Splunk 6.2.2 Installation

8/9/2019 Splunk 6.2.2 Installation

http://slidepdf.com/reader/full/splunk-622-installation 1/116



Table of Contents

Welcome to the Splunk Enterprise Installation Manual...................................1

What's in this manual.......................... ......................................................1 What happened to parts of this manual?..................................................1

Plan your Splunk Enterprise installation...........................................................3 Installation overview..................................................................................3System requirements.................................................................................4 Splunk Enterprise architecture and processes........................................12 Information on Windows third-party binaries distributed with Splunk

Enterprise.................................................................................................15 Installation instructions............................................. ...............................17

Secure your Splunk Enterprise installation....................................................19 About securing Splunk Enterprise...........................................................19 Secure your system before you install Splunk Enterprise.......................19 Install Splunk Enterprise securely...........................................................19 More ways to secure Splunk Enterprise..................................................20

Install Splunk Enterprise on Windows.............................................................22Choose the Windows user Splunk Enterprise should run as...................22 Prepare your Windows network for an installation as a network or

domain user.............................................................................................26

Install on Windows..................................................................................37 Install on Windows via the command line...............................................44Correct the user selected during Windows installation............................51

Install Splunk Enterprise on Unix, Linux or Mac OS X...................................53 Install on Linux........................................................................................53 Install on Solaris...................................................................................... 57 Install on Mac OS X................................................................................61 Install on FreeBSD..................................................................................65 Install on AIX...........................................................................................69 Install on HP-UX......................................................................................72

Run Splunk Enterprise as a different or non-root user............................74

Start using Splunk Enterprise..........................................................................77 Start Splunk for the first time...................................................................77What happens next?................................................................................80 Learn about accessibility to Splunk Enterprise.......................................81

i



Table of Contents

Install a Splunk Enterprise license...................................................................83

About Splunk Enterprise licenses...........................................................83 Install a license........................................................................................83

Upgrade or migrate Splunk Enterprise............................................................86 How to upgrade Splunk Enterprise.........................................................86 About upgrading to 6.2 - READ THIS FIRST..........................................88 How Splunk Web procedures have changed from version 5 to

version 6...................................................................................................92 Changes for Splunk App developers.......................................................95 Upgrade to 6.2 on UNIX..........................................................................95 Upgrade to 6.2 on Windows....................................................................98 Migrate a Splunk Enterprise instance...................................................100 Migrate to the new Splunk Enterprise licenser......................................105

Uninstall Splunk Enterprise............................................................................108 Uninstall Splunk Enterprise...................................................................108

Reference..........................................................................................................112 PGP Public Key.....................................................................................112

ii



Welcome to the Splunk Enterprise

Installation Manual

What's in this manual

In the Installation Manu al , you can find:

System requirements•

Licensing information•

Procedures for installing•

Procedures for upgrading from a previous version•

...and more.

Note The Installation Manual details installing full Splunk Enterprise only. Toinstall the Splunk universal forwarder, see "Universal forwarder deploymentoverview" in the Forwarding Data Manual . Unlike Splunk heavy and lightforwarders, which are full Splunk Enterprise instances with some featureschanged or disabled, the universal forwarder is a separate executable with itsown set of installation procedures. For an introduction to forwarders, see "Aboutforwarding and receiving."

Find what you need

You can use the table of contents to the left of this panel, or search for what youwant in the search box in the upper right.

If you're interested in more specific scenarios and best practices, go to theSplunk Community Wiki to see how other users Splunk IT.

What happened to parts of this manual?

To better align our documentation and make it more accessible to our customers,we moved information not associated with installing Splunk Enterprise from thismanual to other manuals.

Most of the material has moved to the new Capacity Planning manual, whichtakes content from both this and the Distributed Deployment manual and puts it

1



all in one place.

2



Plan your Splunk Enterprise installation

Installation overview

This topic discusses the steps required to install Splunk Enterprise on acomputer. Read this topic and the contents of this chapter before you installSplunk Enterprise.

Installation basics

1. Review the system requirements for installation. Additional requirements mightapply based on the operating system on which you install Splunk Enterprise andhow you plan to use Splunk Enterprise.

2. See "Components of a Splunk Enterprise deployment" to learn about theSplunk Enterprise ecosystem, and "Splunk architecture and processes" to learnwhat the installer puts on your computer.

3. See "Secure your Splunk Enterprise installation" and, where appropriate,secure the machine on which you plan to install Splunk Enterprise.

4. Download the installation package for your system from the Splunk Enterprisedownload page.

5. Perform the installation by using the step-by-step installation instructions foryour operating system.

6. If this is the first time you have installed Splunk Enterprise, see the Search Tutorial to learn how to index data into Splunk and search that data using theSplunk Enterprise search language.

7. After you install Splunk Enterprise, calculate how much space you need toindex your data. See "Estimate your storage requirements" for more information.

8. To run Splunk Enterprise in a production environment and to understand howmuch hardware such an environment requires, see the Capacity Planning manual.

3



Upgrading or migrating a Splunk Enterprise instance?

To upgrade from an earlier version of Splunk Enterprise, see "How to upgradeSplunk Enterprise" in this manual for information and specific instructions. Fortips on migrating from one version to another, see the "READ THIS FIRST" topic

for the version that you want to upgrade to. This topic is in "Upgrade or MigrateSplunk Enterprise" in this manual.

If you want to know how to move a Splunk Enterprise instance from one systemto another, see "Migrate a Splunk instance" in this manual.

System requirements

Before you download and install Splunk Enterprise, read this topic to learn about

which computing environments Splunk supports. Refer to the download page forthe latest version to download. See the release notes for details on known andresolved issues.

For a discussion of hardware planning for deployment, see the new CapacityPlanning manual.

If you have ideas or requests for new features to add to future releases, contactSplunk Support. You can also review our product road map.

Supported server hardware architecturesSplunk offers support for 32 and 64-bit architectures on some platforms. See thedownload page for details.

Supported Operating Systems

Review the following tables when you research the system requirements. SplunkEnterprise availability has changed from previous versions.

The tables list the computing platforms for which Splunk Enterprise is available.

The first table lists availability for *nix operating systems, and the second tablelists availability for Windows operating systems.

Determine whether Splunk Enterprise is available for your platform.

4



1. Find the operating system on which you want to install Splunk Enterprise in theleft column.

2. Read across the columns to find the computing architecture in the centercolumn that matches your environment.

The tables show availability for two types of Splunk software, as shown in the twocolumns on the right: Splunk Enterprise/Trial and Splunk Universal Forwarder. A'?' in the box that intersects your computing platform and the Splunk softwaretype means that Splunk software is available for that platform. An empty boxmeans that Splunk is not available for that platform. If you do not see yourplatform or architecture listed, Splunk is not available for that platform andarchitecture.

Some boxes have other characters. See the bottom of each table to find out whatthe additional characters represent.

Unix operating systems

Operatingsystem

Architecture Enterprise Free TrialUniversalForwarder

Solaris 10 and11*

x86 (64-bit) ? ? ? ?

SPARC ? ? ? ?

x86 (32-bit) * * * *

Linux, 2.6+ x86 (64-bit) ? ? ? ?x86 (32-bit) ? ? ? ?

Linux, 3.0+x86 (64-bit) ? ? ? ?

x86 (32-bit) ? ? ? ?

PowerLinux,2.6+

PowerPC ?

zLinux, 2.6+ s390x ?

FreeBSD 7** x86 (32-bit) ?

FreeBSD 8 x86 (64-bit) ? ? ? ?x86 (32-bit) ?

FreeBSD 9 x86 (64-bit) ? ? ? ?

Mac OS X 10.8,10.9, and 10.10

Intel ? ? ?

5



AIX 6.1 and 7.1 PowerPC ? ? ? ?

HP/UX? 11i v2and 11i v3

Itanium ?

* Splunk Enterprise is available and supported on Solaris 10. Solaris 11 does not

support 32-bit Splunk Enterprise installs.** Read the notes on FreeBSD 7 compatibility below.? You must use gnu tar to unpack the HP/UX installation archive.

Windows operating systems

The table lists the Windows computing platforms that Splunk Enterprise isavailable for.

Operatingsystem

Architecture Enterprise Free TrialUniversalForwarder

Windows Server2003 and Server2003 R2

x86 (64-bit) ?

x86 (32-bit) ?

Windows Server2008

x86 (64-bit) ? ? ? ?

x86 (32-bit) *** *** *** ?

Windows Server2008 R2, Server2012, andServer 2012 R2

x86 (64-bit) ? ? ? ?

Windows 7x86 (64-bit) ? ? ?

x86 (32-bit) *** *** ?

Windows 8x86 (64-bit) ? ? ?

x86 (32-bit) *** *** ?

Windows 8.1x86 (64-bit) ? ? ?

x86 (32-bit) *** *** ?

*** This version of Splunk Enterprise is supported but is not recommended onthis platform and architecture.

Operating system notes and additional information

6



Windows

Certain parts of Splunk Enterprise on Windows require elevated userpermissions to function properly. For information about what is required, see thefollowing topics:

"Splunk architecture and processes" in this manual.•

"Choose the user Splunk should run as" in this manual.•

"Considerations for deciding how to monitor remote Windows data" in theGetting Data In manual.

•

FreeBSD 7.x

To run Splunk 6.x on 32-bit FreeBSD 7.x, install the compat6x libraries. SplunkSupport supplies best effort support for users running on FreeBSD 7.x. See"Install Splunk on FreeBSD 7" in the Community Wiki.

Deprecated operating systems and features

As we version the Splunk product, we gradually deprecate support of olderoperating systems. See "Deprecated features" in the Release Notes forinformation on which platforms and features have been deprecated or removedentirely.

Creating and editing configuration files on non-UTF-8 OSes

Splunk Enterprise expects configuration files to be in ASCII or UniversalCharacter Set Transformation Format-8-bit (UTF-8) format. If you edit or create aconfiguration file on an OS that does not use UTF-8 character set encoding, thenensure that the editor you are using is configured to save in ASCII/UTF-8.

IPv6 platform support

All Splunk-supported OS platforms are supported for use with IPv6 configurationsexcept for the following:

AIX•

HP/UX on PA-RISC architecture•

Solaris 9•

See "Configure Splunk for IPv6" in the Admin Manual for details on Splunk IPv6support.

7



Supported browsers

Splunk Enterprise supports the following browsers:

Firefox ESR (24.2) and latest•

Internet Explorer 9, 10, and 11•

Safari (latest)•

Chrome (latest)•

Make sure that you have the latest version of Adobe Flash installed to render anycharts that use options not supported by the JSChart module. For information,see "About JSChart" in Developing Views and Apps for Splunk Web .

Note Do not use Internet Explorer in compatibility mode when you access SplunkWeb. Splunk Web warns you that your browser is not supported. If you must useIE in compatibility mode for other applications, you must use a supportedbrowser for Splunk Web. Internet Explorer version 9 does not support fileuploads. Use IE version 10 or later.

Recommended hardware

If you are performing a comprehensive evaluation of Splunk Enterprise forproduction deployment, use hardware typical of your production environment.This hardware should meet or exceed the recommended hardware capacityspecifications below.

For a discussion of hardware planning for production deployment, see"Introduction to capacity planning for Splunk Enterprise" in the Capacity Planning manual.

Splunk Enterprise and virtual machines

If you run Splunk Enterprise in a virtual machine (VM) on any platform,performance degrades. This is because virtualization works by abstracting thehardware on a system into resource pools from which VMs defined on thesystem draw as needed. Splunk Enterprise needs sustained access to a numberof resources, particularly disk I/O, for indexing operations. Running Splunk in aVM or alongside other VMs can cause reduced indexing and searchperformance.

