifiesyou that you need to remove them yourself manually.

This is particularly important for deployment servers or universal forwarders thathost apps that use 6.0 style configuration file stanzas. When you upgrade, if youdo not remove the old-style stanzas, Splunk might generate duplicate events.

Splunk on Windows introduces three new inputs: Host, printer, andnetwork monitoring

New for version 6.0, Splunk introduces three new Windows-only modular inputs:Host monitoring, print monitoring, and network monitoring.

Host monitoring allows you to collect information about a Windows system,including operating system build and version, system architecture and memory,running processes and services, and installed applications.

Print monitoring lets you gather information on your printer subsystem, includinginstalled printers, print drivers and ports, and also allows you to check print jobs.

Network monitoring lets you collect information on the configuration and status ofthe networking subsystem on Windows computers.

For additional information on these three new inputs, read the following topics inthe Getting Data In Manual:

Monitor Windows host information• Monitor Windows print subsystem information• Monitor Windows network information•

Windows users now have a file monitoring input that does not use filehandles

99

On Windows instances of Splunk only, a new file monitoring input,MonitorNoHandle allows users to monitor files without using system file handles.This addresses problems with cases where a file handle prevents a file frombeing closed properly, such as what occurs with Microsoft's DNS server logswhen the DNS server attempts to roll them.

The MonitorNoHandle input is only accessible by editing inputs.conf. You cannotenable this input with Splunk Web.

The Windows Registry and Active Directory inputs are now modular

In our ongoing efforts to streamline configuration files, we have made theWindows Registry monitor and Active Directory inputs modular. This means that,among other things, instead of using separate configuration files, these inputsnow use inputs.conf for configuration. When you upgrade, settings will getmigrated from the existing configuration files to inputs.conf.

Splunk will migrate the following files during the upgrade:

Registry monitoring: regmon-filters.conf• Active Directory: admon.conf•

What happens after you upgrade:

Registry monitoring stanzas will appear in inputs.conf as[WinRegMon://<stanza name>].

•

Active Directory stanzas will appear in inputs.conf as [admon://<stanzaname>].

•

Be sure to review the updates to inputs.conf after the upgrade is complete.

Active Directory monitoring time formats have changed

The time stamp format that Splunk's Active Directory monitoring input logs in haschanged. In Splunk 6.0 and later, AD monitoring inputs log events as follows:

pwdLastSet=07:03.12 pm, Mon 04/30/2012

If you use Active Directory monitoring inputs, you might be impacted by thischange after you upgrade, particularly if you have configured alerts that rely onthe old time stamp format.

100

No support for enabling Federal Information Processing Standards (FIPS)after an upgrade

There is no supported upgrade path from a Splunk 5.x system with enabledSecure Sockets Layer (SSL) certificates to a Splunk 6.0 system with FIPSenabled.

How Splunk Web procedures have changed fromversion 5 to version 6

This topic lists some of the major differences in the way you accomplish tasks inSplunk Web from previous versions to version 6.

What's changed?

The table below shows the major differences in Splunk Web process fromprevious versions of Splunk to version 6.

Procedure/Task How you used to do it How you do it now

First time login to Splunk

In 5.x, the Splunk launcherhas two tabs: Welcome andSplunk Home. In Welcome,you can Add data andLaunch search app.

In 6.x, Splunklaunches with Home.In Home, you canaccess Apps directly,Add data, or accessthe Manage datapage.

Returning to Home

In 5.x, to return toHome/Welcome youselected the Home app fromthe App menu.

In 6.x, you click theSplunk logo in theupper left of thenavigation bar. Doingso always returns youto Home.

Edit account information

In 5.x you accessed youraccount information (changefull name, email address,default app, timezone,password) under Manager >Users and authentication >Your account.

In 6.x, you access itdirectly from theSplunk navigationunder Administrator >Edit account.

101

Logout from SplunkIn 5.x, you clicked the"Logout" button on thenavigation bar.

In 6.x, you selectAdministrator ->Logout

Manager/Settings

In 5.x, you edited all objectsand system configurationsfrom the Manager page orfrom the "Administrator" linkon the navigation bar.

In 6.x, you accessthese configurationsdirectly from theSettings menu. Thereis no separateManager page.

Manage Apps: Editpermissions for installedapps, create a new app,or browse Splunkbase forcommunity apps

In 5.x, you used Manager ->Apps or selected from theApp menu.

In 6.x, you use theApp menu on thenavigation bar or theoptions under the Apppanel from Home.

Search/? 5.x -> 6.x Summary, Search Search

Searches & Reports Reports

Dashboards & Views Dashboards

Find the list of alerts In the navigation bar, youselected "Alerts".

In the navigation bar,you select "TriggeredAlerts"

Find the timeline

In 5.x, the timeline wasalways visible as part of thedashboard after you ran asearch. You can hide thetimeline.

In 6.x, you can onlyview the timeline ifyou're looking at theEvents tab after yourun a search.

Changes for Splunk App developers

If you develop apps for Splunk, read this topic to find out what changes we'vemade to how Splunk works with apps in version 6.0, and how to migrate anyexisting apps to work with the new version.

We have removed support for FlashCharts in simple XMLdashboards

We no longer support using FlashCharts in simple XML dashboards. This changeprovides a more consistent dashboard user experience for iOS devices andwhen users need to create PDFs. When users upgrade to version 6 of Splunk:

102

Splunk will silently ignore any charting options that previously triggered therendering of FlashCharts.

•

No actionable requirement here, but note that Splunk might render somecharts differently in version 6.0 as a result.

•

We no longer support viewstates in simple XML

We have removed Splunk's capability to support view states in simple XML. Thismeans that, when users upgrade:

Any chart options that were saved in viewstates will no longer be layeredin dashboard rendering.

•

Users will need to manually migrate these chart options to the simple XMLview configuration.

•

In addition, dynamic chart resizing no longer persists beyond the pageview.

•

Users that are interested in persistence should save this in simple XML(<option name=height>300px</option>)

•

We no longer allow Splunk's Search page to be restyled

The new Search page in Splunk 6.0 can no longer be customized, as it does notload any custom JavaScript or CSS.

We have added restrictions to how you can style the AppBar

For consistency between apps, Splunk 6.0 now constrains AppBar customizationto:

colorTo set a color in the AppBar, edit the navigation menu default.xml (forexample, <nav color="#0072C6">).

logoIf no logo file is found, the app name is displayed instead.

We have made changes to support for custom JavaScript andCSS

Version 6 of Splunk gets a refactored rendering engine, and as a result, many ofthe function calls that the application.js and application.css files use nolonger work after users upgrade.

103

For app backward compatibility, in Splunk 6, simple XML dashboards nolonger load application.js and application.css automatically.

•

Instead, simple XML dashboards in Splunk 6 load dashboard.js anddashboard.css automatically.

•

You can control the loading of specific JavaScript and CSS files within theconfiguration of each simple XML dashboard. You control this using thetop-level attributes (<dashboard script=my_script.jsstylesheet=my_stylesheet.css>).

•

This design approach allows you to use application.js andapplication.css for previous versions of Splunk, as well as dashboard.jsand dashboard.css for Splunk 6.0 and later.

•

For security purposes, we now prohibit JavaScript within thedefault.xml file for dashboard navigation menus

We no longer allow JavaScript to run in a dashboard's navigation menu. Thismeans that, when users upgrade:

Any app that has packaged the "Create new dashboard..." link within theirnavigation menu (like the old search app) will find this to no longer work inSplunk 6.0.

•

You should remove this from your default.xml configuration.•

Splunk now has a new "search" view page

Splunk 6.0 introduces a new search page "search" as a replacement to theexisting Flash timeline. While the product still contains Flash timeline, you shouldchange all references to flashtimeline within an app to "search" instead.

This includes references within navigation menu's default.xml.• It also includes references within any dashboard views (mainly forlinkView options).

•

We have made new global pages available to add to your app

Splunk 6.0 provides easier access to reports, alerts, dashboards, and datamodels packaged within your app. We provide this access through via new listingpages for each of these objects (dashboards, reports, alerts, data_models).

To add these views, edit your navigation menu's default.xml.•

104

We have added the ability to run search queries from theHome page for your app

Splunk 6.0 enables end-users to run a search query from within the Home page,and target specific apps. You can allow end-users to directly target your app byconfiguring your app's navigation menu default.xml.

To do this, edit default.xml and add the target view (<navsearch_view="search">).