8



Recommended and minimum hardware capacity

PlatformRecommended hardware

capacity/configuration

Minimumsupportedhardware

capacity

Non-Windowsplatforms

2x six-core, 2+ GHz CPU, 12GB RAM,Redundant Array of Independent Disks(RAID) 0 or 1+0, with a 64 bit OS installed.

1x1.4GHz CPU,1GB RAM

Windowsplatforms

2x six-core, 2+ GHz CPU, 12GB RAM,RAID 0 or 1+0, with a 64-bit OS installed.

Intel Nehalem CPUor equivalent at2GHz, 2GB RAM

RAID 0 configurations do not provide fault-tolerance. Be certain that a RAID 0configuration meets your data reliability needs before deploying a Splunk indexer

on a system configured with RAID 0.

All configurations other than universal and light forwarder instancesrequire at least the recommended hardware configuration.

•

The minimum supported hardware guidelines are designed for personaluse of Splunk. The requirements for Splunk in a production environmentare significantly higher.

•

Important: For all installations, including forwarders, you must have a minimumof 5GB of hard disk space available in addition to the space required for anyindexes. See "Estimate your storage requirements" in the Capacity Planning

Manual for more information.

Hardware requirements for universal and light forwarders

Recommended Dual-core 1.5GHz+ processor, 1GB+ RAM

Minimum 1.0Ghz processor, 512MB RAM

Supported file systems

Platform File systems

Linux ext2/3/4, reiser3, XFS, NFS 3/4Solaris UFS, ZFS, VXFS, NFS 3/4

FreeBSD FFS, UFS, NFS 3/4, ZFS

Mac OS X HFS, NFS 3/4

9



AIX JFS, JFS2, NFS 3/4

HP-UX VXFS, NFS 3/4

Windows NTFS, FAT32

Note: If you run Splunk Enterprise on a file system that is not listed, Splunk

Enterprise might run a startup utility named locktest to test the viability of a filesystem for running Splunk Enterprise. Locktest is a program that tests the startup process. If locktest runs and fails, then the file system is not suitable forrunning Splunk Enterprise.

Considerations regarding file descriptor limits (FDs) on *nix systems

Splunk Enterprise allocates file descriptors on *nix systems for actively monitoredfiles, forwarder connections, deployment clients, users running searches, and soon.

Usually, the default file descriptor limit (controlled by the ulimit -n command ona *nix-based OS) is 1024. Your Splunk administrator determines the correctlevel, but it should be at least 8192. Even if Splunk Enterprise allocates a singlefile descriptor for each of the activities, it is easy to see how a few hundred filesbeing monitored, a few hundred forwarders sending data, and a handful of veryactive users on top of reading and writing to and from the datastore can exhaustthe default setting.

The more tasks your Splunk Enterprise instance is doing, the more FDs it needs.You should increase the ulimit value if you start to see your instance run into

problems with low FD limits.

See about ulimit in the Troubleshooting Manual.

This consideration is not applicable to Windows-based systems.

Considerations regarding Network File System (NFS)

When you use Network File System (NFS) as a storage medium for Splunkindexing, consider all of the ramifications of file level storage.

Use block level storage rather than file level storage for indexing your data.

In environments with reliable, high-bandwidth low-latency links, or with vendorsthat provide high-availability, clustered network storage, NFS can be anappropriate choice. However, customers who choose this strategy should workwith their hardware vendor to confirm that the storage platform they choose

10



performs to the specification in terms of both performance and data integrity.

If you use NFS, be aware of the following issues:

Splunk Enterprise does not support "soft" NFS mounts. These are mounts

that cause a program attempting a file operation on the mount to report anerror and continue in case of a failure.

•

Only "hard" NFS mounts (mounts where the client continues to attempt tocontact the server in case of a failure) are reliable with Splunk Enterprise.

•

Do not disable attribute caching. If you have other applications that requiredisabling or reducing attribute caching, then you must provide SplunkEnterprise with a separate mount with attribute caching enabled.

•

Do not use NFS mounts over a wide area network (WAN). Doing socauses performance issues and can lead to data loss.

•

Considerations regarding solid state drives

Solid state drives (SSDs) deliver significant performance gains over conventionalhard drives for Splunk in "rare" searches - searches that request small sets ofresults over large swaths of data - when used in combination with bloom filters.They also deliver performance gains with concurrent searches overall.

Considerations regarding Common Internet File System (CIFS)/Server Message Block (SMB)

Splunk Enterprise supports the use of the CIFS/SMB protocol for the following

purposes, on shares hosted by Windows machines only:

Search head clustering.•

Storage of cold or frozen Index buckets.•

When you use a CIFS resource for storage, make sure that you configure theresource for write permissions for the user that connects to the resource at boththe file and share levels. If you use a third-party storage device, ensure that itsimplementation of CIFS is compatible with the implementation that your SplunkEnterprise instance runs as a client.

Do not attempt to index data to a mapped network drive on Windows (forexample "Y:\" mapped to an external share.) Splunk Enterprise disables anyindex it encounters with a non-physical drive letter.

11



Considerations regarding environments that use the transparent huge pages memory management scheme

If you run a Unix environment that makes use of transparent huge memorypages, see "Transparent huge memory pages and Splunk performance" before

you attempt to install Splunk Enterprise.

No such scheme exists on Windows operating systems.

Splunk Enterprise architecture and processes

This topic discusses the internal architecture and processes of Splunk Enterpriseat a high level. If you're looking for information about third-party componentsused in Splunk Enterprise, see the credits section in the Release notes.

Splunk Enterprise Processes

A Splunk Enterprise server installs a process on your host, splunkd.

splunkd is a distributed C/C++ server that accesses, processes and indexesstreaming IT data. It also handles search requests. splunkd processes andindexes your data by streaming it through a series of pipelines, each made up ofa series of processors.

Pipelines are single threads inside the splunkd process, each configuredwith a single snippet of XML.

•

Processors are individual, reusable C or C++ functions that act on thestream of IT data passing through a pipeline. Pipelines can pass data toone another through queues. splunkd supports a command-line interfacefor searching and viewing results.

•

New for version 6.2, splunkd also provides the Splunk Web user interface.It allows users to search and navigate data stored by Splunk servers andto manage your Splunk deployment through a Web interface. Itcommunicates with your Web browser through REpresentational StateTransfer (REST).

•

splunkd runs a Web server on port 8089 with SSL/HTTPS turned on bydefault.•

It also runs a Web server on port 8000 with SSL/HTTPS turned off bydefault.

•

12



splunkweb installs as a legacy-only service on Windows only. Prior to version 6.2,it provided the Web interface for Splunk Enterprise. Now, it installs and runs, butquits immediately. You can configure it to run in "legacy mode" by changing aconfiguration parameter.

On Windows systems, splunkweb.exe is a third-party, open-source executablethat Splunk Enterprise renames from pythonservice.exe. Because it is arenamed file, it does not contain the same file version information as otherSplunk Enterprisefor Windows binaries.

Read information on other Windows third-party binaries distributed with SplunkEnterprise.

Splunk Enterprise and Windows in Safe Mode

Neither the splunkd, the splunkweb, nor the SplunkForwarder services starts if

Windows is in Safe Mode. If you attempt to start Splunk Enterprise from the StartMenu while in Safe Mode, Splunk Enterprise does not alert you to the fact that itsservices are not running.

Additional processes for Splunk Enterprise on Windows

On Windows instances of Splunk Enterprise, in addition to the two servicesdescribed, Splunk Enterprise uses additional processes when you create specificdata inputs on a Splunk Enterprise instance. These inputs run when configuredby certain types of Windows-specific data input.

splunk.exe

splunk.exe is the control application for the Windows version of SplunkEnterprise. It provides the command-line interface (CLI) for the program. It letsyou start, stop, and configure Splunk Enterprise, similar to the *nix splunk

program.

Important: splunk.exe requires an elevated context to run because of how itcontrols the splunkd and splunkweb processes. Splunk Enterprise might notfunction correctly if this executable is not given the appropriate permissions on

your Windows system. This is not an issue if you install Splunk Enterprise as theLocal System user.

13



splunk-admon

splunk-admon.exe is spawned by splunkd whenever you configure an ActiveDirectory (AD) monitoring input. splunk-admon attachs to the nearest availableAD domain controller and gathers change events generated by AD. Splunk

Enterprise stores these events in an index.

splunk-perfmon

splunk-perfmon.exe runs when you configure Splunk to monitor performancedata on the local machine. This service attaches to the Performance Data Helperlibraries, which query the performance libraries on the system and extractperformance metrics both instantaneously and over time.

splunk-netmon

splunk-netmon runs when you configure Splunk to monitor Windows networkinformation on the local machine.

splunk-regmon

splunk-regmon.exe runs when you configure a Registry monitoring input inSplunk. This input initially writes a baseline for the Registry as it currently exists(if desired), then monitors changes to the Registry over time. Those changescome back into Splunk as searchable events.

splunk-winevtlog

You can use this utility to test defined event log collections, and it outputs eventsas they are collected for investigation. Splunk has a Windows event log inputprocessor built into the engine.

splunk-winhostmon

splunk-winhostmon runs when you configure a Windows host monitoring input inSplunk. This input gets detailed information about Windows hosts.

splunk-winprintmon

splunk-winprintmon runs when you configure a Windows print monitoring inputin Splunk. This input gets detailed information about Windows printers and print

jobs on the local system.

14



splunk-wmi

When you configure a performance monitoring, event log or other input against aremote computer, this program starts up. Depending on how you configure theinput, either it attempts to attach to and read Windows event logs as they come

over the wire, or it executes a Windows Query Language (WQL) query againstthe Windows Management Instrumentation (WMI) provider on the specifiedremote machine(s). Splunk then stores the events.

Architecture diagram

Information on Windows third-party binariesdistributed with Splunk Enterprise

This topic provides additional information on the third-party Windows binariesthat the Splunk Enterprise and the Splunk universal forwarder packages include.

For more information about Splunk's universal forwarder, read "Deploy theuniversal forwarder" in the Forwarding Data Manual.

Third-party Windows binaries included with Splunk Enterprise

The following third-party Windows binaries ship with Splunk Enterprise. Exceptwhere indicated, only the Splunk Enterprise product includes these binaries.

These binaries provide functionality to Splunk Enterprise as shown in theirindividual descriptions. None of them contains file version information orauthenticode signatures (certificates that prove the binary file's authenticity).Additionally, Splunk Enterprise does not provide support for debug symbolsrelated to third-party modules.

15



to define transformation for XML. Libxslt is based on libxml2 the XML C librarydeveloped for the GNOME project. It also implements most of the EXSLT set ofprocessor-portable extensions functions and some of Saxon's evaluate andexpressions extensions.

Both Splunk Enterprise and the Splunk universal forwarder include this binary.

Minigzip.exe

Minigzip.exe is the minimal implementation of the ?gzip? compression tool.

Openssl.exe

The OpenSSL Project is a collaborative effort to develop a robust,commercial-grade, full-featured, and open source toolkit implementing theSecure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)

protocols as well as a full-strength general purpose cryptography library.

Both Splunk Enterprise and the Splunk universal forwarder include this binary.

Python.exe

Python.exe is the Python programming language binary for Windows.

Pythoncom.dll

Pythoncom.dll is a module that encapsulates the Object Linking and Embedding(OLE) automation API for Python.

Pywintypes27.dll

Pywintypes27.dll is a module that encapsulates Windows types for Pythonversion 2.7.

Installation instructions

You can get detailed installation procedures for your operating system:

Windows•

Windows (from the command line)•

Linux•

Solaris•

17



Mac OS X•

FreeBSD•

AIX•

HP-UX•

18



Secure your Splunk Enterprise installation

About securing Splunk Enterprise

When you set up and begin using your Splunk Enterprise installation or upgrade,perform some additional steps to ensure that Splunk Enterprise and your dataare secure. Taking the proper steps to secure Splunk Enterprise reduces itsattack surface and mitigates the risk and impact of most vulnerabilities.