We have introduced "Data Models"

Splunk 6.0 introduces data models that you can package within your apps. Toadd data models to your apps, package them within$SPLUNK_HOME/etc/apps/<app_name>/default/data/models

We have made changes to how Splunk works with customHTML dashboards

Splunk 6.0 has added knowledge objects to be included in default.meta, andnow supports dashboard views written entirely in HTML (by leveraging the newsplunkjs library).

You can add custom HTML dashboards by packaging them within$SPLUNK_HOME/etc/apps/<app_name>/default/data/ui/html and referencingthem in default.meta with the object name [html].

We have added interval support for modular inputs

Prior to version 6, Splunk invoked any configured modular inputs when theSplunk daemon started. In version 6, splunkd now checks the inputs at specificintervals.

You can choose whether or not you want to refactor your script to use thisinterval support.

We have changed where Splunk looks for the icon files

In versions of Splunk prior to 6.0, Splunk looked in$SPLUNK_HOME/etc/apps/<your_app>/appserver/static. When users upgrade,Splunk then looks in $SPLUNK_HOME/etc/apps/<your_app>/static.

105

We now require higher-resolution application logos and icons

In order to support displays with pixel density ratio of greater than 1:1 (as is thecase for systems like the MacBook Pro with Retina Display), you must now usehigher resolution icons and/or logos alongside the standard size icons and logos.

The file names for these higher-resolution icons and logos must beappLogo_2x.png and appIcon_2x.png.

•

When packaging your application icons and logos, put them in$SPLUNK_HOME/etc/apps/<app_name>/static.

•

Your application logo has the following additional specifications:The background must be transparent.♦ Its width can vary, but:♦ Its height, with margins, must be no more than 40 pixels (80 pixelsfor the high resolution version).

♦

Within this 40-pixel limit, there must be a margin of at least 10pixels on the top and bottom sides (20 pixels for the high resolutionversion) which leaves a maximum of 20 pixels of height availablefor your logo.

♦

There is, however, some leeway to go into the margin area,particularly if the logo has any bits that stick up or down or it'sparticularly complex, square or round.

♦

•

106

Upgrade to 6.0 on UNIX

This topic describes the procedure for upgrading your Splunk instance fromversions 4.3.x or 5.0.x or later to 6.0.

107

Before you upgrade

Make sure you've read this information before proceeding, as well as thefollowing:

Back your files up

Before you perform the upgrade, we strongly recommend that you back up all ofyour files, including Splunk configurations, indexed data, and binaries. Splunkdoes not provide a means of downgrading to previous versions; if you need torevert to an older Splunk release, just reinstall it.

For information on backing up data, read "Back up indexed data" in theManaging Indexers and Clusters Manual.

For information on backing up configurations, read "Back up configurationinformation" in the Admin manual.

How upgrading works

After performing the installation of the new version, Splunk does not actuallymake changes to your configuration until after you restart it. You can run themigration preview utility at that time to see what will be changed before the filesare updated. If you choose to view the changes before proceeding, a filecontaining the changes that the upgrade script proposes to make is written to$SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>

Steps for upgrading

1. Execute the $SPLUNK_HOME/bin/splunk stop command.

Important: Make sure no other processes will start Splunk automatically (suchas Solaris SMF).

2. To upgrade and migrate from version 4.3.x and later, install the Splunkpackage over your existing Splunk deployment:

If you are using a .tar file, expand it into the same directory with the sameownership as your existing Splunk instance. This overwrites and replacesmatching files but does not remove unique files.

Note: AIX tar will fail to correctly overwrite files when run as a userother than root. Use GNU tar (gtar) to avoid this problem.

•

108

If you are using a package manager, such as RPM, type rpm -Usplunk_package_name.rpm

•

If you are using a .dmg file (on Mac OS X), double-click it and follow theinstructions. Be sure to specify the same installation directory as yourexisting installation.

•

3. Execute the $SPLUNK_HOME/bin/splunk start command.

The following output is displayed:

This appears to be an upgrade of Splunk.--------------------------------------------------------------------------------Splunk has detected an older version of Splunk installed on thismachine. Tofinish upgrading to the new version, Splunk's installer willautomaticallyupdate and alter your current configuration files. Deprecatedconfigurationfiles will be renamed with a .deprecated extension.You can choose to preview the changes that will be made to yourconfigurationfiles before proceeding with the migration and upgrade:If you want to migrate and upgrade without previewing the changes thatwill bemade to your existing configuration files, choose 'y'.If you want to see what changes will be made before you proceed withtheupgrade, choose 'n'.Perform migration and upgrade without previewing configuration changes?[y/n]

4. Choose whether you want to run the migration preview script to see whatchanges will be made to your existing configuration files, or proceed with themigration and upgrade right away.