This section highlights some of the ways that you can secure Splunk Enterprisebefore, during, and after installation. The Securing Splunk Enterprise manualprovides more information about the ways you can secure Splunk Enterprise.

Secure your system before you install SplunkEnterprise

Before you install Splunk Enterprise, be sure that your operating system issecure. Make sure that you harden all Splunk Enterprise server operatingsystems.

If your organization does not have internal hardening standards, use theCIS hardening benchmarks.

•

As a minimum, limit shell/command line access to your Splunk Enterpriseservers.•

Secure physical access to all Splunk Enterprise servers.•

Ensure that Splunk Enterprise end users practice sound physical andendpoint security.

•

Install Splunk Enterprise securely

Verify integrity and signatures for your Splunk Installation when you download

and install Splunk Enterprise.

Verify Integrity

Verify your Splunk Enterprise download using hash functions such as MessageDigest 5 (MD5) and SHA-512 to compare the hashes. Use a trusted version of

19



OpenSSL. For example:./openssl dgst -md5 <filename-splunk-downloaded.zip>

or./openssl dgst -sha512 <filename-splunk-downloaded.zip>

Verify Signatures

Verify the authenticity of the downloaded RPM package by using the SplunkGnuPG Public key.

1. Download the GnuPG Public key file. (This link is over TLS.)

2. Install the key by using:

rpm --import <filename>

3. Verify the package signature by using:

rpm -K <filename>

More ways to secure Splunk Enterprise

After you install Splunk Enterprise, you have more options to secure yourconfiguration.

Configure user authentication and role-based access control

Set up users and use roles to control access. Splunk Enterprise lets youconfigure users in several ways.

The built-in authentication system. See "Set up user authentication withSplunk Enterprise native authentication."

•

LDAP. See "Set up user authentication with LDAP."•

A scripted authentication API for use with an external authenticationsystem, such as Pluggable Authentication Modules (PAM) or RemoteAccess Dial-In User Server (RADIUS). See "Set up user authenticationwith external systems."

•

20



After you configure users, you can assign roles that determine and controlcapabilities and access levels. See "About role-based user access."

Use SSL certificates to configure encryption andauthentication

Splunk Enterprise comes with a set of default certificates and keys that, whenenabled, provide encryption and data compression. You can also use your owncertificates and keys to secure communications between your browser andSplunk Web as well as data sent from forwarders to a receiver, such as anindexer.

See "About securing Splunk with SSL" in this manual.

Audit Splunk Enterprise

Splunk Enterprise includes audit features to allow you to track the reliability ofyour data. Explore some of the ways that you can audit Splunk Enterprise.

Monitor Files and Directories•

Audit Splunk activity•

Harden your Splunk Enterprise installation

Take the following steps to harden your Splunk Enterprise installation.

Deploy secure passwords across multiple servers•

Use Splunk Access Control Lists•

Secure your service accounts•

Disable unnecessary Splunk components•

Secure Splunk on your network•

21



Install Splunk Enterprise on Windows

Choose the Windows user Splunk Enterprise

should run as

This topic discusses how to choose which Windows user Splunk Enterpriseshould run as when you install Splunk Enterprise on Windows.

When you run the Windows Splunk Enterprise installer, it presents you with theoption to select the user that Splunk Enterprise should run as. Read this topicbefore you install to understand the ramifications of choosing the user type.

The user you choose depends on what you want Splunk

Enterprise to monitor

The user Splunk Enterprise runs as determines what it can monitor. The LocalSystem user has access to all data on the local machine, but nothing else. A userother than Local System has access to whatever data you want it to, but give theuser that access before you install Splunk Enterprise.

If you know that the computer on which you are installing Splunk Enterprise willnot access remote Windows data, then see "Install on Windows" in this manual.To install using the command prompt, see "Install on Windows via the command

line."

If you might need to access remote Windows data, then continue with this topicto learn about the user you should install Splunk Enterprise as.

About the "Local System user" and "other user" choices

The Windows Splunk Enterprise installer provides two ways to install it: as theLocal System user or as another existing user on your Windows computer ornetwork, which you designate.

To do any of the following actions with Splunk Enterprise, you must install it as adomain user:

Read Event Logs remotely•

Collect performance counters remotely•

Read network shares for log files•

22



Enumerate the Active Directory schema using Active Directory monitoring•

This is not an all-inclusive list.

The user that you specify must meet the following requirements:

Be a member of the Active Directory domain or forest that you want tomonitor (when using AD).

•

Be a member of the local Administrators group on the server on which youinstall Splunk Enterprise.

•

Have specific user security rights assigned to it before you install SplunkEnterprise. See "Minimum permissions requirements" later in this topic forspecific information.

•

Caution If the user does not satisfy these minimum requirements, SplunkEnterprise installation might fail. Even if installation succeeds, Splunk Enterprise

might not run correctly, or at all.

The user also has unique password constraints. See "Splunk user accounts andpassword concerns" later in this topic for specifics.

If you are not sure which user Splunk Enterprise should run as, then see"Considerations for deciding how to monitor remote Windows data" in the Getting Data In manual for information on how to configure the Splunk Enterprise userwith the access it needs.

User accounts and password concerns

An issue that arises when you install Splunk Enterprise with a user account isthat any active password enforcement security policy controls the password'svalidity. If your Windows server or network enforces password changes, considerthe following issues:

Before the password expires, change it, reconfigure Splunk Enterpriseservices on every machine to use the changed password, and then restartSplunk Enterprise.

•

Configure the account so that its password never expires.•

Use a managed service account. See "Use managed service accounts onWindows Server 2008, Server 2012, and Windows 7" in this topic.

•

23



Use managed service accounts on Windows Server 2008, Windows Server 2012, Windows 7, and Windows 8.x

If you run Windows Server 2008, Windows Server 2008 R2, Windows Server2012, Windows Server 2012 R2, Windows 7, or Windows 8.x in Active Directory,

and your AD domain has at least one Windows Server 2008 R2 or Server 2012domain controller, you can install Splunk Enterprise to run as a managed serviceaccount (MSA).

The benefits of using an MSA are:

Increased security from the isolation of accounts for services.•

Administrators no longer need to manage the credentials or administer theaccounts. Passwords automatically change after they expire. You do nothave to manually set passwords or restart services associated with theseaccounts.

•

Administrators can delegate the administration of these accounts tonon-administrators.

•

Some important things to understand before you install Splunk Enterprise with anMSA are:

The MSA requires the same permissions as a domain account on themachine that runs Splunk Enterprise.

•

The MSA must be a local administrator on the machine that runs SplunkEnterprise.

•

You cannot use the same account on different computers, as you wouldwith a domain account.•

You must correctly configure and install the MSA on the machine that runsSplunk Enterprise before you install Splunk Enterprise on the machine.See "Service Accounts Step-by-Step Guide"(http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx)on MS Technet.

•

To install Splunk Enterprise using an MSA, see "Prepare your Windows networkfor a Splunk Enterprise installation as a network or domain user" in this manual.

Security and remote access considerations

Minimum permissions requirements

If you install Splunk Enterprise as a domain user, then a minimum number ofpermissions are required on the server that runs the software.

24



The following is a list of the minimum user rights and permissions that thesplunkd and splunkforwarder services require when you install SplunkEnterprise using a domain user. Depending on the sources of data you want tomonitor, the Splunk Enterprise user might need additional permissions.

Required basic permissions for the splunkd or splunkforwarder services

Full control over the Splunk Enterprise installation directory.•

Read access to any flat files that you want to index.•

Required Local/Domain Security Policy user rights assignments for the splunkd orsplunkforwarder services

Permission to log on as a service.•

Permission to log on as a batch job.•

Permission to replace a process-level token.•

Permission to act as part of the operating system.•

Permission to bypass traverse checking.•

Caution If you do not assign these permissions to the Splunk Enterprise userbefore installation you might have a failed Splunk Enterprise installation, or aninstallation that does not function correctly, or at all.

Note Splunk Enterprise does not require these permissions when it runs as theLocal System account.

How to assign these permissions

This section contains concepts about how to assign the appropriate user rightsand permissions to the Splunk Enterprise service account before you install. Forinstructions, see "Prepare your Windows network for a Splunk Enterpriseinstallation as a network or domain user" in this manual.

Use Group Poli cy to assign rights to multiple machines

To assign the policy settings to a number of workstations and servers in your ADdomain or forest, you can define a Group Policy object (GPO) with these specific

rights, and deploy that GPO across the domain. See "Prepare your Windowsnetwork for a Splunk Enterprise installation as a network or domain user" in thismanual.

After you create and enable the GPO, the workstations and servers in yourdomain pick up the changes either during the next scheduled AD replication

25



cycle (usually every 1.5 to 2 hours) or at the next boot time. Alternatively, youcan force AD replication by using the GPUPDATE command-line utility on the serveron which you want to update Group Policy.

When you set user rights, rights assigned by a GPO override identical Local

Security Policy rights on a machine. You cannot change this setting. To retainexisting rights that are defined through Local Security Policy on a machine, youmust also assign these rights within the GPO.

Troubleshoot permissions issues

The rights described are the rights that the splunkd and splunkforwarder

services require. Other rights might be needed, depending on your usage andwhat data you want to access. Many user rights assignments and other GroupPolicy restrictions can prevent Splunk Enterprise from running. If you haveproblems, consider using a tool such as Process Monitor or GPRESULT to

troubleshoot GPO application in your environment.

Prepare your Windows network for an installationas a network or domain user

Important security information

These instructions require full administrative access to the computerand/or Active Directory domain you want to prepare for Splunk Enterprise

operations. Do not attempt to perform this procedure without this access.

The instructions require you to make changes to your Windows network.Because of the low-level access requirements for Splunk Enterprise operations,these changes are necessary if you want to run Splunk Enterprise as a userother than the Local System user. This can present a significant security risk.

To mitigate that risk, you can also prevent the user that Splunk Enterprise runsas from logging in interactively, as well as limit the number of workstations fromwhere the user can log in.

Do not perform the instructions if you do not understand the security risksthat come with them.

•

Do not perform the instructions if you plan to install Splunk Enterprise orthe universal forwarder as the "Local System" user.

•

26



You can prepare your Windows network to allow Splunk Enterprise installation asa network or domain user other than the "Local System" user.

The instructions have been tested for Windows Server 2008 R2, Windows Server2012 and Windows Server 2012 R2, and might differ for other versions of

Windows.

The rights you assign using these instructions are the minimum rights requiredfor a successful Splunk Enterprise installation. You might need to assignadditional rights, either within the Local Security Policy or a Group Policy object(GPO), or to the user and group accounts you create, for Splunk Enterprise toaccess the data you want.

Prepare Active Directory for Splunk installation as a domainuser

Prepare your Active Directory to allow for installations of Splunk Enterprise or theSplunk universal forwarder as a domain account.

Follow Microsoft's Best Practices(http://technet.microsoft.com/en-us/library/bb727085.aspx) when you createusers and groups. This typically involves creating a specific Organizational Unitfor groups within the organization.

You must meet the following requirements:

You run Active Directory.•

You are a domain administrator for the AD domains that you want toconfigure.

•

The computers on which you plan to install Splunk Enterprise aremembers of the AD domain.

•

Create groups

1. Run the Active Directory Users and Computers tool by selecting Start >Administrative Tools > Active Directory Users and Computers.

2. After the program loads, select the domain that you want to prepare for SplunkEnterprise operations.

3. Double-click an existing container folder, or create an Organization Unit byselecting New > Group from the Action menu.

27



4. Select Action > New > Group.

5. Type a name that represents Splunk Enterprise user accounts, for example,Splunk Accounts.

6. Ensure that the Group scope is set to Domain Local and Group type is setto Security.

7. Click OK to create the group.

8. Create a second group and specify a name that represents Splunk Enterpriseenabled computers, for example, Splunk Enabled Computers. This groupcontains computer accounts that are assigned the permissions to run SplunkEnterprise as a domain user.

9. Ensure that the Group scope is set to Domain Local and Group type is set

to Security.

Assign users and computers to groups

If you have not created the user accounts that you want to use to run SplunkEnterprise, now is a good time to do so. Follow Microsoft best practices forcreating users and groups if you do not have your own internal policy.

After you create the user accounts, add the accounts to the Splunk Accountsgroup, and add the computer accounts of the computers that will run Splunk

Enterprise to the Splunk Enabled Computers group.

After you do, you can exit Active Directory Users and Computers.

Define a Group Policy object (GPO)

1. Run the Group Policy Management Console (GPMC) tool by selecting Start> Administrative Tools > Group Policy Management.

2. In the tree view pane on the left, select Domains.

3. Click the Group Policy Objects folder.

4. In the Group Policy Objects in <your domain> folder, right-click and selectNew.

28



5. Type a name that represents the fact that the GPO will assign user rights tothe servers you apply it to. For example, "Splunk Access."

6. Leave the Source Starter GPO field set to "(none)".

7. Click OK to save the GPO.

Add rights to the GPO

1. While in the GPMC, right-click on the newly created group policy object andselect Edit.

2. In the Group Policy Management Editor, in the left pane, browse toComputer Configuration -> Policies -> Windows Settings -> SecuritySettings -> Local Policies -> User Rights Assignment.

a. In the right pane, double-click on the Act as part of the operatingsystem entry.

b. In the window that opens, check the Define these policy settingscheckbox.

c. Click Add User or Group?

d. In the dialog that opens, click Browse?

e. In the Select Users, Computers, Service Accounts, or Groupsdialog that opens, type in the name of the "Splunk Accounts" group youcreated earlier, then click Check Names?

Windows underlines the name if it is valid. Otherwise it tells youthat it cannot find the object and prompts you for an object nameagain.

f. Click OK to close the "Select Users?" dialog.

g. Click OK again to close the "Add User or Group" dialog.

h. Click OK again to close the rights properties dialog.

3. Repeat Steps 2a-2h for the following additional rights:

Bypass traverse checking•

29



Log on as a batch job•

Log on as a service•

Replace a process-level token•

Change per-server Administrators group membership

The following steps restrict who is a member of the Administrators group on theserver(s) to which you apply this GPO.

Caution: Make sure to add all accounts that need access to the Administratorsgroup on each server to the Restricted Groups policy setting. Failure to do so cancause you to lose administrative access to the servers to which you apply thisGPO!

1. While still in the Group Policy Management Editor window, in the left pane,browse to Computer Configuration -> Policies -> Windows Settings ->

Security Settings -> Restricted Groups.

a. In the right pane, right-click and select Add Group? in the pop-up menuthat appears.

b. In the dialog that appears, type in Administrators and click OK.

c. In the properties dialog that appears, click the Add button next toMembers of this group:.

d. In the Add Member dialog that appears, click Browse?"

e. In the Select Users, Computers, Service Accounts, or Groupsdialog that opens, type in the name of the "Splunk Accounts" group youcreated earlier, then click Check Names?


f. Click OK to close the Select Users? dialog.

g. Click OK again to close the "Add User or Group" dialog.

h. Click OK again to close the group properties dialog.

2. Repeat Steps 1a-1h for the following additional users or groups:

30



Domain Admins•

any additional users who need to be a member of the Administratorsgroup on every server to which you apply the GPO.

•

3. Close the Group Policy Management Editor window to save the GPO.

Restrict GPO application to select computers

1. While still in the GPMC, in the GPMC's left pane, select the GPO you createdand added rights to, if it is not already selected.

GPMC displays information about the GPO in the right pane.

2. In the right pane, under Security Filtering, click Add?

3. In the Select User, Computer, or Group dialog that appears, type in "Splunk

Enabled Computers" (or the name of the group that represents Splunk-enabledcomputers that you created earlier.)

4. Click Check Names. If the group is valid, Windows underlines the name.Otherwise, it tells you it cannot find the object and prompts you for an objectname again.

5. Click OK to return to the GPO information window.

6. Repeat Steps 2-5 to add the "Splunk Accounts" group (the group that

represents Splunk user accounts that you created earlier.)

7. Under Security Filtering, click the Authenticated Users entry to highlight it.

8. Click Remove.

GPMC removes the "Authenticated Users" entry from the "SecurityFiltering" field, leaving only "Splunk Accounts" and "Splunk EnabledComputers."

Apply the GPO

1. While still in the GPMC, in the GPMC's left pane, select the domain that youwant to apply the GPO you created.

2. Right click on the domain, and select Link an Existing GPO? in the menu thatpops up.

31



Note: If you only want the GPO to affect the OU that you created earlier, thenselect the OU instead and right-click to bring up the pop-up menu.

3. In the Select GPO dialog that appears, select the GPO you created andedited, and click OK. GPMC applies the GPO to the selected domain.

4. Close GPMC by selecting File > Exit from the GPMC menu.

Note: Active Directory controls when Group Policy updates occur and GPOs getapplied to computers in the domain. Typically, replication happens every 90-120minutes. You must wait this amount of time before attempting to install Splunk asa domain user. Alternatively, you can force a Group Policy update by runningGPUPDATE /FORCE from a command prompt on the computer on which you want toupdate Group Policy.

Install Splunk with a managed system account

Alternatively, you can install Splunk Enterprise with a managed system account.Follow these instructions to do so:

1. Create and configure the MSA that you plan to use to monitor Windows data.

Note: You can use the instructions in "Prepare your Active Directory to runSplunk Enterprise services as a domain account" earlier in this topic to assign theMSA the appropriate security policy rights and group memberships.

2. Install Splunk from the command line as the "Local System" user.

Important: You must install Splunk Enterprise from the command line and usethe LAUNCHSPLUNK=0 flag to keep Splunk Enterprise from starting after installationis completed.

3. After installation is complete, use the Windows Explorer or the ICACLS

command line utility to grant the MSA "Full Control" permissions to the SplunkEnterprise installation directory and all its sub-directories.

Note: You might need to break NTFS permission inheritance from parent

directories above the Splunk Enterprise installation directory and explicitly assignpermissions from that directory and all subdirectories.

4. Follow the instructions in the topic "Correct the user selected during Windowsinstallation" in this manual to change the default user for Splunk's serviceaccount. In this instance, the correct user is the MSA you configured prior to

32



installing Splunk Enterprise.

Important: You must append a dollar sign ($) to the end of the username whencompleting Step 4 in order for the MSA to work properly. For example, if the MSAis SPLUNKDOCS\splunk1, then you must enter SPLUNKDOCS\splunk1$ in the

appropriate field in the properties dialog for the service. You must do this for boththe splunkd and splunkweb services.

5. Confirm that the MSA has the "Log on as a service" right.

Note: If you use the Services control panel to make the service accountchanges, Windows grants this right to the MSA automatically.

6. Start Splunk Enterprise. It runs as the MSA configured above, and will haveaccess to all data that the MSA has access to.

Use PowerShell to configure your AD domain

You can also use PowerShell to configure your Active Directory environment forSplunk Enterprise services.

To do so, first open a PowerShell prompt (as Administrator). Then, complete thefollowing steps:

Create the Splunk user account

1. Import the ActiveDirectory PowerShell module, if needed:

> Import-Module ActiveDirectory

2. Enter the following to create a new user:

> New-ADUser ?Name <user> `

-SamAccountName <user> `

-Description ?Splunk Service Account? `

-DisplayName ?Service:Splunk? `

-Path ?<organizational unit LDAP path>? `

-AccountPassword (Read-Host ?AsSecureString ?Account Password?) `

-CannotChangePassword $true `

-ChangePasswordAtLogon $false `

-PasswordNeverExpires $true `

-PasswordNotRequired $false `

-SmartcardLogonRequired $false `

-Enabled $true `

-LogonWorkstations ?<server>? `

33



In this example:

The command creates an account whose password cannot be changed, isnot forced to change after first logon, and does not expire.

•

<user> is the name of the user you want to create.•

<organizational unit LDAP path> is the name of the OU in which to put thenew user, specified in X.500 format, for example: CN=Managed ServiceAccounts,DC=splk,DC=com.

•

<server> is a single server or comma-separated list which specifies theserver(s) that the account can log in from.

•

Note: The LogonWorkstations argument is not required, but allows you to limitwhich workstations a managed service account can log into the domain from.

Configure the Splunk Enterprise server

Once you have configured a user account, use PowerShell to configure theserver with the correct permissions for the account to run Splunk Enterprise.

Caution: This is an advanced procedure. Only perform these steps if you feelcomfortable doing so and understand the ramifications of using them, includingproblems that can occur due to typos and improperly-formatted files.

In the following examples:

<user> is the name of the user you created that will run Splunk Enterprise.•

<domain> is the domain in which the user resides.•

<computer> is the remote computer you want to connect to in order tomake changes.

•

To configure local security policy from PowerShell:

1. Connect to the server that you wish to configure.

If using the local server, simply log in and open a PowerShell prompt, ifyou have not already.

•

If connecting to a remote server, create a new PSSession on the remote

host as shown below.

•

You might need to disable Windows Firewall before you can make theremote connection. To do so, read "Need to Disable Windows Firewall"(http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx) onMS TechNet (for versions of Windows Server up to Server 2008 R2, and"Firewall with Advanced Security Administration with Windows

•

34



PowerShell" (http://technet.microsoft.com/en-us/library/hh831755.aspx),also on MS TechNet.

> Enter-PSSession -Computername <computer>

2. Add the service account to the local Administrators group:

> $group = [ADSI]?WinNT://<server>/Administrators,group?

> $group.Add(?WinNT://<domain>/<user>?)

3. Create a backup file that contains the current state of user rights settings onthe local machine:

> secedit /export /areas USER_RIGHTS /cfg OldUserRights.inf

4. Use the backup to create a new user rights information file that assigns theSplunk Enterprise user elevated rights when imported:

> Get-Content OldUserRights.inf `

| Select-String ?Pattern `

?(SeTcbPrivilege|SeChangeNotify|SeBatchLogon|SeServiceLogon|SeAssignPrimaryToken|

`

| %{ ?$_,<domain>\<user>? }

| Out-File NewUserRights.inf

5. Create a header for the new policy information file and concatenate the headerand the new information file together:

> ( ?[Unicode]?, ?Unicode=yes? ) | Out-File Header.inf> ( ?[Version]?, ?signature=`?`$CHICAGO`$`??, ?Revision=1?) | Out-File

?Append Header.inf

> ( ?[Privilege Rights]? ) | Out-File ?Append Header.inf

> Get-Content NewUserRights.inf | Out-File ?Append Header.inf

6. Review the policy information file to ensure that the header was properlywritten, and that the file has no syntax errors in it.

7. Import the file into the computer's local security policy database:

> secedit /import /cfg Header.inf /db C:\splunk-lsp.sdb

> secedit /configure /db C:\splunk-lsp.sdb

Prepare a local machine or non-AD network for SplunkEnterprise installation

If you are not using Active Directory, follow these instructions to give

35



administrative access to the user you want Splunk to run as on the computersyou want to install Splunk Enterprise on.

1. Give the user Splunk Enterprise should run as administrator rights by adding

the user to the local Administrators group.