5. If you choose to view the expected changes, the script provides a list.

6. Once you've reviewed these changes and are ready to proceed with migrationand upgrade, run $SPLUNK_HOME/bin/splunk start again.

Note: You can complete Steps 3 to 5 in one line:

To accept the license and view the expected changes (answer 'n') beforecontinuing the upgrade:

109

$SPLUNK_HOME/bin/splunk start --accept-license --answer-no

To accept the license and begin the upgrade without viewing the changes(answer 'y'):

$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes

Upgrade to 6.0 on Windows

This topic describes the procedure for upgrading your Windows Splunk instancefrom versions 4.3.x or 5.0.x and later to 6.0. You can upgrade using the GUIinstaller, or by running the msiexec utility on the command line as described in"Install on Windows via the command line".

Before you upgrade

Make sure you've read this information before proceeding, as well as thefollowing:

Make sure you specify the same domain user

When upgrading, you must explicitly specify the same domain user that youspecified during first time install. If you do not specify the same user, Splunk willdefault to using the Local System User. If you accidentally specify the wrong userduring your installation, use these instructions to switch to the correct userbefore starting Splunk.

Don't change the ports

Splunk does not support changing the management port and/or the HTTP portwhen upgrading.

Back your files up

Before you perform the upgrade, we strongly recommend that you back up all ofyour files, including Splunk configurations, indexed data and binaries. Splunkdoes not provide a means of downgrading to previous versions; if you need torevert to an older Splunk release, just reinstall it.

110

For information on backing up data, read "Back up indexed data" in theManaging Indexers and Clusters Manual.

For information on backing up configurations, read "Back up configurationinformation" in the Admin manual.

Note: When you upgrade to Splunk 6.0 on Windows, the installer overwrites anycustom certificate authority (CA) certificates you have created in%SPLUNK_HOME%\etc\auth. If you have custom CA files, make sure to back themup before you upgrade. After the upgrade, you can copy them back into%SPLUNK_HOME%\etc\auth to restore them. After you have restored the certificates,restart Splunk.

Don't attempt to downgrade after you've upgraded

After you upgrade Splunk to version 6, if you need to downgrade, you mustuninstall version 6 of Splunk and then reinstall the previous version of Splunk thatyou were using. Do not attempt to install over a Splunk 6 installation with aninstaller from a previous version. Doing so can result in a corrupt instance anddata loss.

Upgrade using the GUI installer

1. Stop Splunk by either using the Services control panel or executing the%SPLUNK_HOME%\bin\splunk stop command.

2. Download the new MSI file from the Splunk download page.

3. Double-click the MSI file. The Welcome panel is displayed. Follow theon-screen instructions to upgrade Splunk. For information about each panel,refer to the installation instructions.

4. Splunk will start up by default when you complete the installation.

A log of the changes made to your configuration files during the upgrade isplaced in %TEMP%.

Upgrade using the command line

1. Stop Splunk either by using the Services control panel or executing the %SPLUNK_HOME%\bin\splunk stop command.

2. Download the new MSI file from the Splunk download page.

111

3. Use the instructions in "Install on Windows via the command line".

If Splunk is running as a user other than the Local System user, you mustexplicitly specify this user in your command-line instruction.

•

You can use the LAUNCHSPLUNK flag to specify whether Splunk should startup automatically or not when you're finished, but you cannot change anyother settings.

•

DO NOT change the ports (SPLUNKD_PORT and WEB_PORT) at this time.•

4. Depending on your specification, Splunk may start automatically when youcomplete the installation.

A log of the changes made to your configuration files during the upgrade isplaced in %TEMP%.

Start Splunk

On Windows, Splunk is installed by default into %SYSTEMDRIVE%\ProgramFiles\Splunk and is started by default.

You can start and stop the following Splunk processes via the Windows Servicescontrol panel:

Server process: splunkd• Web interface process: splunkweb•

You can also start, stop, and restart both processes at once by going to%SYSTEMDRIVE%\Program Files\Splunk\bin and typing

# splunk [start|stop|restart]

Migrate a Splunk instance

This topic discusses the procedure for migrating a Splunk instance from oneserver, operating system, architecture, or filesystem to another, while maintainingthe indexed data, configurations, and users. This is different than upgrading aninstance, which is merely installing a new version on top of an older one (though,an upgrade is a form of migration).

112

When to migrate

There are a number of reasons to migrate a Splunk install:

Your Splunk installation is on a server that you wish to retire or reuse foranother purpose.

•

Your Splunk installation is on an operating system that either yourorganization or Splunk no longer supports, and you want to move it to anoperating system that is supported.

•

You are switching operating systems (for example, from *nix to Windowsor vice versa)

•

You want to move your Splunk installation to a different file system.• Your Splunk installation is on 32-bit architecture, and you wish to move itto a 64-bit architecture for better performance.

•

Your Splunk installation is on a system architecture that you plan to nolonger support, and you want to move it to an architecture that you dosupport.

•

What to consider when migrating

While migrating a Splunk instance is simple in many cases, there are someimportant considerations to note when doing so. Depending on the type, version,and architecture of the systems involved in the migration, you might need toconsider more than one of these items at a time.

When migrating a Splunk instance, be sure to note:

Endianness

If you indexed data with a version of Splunk earlier than 4.2, the index files thatcomprise that data are sensitive to an operating system's endianness, which isthe way the system organizes the individual bytes of a binary file (or other datastructure).

Some operating systems are big-endian (meaning they store the most significantbyte of a binary file first), and others are little-endian (meaning they store theleast significant byte first). These operating systems create binary files of thesame endianness. Index bucket files are binary, and thus, for versions of Splunkearlier than 4.2, are the same endianness of the operating system that createdthem.

For a listing of processor architectures and the endianness they use, refer to theEndianness article on Wikipedia.

113

When you migrate a pre-4.2 Splunk instance, in order for the destination systemto be able to read the migrated data, you must transfer index files betweensystems with the same kind of endianness (for example, a NetBSD systemrunning on a SPARC processor to a Linux system also running on a SPARCprocessor.)

If you can't move index between systems with the same endianness (forexample, when you want to move from a system that's big-endian to a systemthat's little-endian), then you must use alternative methods to move the data.

You can move the data by forwarding it from the big-endian system to thelittle-endian system. Then, once you have forwarded all the data, you canretire the big-endian system.

•

You can export the data from the big-endian system using Splunk'sexporttool CLI command to comma-separated values (CSV) file, thenimport the CSV data into the little-endian system with the importtool CLIcommand. Read "Export and import index data between systems usingexporttool/importtool" in this topic for additional information. Caution: Thisis an advanced procedure, and can take an extremely long amount oftime, depending on how much data needs to be transferred. If youwant to use this method, we strongly suggest that you consult Splunk'sProfessional Services team for assistance.

•

Index files created by Splunk versions 4.2 and later do not have problems withendianness.

Differences in Windows and Unix path separators

The path separator (the character used to separate individual directory elementsof a path) on *nix and Windows is different. When moving index files betweenthese operating systems, you must make sure that the path separator you use iscorrect for the operating system you want to move the Splunk installation to. Youmust also make sure that you update any Splunk configuration files (in particular,indexes.conf) to use the correct path separator.

Windows permissions

When moving a Splunk instance between Windows servers, make sure that thedestination server has the same rights assigned to it that the source server does.This includes but is not limited to the following:

Ensure that the file system and/or share permissions on the target serverare correct and allow access for the user that runs Splunk.

•

114

If Splunk runs as an account other than the Local System user, that theuser is a member of the local Administrators group and has theappropriate Local Security Policy or Domain Policy rights assigned to it bya Group Policy object

•

Architecture changes

If you downgrade the architecture that your Splunk instance runs on (forexample, 64-bit to 32-bit), you might experience degraded search performanceon the new server due to the larger files that the 64-bit operating system andSplunk instance created.

Distributed and clustered Splunk environments

When you want to migrate data on a distributed Splunk instance (that is, anindexer that is part of a group of servers that a search head has been configuredto search for events, or a search head that's been configured to search indexersfor data), the you should remove the instance from the distributed environmentbefore attempting to migrate it.