2. Start Local Security Policy by selecting Start > Administrative Tools > LocalSecurity Policy.

Local Security Policy launches and displays the local security settings.

3. In the left pane, expand Local Policies and then click User RightsAssignment.

a. In the right pane, double-click on the Act as part of the operating

system entry.

b. Click Add User or Group?

c. In the dialog that opens, click Browse?

d. In the Select Users, Computers, Service Accounts, or Groupsdialog that opens, type in the name of the "Splunk Computers" group youcreated earlier, then click Check Names...


e. Click OK to close the "Select Users?" dialog.

f. Click OK again to close the "Add User or Group" dialog.

g. Click OK again to close the rights properties dialog.

4. Repeat Steps 3a-3g for the following additional rights:

Bypass traverse checking•

Log on as a batch job•

Log on as a service•

Replace a process-level token•

36



Once you have completed these steps, you can then install Splunk as thedesired user.

Install on Windows

Important

New for Splunk Enterprise version 6.2, the installation procedure has changedsignificantly. Read "Installation Options" in this topic before proceeding.

This topic describes the procedure for installing Splunk Enterprise on Windowswith the Graphical User Interface (GUI)-based installer. More options (such assilent installation) are available if you install from the command line.

Caution: You can no longer install or run the 32-bit version of Splunk Enterprise

for Windows on a 64-bit Windows system. You also cannot install SplunkEnterprise on a machine that runs an unsupported OS (for example, on amachine that runs Windows Server 2003.) See "System requirements."

If you attempt to run the installer in such a way, it warns you and prevents theinstallation.

Note: If you want to install the Splunk universal forwarder, see the ForwardingData manual: "Universal forwarder deployment overview". Unlike SplunkEnterprise heavy and light forwarders, which are full Splunk Enterpriseinstances with some features changed or disabled, the universal forwarder is an

entirely separate executable, with its own set of installation procedures. For anintroduction to forwarders, see "About forwarding and receiving", also in theForwarding Data Manual.

Upgrading?

If you plan to upgrade Splunk Enterprise, review "How to upgrade Splunk" forinstructions and migration considerations before proceeding.

Note that Splunk Enterprise does not support changing the management or

HTTP ports during an upgrade.

Before you install

37



Choose the Windows user Splunk should run as

Before installing, be sure to read "Choose the Windows user Splunk should runas" to determine which user account Splunk should run as to address yourspecific needs. The user you choose has specific ramifications on what you need

to do prior to installing the software, and more details can be found there.

Splunk Enterprise for Windows and anti-virus software

The Splunk Enterprise indexing subsystem requires lots of disk throughput. Anysoftware with a device driver that intermediates between Splunk Enterprise andthe operating system can rob Splunk Enterprise of processing power, causingslowness and even an unresponsive system. This includes anti-virus software.

It's extremely important to configure such software to avoid on-access scanningof Splunk Enterprise installation directories and processes, before starting a

Splunk installation.

Install Splunk Enterprise via the GUI installer

The Windows installer is an MSI file.

1. To start the installer, double-click the splunk.msi file.

The installer runs and displays the Splunk Enterprise Installer panel.

2. To continue the installation, check the "Check this box to accept the LicenseAgreement" checkbox. This activates the "Customize Installation" and "Install"buttons.

Note: If you want to view the license agreement, click on the "View LicenseAgreement" button.

38



Installation Options

New for Splunk Enterprise 6.2, the Windows installer gives you two choices:Install with the default installation settings, or configure all settings prior toinstalling.

The installer does the following by default:

Installs Splunk Enterprise in \Program Files\Splunk on the system drive(the drive that booted your Windows system.)

•

Installs Splunk Enterprise with the default management and Web ports.•

Configures Splunk Enterprise to run as the Local System user. Read"Choose the user Splunk Enterprise should run as" in this manual tounderstand the ramifications.

•

Creates a Start Menu shortcut for the software.•

3a. If you want to change any of these default installation settings, click the"Customize Options" button and proceed with the instructions in "CustomizeOptions" in this topic.

3b. Otherwise, click the "Install" button to install the software with the defaults.Then, continue with Step 8.

Customize Options

Note: On each panel, you can click Next to continue, Back to go back a step, or

Cancel to cancel the installation and quit the installer.

The installer displays the "Install Splunk Enterprise to" panel.

Note: By default, the installer puts Splunk Enterprise into \Program Files\Splunk

on the system drive. This documentation set refers to the Splunk Enterpriseinstallation directory as $SPLUNK_HOME or %SPLUNK_HOME%.

39



4. Click "Change?" to specify a different location to install Splunk Enterprise, orclick "Next" to accept the default value.

The installer displays the "Choose the user Splunk Enterprise should run as"panel.

Splunk Enterprise installs and runs two Windows services, splunkd andsplunkweb. New for version 6.2, the splunkd service handles all Splunk

Enterprise operations, and the splunkweb service installs to run only in legacymode.

These services install and run as the user you specify on this panel. You canchoose to run Splunk Enterprise as the Local System user, or another user.

Important: If you choose to run Splunk Enterprise as another user, that usermust:

Be a member of an Active Directory domain (you cannot install SplunkEnterprise as a local machine account other than the Local Systemaccount)

•

Have local administrator privileges on the machine which you areperforming the installation, and

•

Have specific user rights, and other additional permissions, depending onthe kinds of data you want to collect from remote machines.

•

See "Choose the Windows user Splunk Enterprise should run as" for additionalinformation on these permissions and rights requirements.

If you have not read the above linked topic beforehand, then stop the

installation now and read that topic first.

5. Select a user type and click Next.

If you selected the Local System user, proceed to Step 7. Otherwise, the installerdisplays the Logon Information: specify a username and password panel.

40



6. Specify a username and password to install and run Splunk Enterprise andclick Next.

Important: You must specify the user name in domain\username format. Failureto include the domain name when specifying the user will cause the installation tofail. This must be a valid user in your security context, and must be an activemember of an Active Directory domain. Splunk Enterprise must run under eitherthe Local System account or a valid user account with a valid password and local

administrator privileges.

The installer displays the installation summary panel.

7. Click "Install" to proceed.

The installer runs and displays the Installation Complete panel.

Caution: If you specified the wrong user during the installation procedure, youwill see two pop-up error windows explaining this. If this occurs, SplunkEnterprise installs itself as the Local System user by default. Splunk Enterprisedoes not start automatically in this situation. You can proceed through the final

41



panel of the installation, but uncheck the "Launch browser with Splunk" checkboxto prevent your browser from launching. Then, use these instructions to switch tothe correct user before starting Splunk.

8. If desired, check the boxes to Launch browser with Splunk and Create Start

Menu Shortcut now. Click Finish.

The installation completes, Splunk Enterprise starts and launches in a supportedbrowser if you checked the appropriate box.

Note: The first time you access Splunk Web after installation, login with thedefault username admin and password changeme. Do not use the username andpassword you provided during the installation process.

Launch Splunk in a Web browser

To access Splunk Enterprise after you start it on your machine, you can either:

Click the Splunk icon in Start > Programs > Splunk•

or

Open a Web browser and navigate to http://localhost:8000.•

Log in using the default credentials: username: admin and password: changeme.

The first time you log into Splunk Enterprise successfully, it prompts you rightaway to change your password. You can do so by entering a new password andclicking the Change password button, or you can do it later by clicking the Skipbutton.

Note: If you do not change your password, remember that anyone who hasaccess to the machine and knows the default password can access your Splunkinstance. Be sure to change the admin password as soon as possible and makea note of what you changed it to.

Avoid Internet Explorer Enhanced Security pop-ups

If you're using Internet Explorer to access Splunk Web, add the following URLs tothe allowed Intranet group or fully trusted group to avoid getting "EnhancedSecurity" pop-ups:

quickdraw.splunk.com•

42



the URL of your Splunk Enterprise instance•

Change the Splunk Web or splunkd service ports

If you want the Splunk Web service or the splunkd service to use a different port,

you can change the defaults.

To change the Splunk Web service port:

Open a command prompt.•

Change to the %SPLUNK_HOME%\bin directory.•

Type in splunk set web-port #### and press Enter.•

To change the splunkd port:

Open a command prompt, if one isn't already.•

Change to the %SPLUNK_HOME%\bin directory.•

Type in splunk set splunkd-port #### and press Enter.•

Note: If you specify a port and that port is not available, or if the default port isunavailable, Splunk will automatically select the next available port.

Install or upgrade license

If you are performing a new installation of Splunk Enterprise or switching fromone license type to another, you must install or update your license.

What's next?

Now that you've installed Splunk Enterprise, you can find out what comes next,or you can review these topics in the Getting Data In Manual for information onadding Windows data:

Monitor Windows Event Log data•

Monitor Windows Registry data•

Monitor WMI-based data•

Considerations for deciding how to monitor remote Windows data.•

43



Install on Windows via the command line

This topic describes the procedure for installing Splunk Enterprise on Windowsfrom the command line.

Important: If you want to install the Splunk universal forwarder, see theForwarding Data manual: "Universal forwarder deployment overview". UnlikeSplunk Enterprise heavy and light forwarders, which are full Splunk instanceswith some features changed or disabled, the universal forwarder is an entirelyseparate executable, with its own set of installation procedures. For anintroduction to forwarders, see "About forwarding and receiving", also in theForwarding Data Manual.

We strongly recommend that you run 64-bit Splunk Enterprise on 64-bithardware. The performance is greatly improved over the 32-bit version. If you run

the 32-bit installer on a 64-bit system, the installer will give you a warning.

When to install from the command line?

You can manually install Splunk Enterprise on individual machines from acommand prompt or PowerShell window. Here are some scenarios whereinstalling from the command line is useful:

You want to install Splunk Enterprise, but don't want it to start right away.•

You want to automate installation of Splunk with a script.•

You want to install Splunk Enterprise on a system that you will clone later.•

You want to use a deployment tool such as Group Policy or SystemCenter Configuration Manager.

•

You want to install Splunk Enterprise on a system that runs a version ofWindows Server Core.

•

Install using PowerShell

You can install Splunk Enterprise from a PowerShell window. The steps requiredto do so are identical to those required to install from a command prompt.

Upgrading?

If you plan to upgrade Splunk Enterprise, review "How to upgrade Splunk" forinstructions and migration considerations before proceeding.

44



In particular, be aware that Splunk does not support changing the managementor HTTP ports during an upgrade.

Before you install

Choose the Windows user Splunk Enterprise should run as

Before installing, read "Choose the Windows user Splunk Enterprise should runas" to determine which user account Splunk should run as to address yourspecific data collection needs. The user you choose has specific ramifications onwhat you need to do prior to installing the software, and more details can befound there.

Prepare your domain for a Splunk Enterprise installation as a domain user

Also before installing, read "Prepare your Windows network for a SplunkEnterprise installation as a network or domain user" for specific instructions onhow to configure your domain to run Splunk Enterprise.

Splunk Enterprise for Windows and anti-virus software

The Splunk Enterprise indexing subsystem requires a lot of disk throughput.Anti-virus software - or any software with a device driver that intermediatesbetween Splunk Enterprise and the operating system - can significantly decreaseprocessing power, causing slowness and even an unresponsive system.

It is extremely important to configure such software to avoid on-access scanningof Splunk Enterprise installation directories and processes, before starting aninstallation.

Install Splunk Enterprise from the command line

You install Splunk Enterprise from the command line by invoking msiexec.exe.You perform the same procedure if you run PowerShell.

For 32-bit platforms, use splunk-<...>-x86-release.msi:

msiexec.exe /i splunk-<...>-x86-release.msi [<flag>]... [/quiet]

For 64-bit platforms, use splunk-<...>-x64-release.msi:

45



msiexec.exe /i splunk-<...>-x64-release.msi [<flag>]... [/quiet]

The value of <...> varies according to the particular release; for example,splunk-5.0-125454-x64-release.msi.