Bucket IDs and potential bucket collision

If you migrate a Splunk instance to another Splunk instance that already hasexisting indexes with identical names, you must make sure that the individualbuckets within those indexes have bucket IDs which do not collide. Splunk willnot start if it encounters indexes with buckets that have colliding bucket IDs.When copying index data, you might need to rename the copied bucket files inorder to prevent this condition.

How to migrate

To migrate your system from one version of Splunk to another, follow theseinstructions:

1. Stop Splunk on the server from which you want to migrate.

2. Copy the entire contents of the $SPLUNK_HOME directory from the old serverto the new server.

Important: Be sure to note any considerations above which might apply to youwhen copying the files.

3. Install the appropriate version of Splunk for the target platform.

115

Note:

On *nix systems, you can extract the tar file you downloaded directly overthe copied files on the new system, or use your package manager toupgrade using the downloaded package.

•

On Windows systems, the installer updates the Splunk files automatically.•

4. Confirm that index configuration files (indexes.conf) contain the correctlocation and path specification for any non-default indexes.

5. Start Splunk on the new Splunk instance.

Note: On *nix systems, Splunk detects whether you are migrating and promptsyou on whether or not to upgrade at this time.

6. Log into Splunk. You should be able to log in with your existing credentials.

7. Once logged in, confirm that your data is intact by searching it.

How to move index buckets from one server to another

If you're retiring a Splunk server and immediately moving the data to anotherSplunk server, you can move individual buckets of an index between servers, aslong as:

The source and target systems have the same endianness.• You are not trying to restore a bucket created by a 4.2 or greater versionof Splunk to a version of Splunk less than 4.2.

•

To move a bucket from one server to another:

1. Roll any hot buckets on the source system from hot to warm.

2. On the target system, create index(es) that are identical to the ones on thesource system.

Note: Review indexes.conf on the old system to get a list of the indexes on thatsystem.

3. Copy the index buckets from the source system to the target system.

Note: When copying individual bucket files, you must make sure that no bucketIDs conflict on the new system. Otherwise, Splunk will not start. You might need

116

to rename individual bucket directories after you move them from the sourcesystem to the target system.

4. Restart Splunk.

Migrate to the new Splunk licenser

This topic discusses how to migrate your license configuration from a pre-4.2Splunk deployment to the 4.2+ licenser model.

Note: This topic does not cover upgrade of an entire Splunk deployment. Review"How to upgrade Splunk" in the Installation Manual before you upgrade yourSplunk deployment.

Before you proceed, you might want to review these topics:

Read "How Splunk licensing works" in the Admin manual for anintroduction to Splunk licensing.

•

Read "Groups, stacks, pools, and other terminology" in the Admin manualfor more information about Splunk license terms.

•

Old licenses

Migrating from an older version most likely puts you in one of these twocategories:

If you are currently running Splunk 4.0 or later, your license will work in 4.2and later.

•

If you're migrating from a version older than 4.0, you must contact yourSplunk Sales representative and arrange for a new license. Splunk alsorecommends you review the migration documentation before proceedingwith the migration. Depending on how old your version of Splunk is, youmight want to migrate in multiple steps (for example, first to 4.0, then 4.1,4.2, and finally 5.0+) to maintain your configurations.

•

Migrating search heads

If your search heads were previously using old forwarder licenses, they will beautomatically converted to be in the Download-trial group. Before you proceed,Splunk recommends adding your search heads to an established Enterpriselicense pool. Even if they have no indexing volume, this will enable Enterprise

117

features, especially alerting and authentication.

Migrate a standalone instance

If you've got a single 4.1.x Splunk indexer and it has a single license installed onit, you can just proceed as normal with your upgrade. Follow the instructions inthe Installation Manual for your platform, and be sure to read the "READ THISFIRST" documentation first.

Your existing license will work with the new licenser, and will show up as a validstack, with the indexer as a member of the default pool.

Migrate a distributed indexing deployment

If you've got multiple 4.1.x indexers, each with their own licenses, follow thesehigh-level steps in this order to migrate the deployment:

1. Designate one of your Splunk instances as the license master. If you've got asearch head, this is likely a good choice.

2. Install or upgrade the Splunk instance you have chosen to be the licensemaster, following the standard instructions in the Installation Manual.

3. Configure the license master to accept connections from the indexers asdesired.

4. Upgrade each indexer one at a time, following these steps:

Upgrade an indexer to 5.0 following the instructions in the InstallationManual. It will be operating as a stand-alone license master until youperform the following steps.