Command line flags allow you to configure Splunk Enterprise at installation time.Using command line flags, you can specify a number of settings, including butnot limited to:

Which Windows event logs to index.•

Which Windows Registry hive(s) to monitor.•

Which Windows Management Instrumentation (WMI) data to collect.•

The user Splunk Enterprise runs as (Important: Read "Choose theWindows user Splunk Enterprise should run as" for information on whattype of user you should install your Splunk instance with.)

•

An included application configuration for Splunk to enable (such as theSplunk light forwarder.)

•

Whether or not Splunk should start automatically when the installation iscompleted.

•

Note: The first time you access Splunk Web after installation, log in with thedefault username admin and password changeme.

Supported flags

The following is a list of the flags you can use when installing Splunk forWindows via the command line.

Important: The Splunk universal forwarder is a separate executable, with its owninstallation flags. Review the supported installation flags for the universalforwarder in "Deploy a Windows universal forwarder from the command line" inthe Forwarding Data manual.

Flag What it's for Defau

AGREETOLICENSE=Yes|No

Use this flag to agree to the EULA. This

flag must be set toYes

for a silentinstallation.

No

INSTALLDIR="<directory_path>" Use this flag to specify directory toinstall. Splunk's installation directory isreferred to as $SPLUNK_HOME or%SPLUNK_HOME% throughout this

C:\Progr

Files\Sp

46



documentation set.

SPLUNKD_PORT=<port number>

Use these flags to specify alternateports for splunkd and splunkweb to use.

Note: If you specify a port and that portis not available, Splunk willautomatically select the next availableport.

8089

WEB_PORT=<port number>

Use these flags to specify alternateports for splunkd and splunkweb to use.

Note: If you specify a port and that portis not available, Splunk willautomatically select the next availableport.

8000

WINEVENTLOG_APP_ENABLE=1/0

WINEVENTLOG_SEC_ENABLE=1/0

WINEVENTLOG_SYS_ENABLE=1/0

WINEVENTLOG_FWD_ENABLE=1/0

WINEVENTLOG_SET_ENABLE=1/0

Use these flags to specify whether ornot Splunk should index a particularWindows event log:

Application log

Security log

System log

Forwarder log

Setup log

Note: You can specify multiple flags.

0 (off)

REGISTRYCHECK_U=1/0

REGISTRYCHECK_BASELINE_U=1/0

Use this flag to specify whether or notSplunk should

index events from

capture a baseline snapshot of

the Windows Registry user hive(HKEY_CURRENT_USER).

0 (off)

47



Note: You can set both of these at thesame time.

REGISTRYCHECK_LM=1/0

REGISTRYCHECK_BASELINE_LM=1/0

Use this flag to specify whether or notSplunk should

index events from

capture a baseline snapshot of

the Windows Registry machine hive(HKEY_LOCAL_MACHINE).

Note: You can set both of these at thesame time.

0 (off)

WMICHECK_CPUTIME=1/0

WMICHECK_LOCALDISK=1/0

WMICHECK_FREEDISK=1/0

WMICHECK_MEMORY=1/0

Use these flags to specify whichpopular WMI-based performancemetrics Splunk should index:

CPU usage

Local disk usage

Free disk space

Memory statistics

Caution: If you need this instance ofSplunk to monitor remote Windowsdata, then you must also specify theLOGON_USERNAME and LOGON_PASSWORD

installation flags. Splunk can not collectany remote data that it does not haveexplicit access to. Additionally, the useryou specify requires specific rights,administrative privileges, and additionalpermissions, which you must configure

before installation. Read "Choose theWindows user Splunk should run as" inthis manual for additional informationabout the required credentials.

0 (off)

48



There are many more WMI-basedmetrics that Splunk can index. Review"Monitor WMI Data" in the Getting DataIn Manual for specific information.

LOGON_USERNAME="<domain\username>"

LOGON_PASSWORD="<pass>"

Use these flags to providedomain\username and passwordinformation for the user that Splunk willrun as. The splunkd and splunkweb

services are configured with thesecredentials. For the LOGON_USERNAME

flag, you must specify the domain withthe username in the format"domain\username."

These flags are required if you want

this Splunk Enterprise installation tomonitor any remote data. Review"Choose the Windows user Splunkshould run as" in this manual foradditional information about whichcredentials to use.

none

SPLUNK_APP="<SplunkApp>" Use this flag to specify an includedSplunk application configuration toenable for this installation of Splunk.Currently supported options for

<SplunkApp> are:SplunkLightForwarder andSplunkForwarder. These specify thatthis instance of Splunk will function as alight forwarder or heavy forwarder,respectively. Refer to the "Aboutforwarding and receiving" topic in theForwarding Data manual for moreinformation.

Important: The full version of Splunk

does not enable the universalforwarder. The universal forwarder is aseparate downloadable executable,with its own installation flags.

none

49



Note: If you specify either the Splunkforwarder or light forwarder here, youmust also specifyFORWARD_SERVER="<server:port>".

To install Splunk Enterprise with noapplications at all, simply omit this flag.

FORWARD_SERVER="<server:port>"

Use this flag *only* when you are alsousing the SPLUNK_APP flag to enableeither the Splunk heavy or lightforwarder. Specify the server and portof the Splunk server to which thisforwarder will send data.

Important: This flag requires that the

SPLUNK_APP flag also be set.

none

DEPLOYMENT_SERVER="<host:port>"

Use this flag to specify a deploymentserver for pushing configurationupdates. Enter the deployment server'sname (hostname or IP address) andport.

none

LAUNCHSPLUNK=0/1

Use this flag to specify whether or notSplunk should start up automatically onsystem boot.

Important: If you enable the SplunkForwarder by using the SPLUNK_APP flag,the installer configures Splunk to startautomatically, and ignores this flag.

1 (on)

INSTALL_SHORTCUT=0/1

Use this flag to specify whether or notthe installer should create a shortcut toSplunk on the desktop and in the StartMenu.

1 (on)

Silent installation

To run the installation silently, add /quiet to the end of your installationcommand string. If your system has User Access Control enabled (the default onsome systems), you must run the installation as Administrator. To do this:

When opening a command prompt, right click and select "Run AsAdministrator".

•

50



Use this command window to run the silent install command.•

Note: This also works when using PowerShell as your command line interface.

Examples

The following are some examples of using different flags.

Silently install Splunk Enterprise to run as the Local System user

msiexec.exe /i Splunk.msi /quiet

Enable the Splunk heavy forwarder and specify credentials for the user Splunk Enterprise will run as

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder"FORWARD_SERVER="<server:port>" LOGON_USERNAME="AD\splunk"

LOGON_PASSWORD="splunk123"

Enable SplunkForwarder, enable indexing of the Windows System event log, and run the installer in silent mode

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder"

FORWARD_SERVER="<server:port>" WINEVENTLOG_SYS_ENABLE=1 /quiet

Where "<server:port>" are the server and port of the Splunk server to which

this machine should send data.

What's next?

Now that you've installed Splunk Enterprise, what comes next?

You can also review this topic about considerations for deciding how to monitorWindows data in the Getting Data In manual.

Correct the user selected during Windowsinstallation

If you have selected "other user" during the Splunk Enterprise installation, andthat user does not exist or perhaps you mistyped the information, you can go intothe Windows Service Control Manager and specify the correct information, as

51



long as you have not started Splunk yet. If you have started Splunk, you muststop it, uninstall it and reinstall it.

If you specified an invalid user during the Windows GUI installation process, youwill see two popup error windows.

To change the user:

1. In Control Panel > Administrative Tools > Services, find the splunkd andsplunkweb services. You'll notice that they are not started and are currentlyowned by the Local System User.

2. Right click on each service and choose Properties. The properties dialog forthat service is displayed.

3. Select the Log On tab.

4. Select the This account radio button and fill in the correct domain\usernameand password.

5. Click Apply.

6. Click OK.

7. If you run Splunk Enterprise in legacy mode, repeat Steps 2 through 6 for thesecond service (you must do this for both splunkd and splunkweb).

Note: Do not run Splunk Enterprise in legacy mode permanently. See "Start andstop Splunk Enterprise" for info on legacy mode.

8. You can now either start either (or both) service(s) from the Service Manageror from the Splunk command line interface.

52



Install Splunk Enterprise on Unix, Linux or

Mac OS X

Install on Linux

You can install Splunk Enterprise on Linux using RPM or DEB packages, or a tarfile.

Note: If you want to install the Splunk universal forwarder, see the ForwardingData manual: "Universal forwarder deployment overview". Unlike Splunk heavyand light forwarders, which are full Splunk Enterprise instances with somefeatures changed or disabled, the universal forwarder is an entirely separateexecutable, with its own set of installation procedures. For an introduction to

forwarders, see "About forwarding and receiving".

Upgrading?

If you are upgrading, review "How to upgrade Splunk" for instructions andmigration considerations before proceeding.

Tar file install

To install Splunk Enterprise on a Linux system, expand the tar file into an

appropriate directory using the tar command:

tar xvzf splunk_package_name.tgz

The default install directory is splunk in the current working directory. To installinto /opt/splunk, use the following command:

tar xvzf splunk_package_name.tgz -C /opt

Note: When you install Splunk Enterprise with a tar file:

Some non-GNU versions of tar might not have the -C argument available.In this case, if you want to install in /opt/splunk, either cd to /opt or placethe tar file in /opt before running the tar command. This method will workfor any accessible directory on your machine's filesystem.

•

53



Splunk does not create the splunk user automatically. If you want Splunkto run as a specific user, you must create the user manually beforeinstalling.

•

Ensure that the disk partition has enough space to hold the uncompressedvolume of the data you plan to keep indexed.

•

RedHat RPM install

Ensure that the desired splunk build rpm package is available locally on thetarget server. Verify that the file is readable and executable by the the Splunkuser. If needed change access:

chmod 744 splunk_package_name.rpm

To install the Splunk RPM in the default directory /opt/splunk:

rpm -i splunk_package_name.rpm

To install Splunk in a different directory, use the --prefix flag:

rpm -i --prefix=/opt/new_directory splunk_package_name.rpm

Note: Installing with rpm in a non-default directory is not recommended, as RPMoffers no safety net at time of upgrade, if --prefix does not agree then the

upgrade will go awry.

To upgrade an existing Splunk Enterprise installation that resides in /opt/splunkusing the RPM:

rpm -U splunk_package_name.rpm

Note: Upgrading rpms is upgrading the rpm package, not upgrading SplunkEnterprise. In other words, rpm upgrades can only be done when using the rpmin the past. There is no smooth transition from tar installs to rpm installs. This is

not a Splunk issue, but a fundamental packaging issue.

To upgrade an existing Splunk Enterprise installation that was done in a differentdirectory, use the --prefix flag:

54



rpm -U --prefix=/opt/existing_directory splunk_package_name.rpm

Note: If you do not specify with --prefix for your existing directory, rpm willinstall in the default location of /opt/splunk.

For example, to upgrade to the existing directory of$SPLUNK_HOME=/opt/apps/splunk enter the following:

rpm -U --prefix=/opt/apps splunk_package_name.rpm

To Replace an existing Splunk Enterprise installation

rpm -i --replacepkgs --prefix=/splunkdirectory/ splunk_package_name.rpm

If you want to automate your RPM install with kickstart, add the following to yourkickstart file:

./splunk start --accept-license

./splunk enable boot-start

Note: The second line is optional for the kickstart file.

Enable Splunk Enterprise to start the system at boot by adding it to /etc/init.d/ Run this command as root or sudo and specify the user that Splunk Enterprise

should run as.

./splunk enable boot-start -user splunkuser

Debian DEB install

To install the Splunk DEB package:

dpkg -i splunk_package_name.deb

Note: You can only install the Splunk DEB package in the default location,/opt/splunk.

55



What gets installed

Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

Start Splunk

Splunk Enterprise can run as any user on the local system. If you run it as anon-root user, make sure that it has the appropriate permissions to read the

inputs that you specify. Refer to the instructions for running Splunk Enterprise asa non-root user for more information.

To start Splunk Enterprise from the command line interface, run the followingcommand from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is thedirectory into which you installed Splunk):

./splunk start

By convention, this document uses:

$SPLUNK_HOME to identify the path to your Splunk Enterprise installation.•

$SPLUNK_HOME/bin/ to indicate the location of the command line interface.•

Startup options

The first time you start Splunk Enterprise after a new installation, you mustaccept the license agreement. To start Splunk Enterprise and accept the licensein one step:

$SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

56



Launch Splunk Web and log in

After you start Splunk Enterprise and accept the license agreement,

1. In a browser window, access Splunk Web at http://<hostname>:port.

hostname is the host machine.•

port is the port you specified during the installation (the default port is8000).

•

""Note:"" Navigate to HTTP the first time you access Splunk.

2. Splunk Web prompts you for login information (default, username admin andpassword changeme) before it launches. If you switch to Splunk Free, you willbypass this logon page in future sessions.

What's next?


Uninstall Splunk Enterprise

To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" inthis manual.

Install on Solaris

You can install Splunk Enterprise on Solaris with a PKG packages, or a tar file.

Upgrading?

If you are upgrading, review "How to upgrade Splunk" for instructions andmigration considerations before proceeding.

Install Splunk

Splunk Enterprise for Solaris is available as a PKG file or a tar file.

57



PKG file install

The PKG installation package includes a request file that prompts you to answera few questions before Splunk installs.

pkgadd -d ./splunk_product_name.pkg

A list of the available packages is displayed.

Select the packages you wish to process (the default is "all").•

The installer then prompts you to specify a base installation directory.

To install into the default directory, /opt/splunk, leave this blank.•

PKG file upgrade

To upgrade an existing Splunk Enterprise installation using a PKG file, youshould use the instance parameter, either in the system's default packageinstallation configuration file (/var/sadm/install/admin/default) or in a customconfiguration file that you define and call.

In the default or custom configuration file, set instance=overwrite. This willprevent the upgrade from creating a second splunk package (withinstance=unique), or failing (with instance=quit). For information about theinstance parameter, see the Solaris man page (man -s4 admin).

To upgrade Splunk Enterprise using the system's default package installation file,use the same command line as you would for a fresh install.

pkgadd -d ./splunk_product_name.pkg

The installer prompts you to overwrite any changed files, answer yes to everyone.

To upgrade using a custom configuration file, type:

pkgadd -a conf_file -d ./splunk_product_name.pkg

To run the upgrade silently (and not have to answer yes for every file overwrite),type:

58



pkgadd -n -d ./splunk_product_name.pkg

tar file install

To install Splunk Enterprise on a Solaris system, expand the tar file into anappropriate directory using the tar command:

tar xvzf splunk_package_name.tar.Z


tar xvzf splunk_package_name.tar.Z -C /opt



•

If the gzip binary is not present on your system, you can use theuncompress command instead.

•

Splunk Enterprise does not create the splunk user automatically. If youwant it to run as a specific user, you must create the user manually before

installing.

•


•

What gets installed

Splunk package info:

pkginfo -l splunk

List all packages:

pkginfo

59



Start Splunk

Splunk Enterprise can run as any user on the local system. If you run it as anon-root user, make sure that it has the appropriate permissions to read theinputs that you specify. For more information, refer to the instructions on running

Splunk as a non-root user.


./splunk start

By convention, the Splunk documentation uses:

$SPLUNK_HOME to identify the path to your Splunk installation.•


Startup options






1. In a browser window, access Splunk Web at http://mysplunkhost:port, where:

mysplunkhost is the host machine.•

port is the port you specified during the installation (8000).•


60



What's next?




Install on Mac OS X

You can install Splunk Enterprise on Mac OS X using a DMG package, or a tarfile.

Upgrading?

If you are upgrading, review "How to upgrade Splunk Enterprise" for instructionsand migration considerations before proceeding.

Installation options

The Mac OS build comes in two forms: a DMG package and a tar file. Below areinstructions for the:

Graphical (basic) and command line installs using the DMG file.•

tar file install.•

Note: if you require two installations in different locations on the same host, usethe tar file. The pkg installer cannot install a second instance. If one exists, it willremove it upon successful install of the second.

Graphical install

1. Double-click on the DMG file.

A Finder window containing splunk.pkg opens.

2. In the Finder window, double-click on splunk.pkg.

The Splunk Enterprise installer opens and displays the Introduction, which listsversion and copyright information.

61



3. Click Continue.

The Select a Destination window opens.

4. Choose a location to install Splunk Enterprise.

To install in the default directory, /Applications/splunk, click on theharddrive icon.

•

To select a different location, click Choose Folder...•

5. Click Continue.

The pre-installation summary displays. If you need to make changes,

Click Change Install Location to choose a new folder, or•

Click Back to go back a step.•

6. Click Install.

Your installation will begin. It might take a few minutes.

7. When your install completes, click Finish. The installer places a shortcut onthe Desktop.

Command line install

Use the following instructions to install from a Terminal window.

Important: To install Splunk Enterprise on Mac OS X from the commandline, you must use the root user, or elevate privileges using the sudo

command. If you use sudo, your account must be an Admin-level account.

1. To mount the dmg:

sudo hdid splunk_package_name.dmg

The Finder mounts the disk image onto the desktop. The image is available

under /Volumes/SplunkForwarder <version> (note the space).

2. To Install

To the root volume:•

62



cd /Volumes/SplunkForwarder\ <version>

sudo installer -pkg .payload/splunk.pkg -target /

Note: There is a space in the disk image's name. Use a backslash to escape thespace or wrap the disk image name in quotes.

To a different disk of partition:•

cd /Volumes/SplunkForwarder\ <version>

sudo installer -pkg .payload/splunk.pkg -target /Volumes\ Disk

Note: There is a space in the disk image's name. Use a backslash to escape thespace or wrap the disk image name in quotes.

-target specifies a target volume, such as another disk, where Splunk will be

installed in /Applications/splunk.

To install into a directory other than /Applications/splunk on any volume, usethe graphical installer as described above.

tar file install

To install Splunk Enterprise on Mac OS X, expand the tar file into an appropriatedirectory using the tar command:


The default install directory is splunk in the current working directory. To installinto /Applications/splunk, use the following command:

tar xvzf splunk_package_name.tgz -C /Applications


Splunk Enterprise does not create the splunk user automatically. If youwant it to run as a specific user, you must create the user manually beforeinstalling.

•


•

63



Start Splunk

Splunk Enterprise can run as any user on the local system. If you run it as anon-root user, make sure that it has the appropriate permissions to read theinputs that you specify.

Start Splunk Enterprise from the Finder

To start Splunk Enterprise from the Finder, double-click the Splunk icon on theDesktop to launch the helper application, entitled "Splunk's Little Helper".

Note: The first time you run the helper application, it notifies you that it needs toperform a brief initialization. Click OK to allow Splunk Enterprise to initialize andset up the trial license.

Once the helper application loads, it displays a dialog that offers several choices:

Start and Show Splunk: This option starts Splunk Enterprise and directsyour web browser to open a page to Splunk Web.

•

Only Start Splunk: This choice starts Splunk Enterprise, but does notopen Splunk Web in a browser.

•

Cancel: Tells the helper application to quit. This does not affect theSplunk Enterprise instance itself, only the helper application.

•

Once you make your choice, the Splunk helper application performs therequested application and terminates. You can run the helper application again to

either show Splunk Web or stop Splunk.

The helper application can also be used to stop Splunk if it is already running.

Start Splunk Enterprise from the command line

To start Splunk Enterprise from the command line interface, run the followingcommand from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is thedirectory into which you installed Splunk Enterprise):

./splunk start




64



Startup options






1. In a browser window, access Splunk Web at http://<hostname>:port



•


What's next?




Install on FreeBSD

Splunk Enterprise for FreeBSD comes in two forms: an installer (5.4-intel) and atar file (i386). Both are gzipped tar (.tgz) files.

65



Upgrading?


Prerequisites

For FreeBSD 8, Splunk Enterprise requires compatibility packages. To install thecompatibility package:

1. Install the port:

portsnap fetch update

cd /usr/ports/misc/compat7x/ && make install clean

2. Add the package:

pkg_add -r compat7x-amd64

Basic install

To install Splunk Enterprise for FreeBSD using the intel installer:

pkg_add splunk_package_name-6.1-intel.tgz

Important: This installs Splunk Enterprise in the default directory, /opt/splunk. If/opt does not exist, you will need to create it prior to running the installcommand. If you don't, you might receive an error message. Splunk recommendsthat you create a symbolic link to another filesystem and install Splunk there,because FreeBSD best practices maintain a small root ("/") filesystem.

To install Splunk Enterprise in a different directory:

pkg_add -v -p /usr/splunk splunk_package_name-6.1-intel.tgz

The FreeBSD package system does not have native upgrade support. There aresome add-on utilities which try to manage it, but this is not explicitly tested. Toupgrade a package on FreeBSD you can either uninstall the prior package, andinstall the new package, or you can upgrade the existing installation using a tarfile install as below.

66



tar file install

To install Splunk Enterprise on a FreeBSD system with a tar file, expand the fileinto an appropriate directory using the tar command:



tar xvzf splunk_package_name.tgz -C /opt



•

Splunk Enterprise does not create the splunk user automatically. If youwant Splunk Enterprise to run as a specific user, you must create the usermanually before installing.

•


•

After you install

To ensure that Splunk Enterprise functions properly on FreeBSD, you must:

1. Add the following to /boot/loader.conf

kern.maxdsiz="2147483648" # 2GB

kern.dfldsiz="2147483648" # 2GB

machdep.hlt_cpus=0

2. Add the following to /etc/sysctl.conf:

vm.max_proc_mmap=2147483647

You must restart FreeBSD for the changes to effect.

If your server has less than 2 GB of memory, reduce the values accordingly.

67



What gets installed

To see the list of Splunk Enterprise packages:

pkg_info -L splunk

To list all packages:

pkg_info

Start Splunk Enterprise

Splunk Enterprise can run as any user on the local system. If you run it as anon-root user, make sure that it has the appropriate permissions to read the

inputs that you specify.

To start Splunk Enterprise from the command line interface, run the followingcommand from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is thedirectory into which you installed Splunk Enterprise):

./splunk start




Startup options




68








•


What's next?




Install on AIX

You can install Splunk Enterprise on AIX using a tar file.

Important: The user Splunk is installed as must have permission to read/dev/random and /dev/urandom or the installation will fail.

Upgrading?


Install Splunk Enterprise

The AIX install comes in tar file form.

When you install with the tar file:

69



Splunk Enterprise does not create the splunk user automatically. If youwant Splunk Enterprise to run as a specific user, you must create the usermanually.

•

Be sure the disk partition has enough space to hold the uncompressedvolume of the data you plan to keep indexed.

•

We recommend you use GNU tar to unpack the tar files, as AIX tar can failto unpack long file names, fail to overwrite files, and other problems. If youmust use the system tar, be sure to check the output for error messages.

•

To install Splunk Enterprise on an AIX system, expand the tar file into anappropriate directory. The default install directory is /opt/splunk.