•

Make a copy of the indexer's Enterprise license file (pre-4.2 license filesare located in $SPLUNK_HOME/etc/splunk.license on each indexer) andinstall it onto the license master, adding it to the stack and pool to whichyou want to add the indexer.

•

Configure the indexer as a license slave and point it at the licensemaster.

•

On the license master, confirm that the license slave is connecting asexpected by navigating to Manager > Licensing and looking at the list ofindexers associated with the appropriate pool.

•

Once you've confirmed the license slave is connecting as expected,proceed to upgrade the next indexer, following the same steps.

•

118

Migrate forwarders

If you have deployed light forwarders, review the information in this chapterabout the universal forwarder in the Forwarding Data Manual. You can upgradeyour existing light forwarders to the universal forwarders, no licensingconfiguration is required--the universal forwarder includes its own license.

If you have deployed a heavy forwarder (a full instance of Splunk that performsindexing before forwarding to another Splunk instance), you can treat it like anindexer--add it to a license pool along with the other indexers.

119


Uninstall Splunk

This topic discusses how to remove Splunk from your system.

Before you uninstall, stop Splunk. Navigate to $SPLUNK_HOME/bin and type./splunk stop (or just splunk stop on Windows).

Uninstall Splunk with your package management utilities

Use your local package management commands to uninstall Splunk. In mostcases, files that were not originally installed by the package will be retained.These files include your configuration and index files which are under yourinstallation directory.

Note: $SPLUNK_HOME refers to the Splunk installation directory. On Windows, thisis C:\Program Files\Splunk by default. For most Unix platforms, the defaultinstallation directory is /opt/splunk; for Mac OS, it is /Applications/splunk.

RedHat Linux

To uninstall Splunk on RedHat:

rpm -e splunk_product_name

Debian Linux

To uninstall Splunk on Debian:

dpkg -r splunk

To purge (delete everything, including configuration files) on Debian:

dpkg -P splunk

120

FreeBSD

To uninstall Splunk from the default location on FreeBSD:

pkg_delete splunk

To uninstall Splunk from a different location on FreeBSD:

pkg_delete -p /usr/splunk splunk

Solaris

To uninstall Splunk on Solaris:

pkgrm splunk

HP-UX

To uninstall Splunk on HP-UX, you must stop Splunk, disable boot-start (if youconfigured it), and then delete the Splunk installation.

Note: The $SPLUNK_HOME variable refers to the directory where you installedSplunk.

1. Stop Splunk:

$SPLUNK_HOME/bin/splunk stop

2. If you enabled boot-start, run the following command as root:

$SPLUNK_HOME/bin/splunk disable boot-start

3. Delete the Splunk installation directories:

rm -rf $SPLUNK_HOME

Other things you may want to delete:

If you created any indexes and did not use the Splunk default path, youmust delete those directories as well.

•

121

If you created a user or group for running Splunk, you should also deletethem.

•

Windows

To uninstall Splunk on Windows:

Use the Add or Remove Programs option in the Control Panel. In Windows 7and Windows Server 2008, that option is available under Programs andFeatures.

You can also uninstall Splunk from the command line by using the msiexecexecutable against the Splunk installer package:

C:\> msiexec /x splunk-<version>-x64.msi

Note: Under some circumstances, the Microsoft installer might present a rebootprompt during the uninstall process. You can safely ignore this request withoutrebooting.

Uninstall Splunk manually

If you can't use package management commands, use these instructions touninstall Splunk.

Note: These instructions will not remove any init scripts that have beencreated.

1. Stop Splunk.

$SPLUNK_HOME/bin/splunk stop

2. Find and kill any lingering processes that contain "splunk" in its name.

For Linux and Solaris:

kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`

For FreeBSD and Mac OS

122

kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`

3. Remove the Splunk installation directory, $SPLUNK_HOME. For example:

rm -rf /opt/splunk

Note: For Mac OS, you can also remove the installation directory by dragging thefolder into the trash.

3. Remove any Splunk datastore or indexes outside the top-level directory, if theyexist.

rm -rf /opt/splunkdata

4. Delete the splunk user and group, if they exist.

For Linux, Solaris, and FreeBSD:

userdel splunkgroupdel splunk

For Mac OS: You can use the System Preferences > Accounts panel tomanage users and groups.

For Windows: Open a command prompt and run the command msiexec /xagainst the msi package that you installed.

123

Reference

PGP Public Key

Following is the Pretty Good Privacy (PGP) public key for Splunk.

-----BEGIN PGP PUBLIC KEY BLOCK-----Version: GnuPG v1.4.1 (GNU/Linux)

mQGiBEbE21QRBADEMonUxCV2kQ2oxsJTjYXrYCWCtH5/OnmhK5lT2TQaE9QUTs+wnM3sVInQqwRwBDH2qsHgqjJS0PIE867n+lVuk0gSVzS5SOlYzQjnSrisvyN452MF2PgetHq8Lb884cPJnxR6xoFTHqOQueKEOXCovz1eVrjrjfpnmWKa/+5X8wCg/CJ7pT7OXHFN4XOseVQabetEbWcEAIUaazF2i2x9QDJ+6twTAlX2oqAquqtBzJX5qaHnOyRdBEU2g4ndiE3QAKybuq5f0UM7GXqdllihVUBatqafySfjlTBaMVzd4ttrDRpqWya4ppPMIWcnFG2CXf4+HuyTPgj2cry2oMBm2LMfGhxcqM5mpoyHqUiCn7591Ra/J2/FA/0c2UAUh/eSiOn89I6FhFOicT5RPtRpxMoEM1Di15zJ7EXY+xBVF9rutqhR5OI9kdHibYTwf4qjOOPOA7237N1by9GiXY/8s+rDWmSNKZB+xAaLyl7cDhYMv7CPqFTutvE8BxTsF0MgRuzIHfJQE2quuxKJFs9lkSFGuZhvRuwRcrQgS2ltIFdhbGxhY2UgPHJlbGVhc2VAc3BsdW5rLmNvbT6IXgQTEQIAHgUCRsTbVAIbAwYLCQgHAwIDFQIDAxYCAQIeAQIXgAAKCRApYLH9ZT+xEhsPAKDimP8sdCr2ecPm8mre/8TK3BhapQCg3/xEickiRKKlpKnySUNLR/ZBh3m5Ag0ERsTbbRAIAIdfWiOBeCj8BqrcTXxm6MMvdEkjdJCr4xmwaQpYmS4JKK/hJFfpyS8XUgHjBz/7zfR8Ipr2CU59Fy4vb5oUHeOecK9ag5JFdG2i/VWH/vEJAMCkbN/6aWwhHt992PUZC7EHQ5ufRdxGGap8SPZTiIKY0OrX6Km6usoVWMTYKNm/v7my8dJ2F46YJ7wIBF7arG/voMOg1Cbn7pCwCAtgjOhgjdPXRJUEzZP3AfLIc3t5iq5n5FYLGAOpT7OIroM5AkgbVLfj+cjKaGD5UZW7SO0akWhTbVHSCDJoZAGJrvJs5DHcEnCjVy9AJxTNMs9GOwWaixfyQ7jgMNWKHJp+EyMAAwYH/RLNK0HHVSByPWnS2t5sXedIGAgm0fTHhVUCWQxN3knDIRMdkqDTnDKdqcqYFsEljazI2kx1ZlWdUGmvU+Zb8FCH90ej8O6jdFLKJaq50/I/oY0+/+DRBZJG3oKu/CK2NH2VnK1KLzAYnd2wZQAEja4O1CBV0hgutVf/ZxzDUAr/XqPHy5+EYg964Xz0PdZiZKOhJ5g4QjhhOL3jQwcBuyFbJADw8+Tsk8RJqZvHfuwPouVU+8F2vLJKiF2HbKOUJvdH5GfFuk6o5V8nnir7xSrVj4abfP4xA6RVum3HtWoD7t//75gLcW77kXDR8pmmnddm5VXnAuk+GTPGACj98+eISQQYEQIACQUCRsTbbQIbDAAKCRApYLH9ZT+xEiVuAJ9INUCilkgXSNu9p27zxTZh1kL04QCg6YfWldq/MWPCwa1PgiHrVJngp4s==Mz6T-----END PGP PUBLIC KEY BLOCK-----

Installing the key

Copy and paste the key into a file. Install the key using:

rpm --import <filename>

124

400 bad request 400 bad request nginx/1.2.9

Documents

splunk installation

splunk deployment

splunk apps

splunk architecture

install splunk enterprise

windows user splunk

insta splunk enterprise

windows installation