For AIX 5.3, check to make sure your service packs are up to date. SplunkEnterprise requires the following service level:

$ oslevel -r5300-005


Splunk Enterprise can run as any user on the local system. If you run it as anon-root user, make sure that it has the appropriate permissions to read theinputs that you specify. Refer to the instructions for running Splunk Enterprise asa non-root user for more information.


./splunk start




Note: The AIX version of Splunk does not register itself to auto-start on reboot.However, you can do so by running the following command from the$SPLUNK_HOME/bin directory at a prompt:


70



This command invokes the following system commands to register SplunkEnterprise and Splunk Web in the system's Subsystem Resource Controller:

mkssys -G splunk -s splunkd -p <path to splunkd> -u <splunk user> -a

_internal_exec_splunkd -S -n 2 -f 9

mkssys -G splunk -s splunkweb -p <path to python> -u <splunk user> -a

_internal_exec_splunkweb -S -n 15 -f 9

For additional information on the mkssys command line arguments, read "Mkssyscommand"(http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.cmds/don the IBM pSeries and AIX Information Center website.

Startup options




For more information, refer to "Splunk Enterprise startup options" in this manual.






•

2. Splunk Web prompts you for login information (default, username admin and

password changeme) before it launches. If you switch to Splunk Free, you willbypass this logon page in future sessions.

71



./splunk start




Note: The HP-UX version of Splunk Enterprise does not register itself toauto-start on reboot. However, you can register it by running the followingcommand in the $SPLUNK_HOME/bin directory in a shell prompt:


Startup options









•


What's next?


73





Run Splunk Enterprise as a different or non-rootuser

Important: This topic is for non-Windows operating systems only. To learn howto install Splunk Enterprise on Windows using a user, read "Choose the userSplunk Enterprise should run as" in this manual.

You can run Splunk Enterprise as any user on the local system. If you run it as anon-root user, make sure it has the appropriate permissions to:

Read the files and directories it is configured to watch. Some log files anddirectories might require root or superuser access to be indexed.

•

Write to the Splunk Enterprise directory and execute any scriptsconfigured to work with your alerts or scripted input.

•

Bind to the network ports it is listening on. Network ports below 1024 arereserved ports that only the root user can bind to.

•

Note: Because ports below 1024 are reserved for root access only, Splunk canonly listen on port 514 (the default listening port for syslog) if it is running as root.

You can, however, install another utility (such as syslog-ng) to write your syslogdata to a file and have Splunk monitor that file instead.

Instructions

To run Splunk Enterprise as a non-root user, you need to first install SplunkEnterprise as root. Then, before you start Splunk Enterprise for the firsttime, change the ownership of the $SPLUNK_HOME directory to the desired user.The following are instructions to install Splunk Enterprise and run it as a non-rootuser, splunk.

Note: In the following examples, $SPLUNK_HOME represents the path to the SplunkEnterprise installation directory.

1. As the root user, create the user and group, splunk.

For Linux, Solaris, and FreeBSD:

74



useradd splunk

groupadd splunk

For Mac OS:

You can use the System Preferences > Accounts panel to add users andgroups.

2. As the root user, and using one of the packages (not a tar file), run theinstallation.

Important: Do not start Splunk Enterprise yet.

3. As the root user, invoke the chown command to change the ownership of thesplunk directory and everything under it to the desired user.

chown -R splunk:splunk $SPLUNK_HOME

Note: If chown binary on your system does not support changing group ownershipof files, you can use the chgrp command to do so. Refer to the man pages onyour system for additional information.

4. Become the non-root user, either by logging out of the root account andlogging in as that user, or by using the su command to become that user.

5. As the non-root user, start Splunk Enterprise.

$SPLUNK_HOME/bin/splunk start

Also, if you want to start Splunk Enterprise as the splunk user while you arelogged in as a different user, you can use the sudo command:

sudo -H -u splunk $SPLUNK_HOME/bin/splunk start

This example command assumes:

If Splunk Enterprise is installed in an alternate location, update the path inthe command accordingly.

•

Your system might not have sudo installed. If this is the case, you can usesu.

•

75



If you are installing using a tar file and want Splunk Enterprise to run as aparticular user (such as splunk), you must create that user manually.

•

The splunk user must have access to /dev/urandom to generate the certsfor the product.

•

Solaris 10 privileges

When installing Splunk Enterprise on Solaris 10 as the splunk user, you must setadditional privileges to start splunkd and bind to reserved ports.

To start splunkd as the splunk user on Solaris 10, run:

# usermod -K defaultpriv=basic,net_privaddr,proc_exec,proc_fork splunk

To allow the splunk user to bind to reserved ports on Solaris 10, run (as root):

# usermod -K defaultpriv=basic,net_privaddr splunk

76



Start using Splunk Enterprise

Start Splunk for the first time

Important security tip

Before you begin using your new Splunk Enterprise upgrade or installation, youshould take a few moments to make sure that Splunk and your data are secure.For more information, read "Hardening Standards" in the Securing SplunkEnterprise manual.

To start Splunk Enterprise:

On Windows

You can start Splunk Enterprise on Windows using either the command line, orthe Windows Services Manager. Using the command line offers more options,described later in this section. In a cmd window, go to C:\Program

Files\Splunk\bin and type:

splunk start

(For Windows users: in subsequent examples and information, replace$SPLUNK_HOME with C:\Program Files\Splunk if you have installed Splunk in thedefault location. You can also add %SPLUNK_HOME% as a system-wide environmentvariable by using the Advanced tab in the System Properties dialog.)

On UNIX

Use the Splunk Enterprise command-line interface (CLI):

$SPLUNK_HOME/bin/splunk start

Splunk Enterprise then displays the license agreement and prompts you toaccept before the startup sequence continues.

On Mac OS X

Splunk Enterprise can run as any user on the local system. If you run SplunkEnterprise as a non-root user, make sure that Splunk has the appropriatepermissions to read the inputs that you specify.

77



Start Splunk Enterprise from the Finder

To start Splunk Enterprise from the Finder, double-click the Splunk icon on theDesktop to launch the helper application, entitled "Splunk's Little Helper".

Note: The first time you run the helper application, it notifies you that it needs toperform a brief initialization. Click OK to allow Splunk to initialize and set up thetrial license.

Once the helper application loads, it displays a dialog that offers several choices:

Start and Show Splunk: This option starts Splunk and directs your webbrowser to open a page to Splunk Web.

•

Only Start Splunk: This choice starts Splunk, but does not open SplunkWeb in a browser.

•

Cancel: Tells the helper application to quit. This does not affect the

Splunk Enterprise instance itself, only the helper application.

•

Once you make your choice, the helper application performs the requestedapplication and terminates. You can run the helper application again to eithershow Splunk Web or stop Splunk Enterprise.

The helper application can also be used to stop Splunk Enterprise if it is alreadyrunning.

Start Splunk Enterprise from the command line

To start Splunk Enterprise from the command line interface, run the followingcommand from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is thedirectory into which you installed Splunk, by default /Applications/splunk):

./splunk start

Other start options

To accept the license automatically when you start Splunk Enterprise for the first

time, add the accept-license option to the start command:


The startup sequence displays:

78



Splunk> All batbelt. No tights.

Checking prerequisites...

Checking http port [8000]: open

Checking mgmt port [8089]: open

Checking appserver port [127.0.0.1:8065]: open Checking kvstore port [8191]: open

Checking configuration... Done.

Checking critical directories... Done

Checking indexes...

Validated: _audit _blocksignature _internal

_introspection _thefishbucket history main msad msexchange perfmon

sf_food_health sos sos_summary_daily summary windows wineventlog

winevents

Done

Checking filesystem compatibility... Done

Checking conf files for problems...

Done

All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Done

[ OK ]

Waiting for web server at http://127.0.0.1:8000 to be available... Done

If you get stuck, we're here to help.

Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://localhost:8000

Note: If the default ports are already in use (or are otherwise not available),Splunk Enterprise offers to use the next available port. You can either accept thisoption or specify a port to use.

There are two other start options: no-prompt and answer-yes:

If you run $SPLUNK_HOME/bin/splunk start --no-prompt, SplunkEnterprise proceeds with startup until it requires you to answer a question.

Then, it displays the question, why it is quitting, and quits.

•

If you run SPLUNK_HOME/bin/splunk start --answer-yes, SplunkEnterprise proceeds with startup and automatically answers "yes" to allyes/no questions. It displays the question and answer as it continues.

•

If you run start with all three options in one line, for example:

79



$SPLUNK_HOME/bin/splunk start --answer-yes --no-prompt --accept-license

Splunk does not ask you to accept the license.•

Splunk answers yes to any yes/no question.•

Splunk quits when it encounters a non-yes/no question.•

Change where and how Splunk Enterprise starts

To learn how to change system environment variables that control how SplunkEnterprise starts and operates, see "Set or change environment variables" in theAdmin manual.

Launch Splunk Web

Navigate to:

http://mysplunkhost:8000

Use whatever host and port you chose during installation.

The first time you log in to Splunk Enterprise, the default login details are:Username - admin Password - changeme

Splunk Free does not have access controls.

What happens next?

Now that you've got Splunk Enterprise installed on one server, here are somelinks to get you started:

Learn what Splunk Enterprise is, what it does, and how it's different.•

Learn how to add your data to Splunk Enterprise.•

Add and manage users.•

Estimate how much space you will need to store your data.•

Plan your Splunk Enterprise deployment, from gigabytes to terabytes perday.

•

Learn how to search, monitor, report, and more.•

One big way that Splunk Enterprise differs from traditional technologies isthat it classifies and interprets data at search-time. Learn what thismeans and how to use it.

•

80



If you downloaded Splunk Enterprise packaged with an app (for example, Splunk+ WebSphere), go to Splunk Web and select the app in Launcher to go directly tothe app?s setup page. To see more information about the setup and deploymentfor a packaged app, search for the app name on Splunkbase.

Learn about accessibility to Splunk Enterprise

Splunk is dedicated to maintaining and enhancing its accessibility and usabilityfor users of assistive technology (AT), both in accordance with Section 508 of theUnited States Rehabilitation Act of 1973, and in terms of best usability practices.This topic discusses how Splunk addresses accessibility within the product forusers of AT.

Accessibility of Splunk Web and the CLI

The Splunk Enterprise command line interface (CLI) is fully accessible, andincludes a superset of the functions available in Splunk Web. The CLI isdesigned for usability for all users, regardless of accessibility needs, and Splunktherefore recommends the CLI for users of AT (specifically users with low or novision, or mobility restrictions).

Splunk also understands that use of a GUI is occasionally preferred, even fornon-sighted users. As a result, Splunk Web is designed with the followingaccessibility features:

Form fields and dialog boxes have on-screen indication of focus, assupported by the Web browser.

•

No additional on-screen focus is implemented for links, buttons or otherelements that do not have browser-implemented visual focus.

•

Form fields are consistently and appropriately labeled, and ALT textdescribes functional elements and images.

•

Splunk Web does not override user-defined style sheets.•

Data visualizations in Splunk Web have underlying data available viamouse-over or output as a data table, such that information conveyed withcolor is available without color.

•

Most data tables implemented with HTML use headers and markup toidentify data as needed.•

Data tables presented using Flash visually display headers. Underlyingdata output in comma separated value (CSV) format have appropriateheaders to identify data.

•

81



Accessibility and real-time search

Splunk Web does not include any blinking or flashing components. However,using real-time search causes the page to update. Real-time search is easilydisabled, either at the deployment or user/role level. For greatest ease and

usability, Splunk recommends the use of the CLI with real-time functionalitydisabled for users of AT (specifically screen readers). Refer to "How to restrictusage of real-time search" in the Search Manual for details on disabling real-timesearch.

Keyboard navigation using Firefox and Mac OS X

To enable Tab key navigation in Firefox on Mac OS X, use system preferencesinstead of browser preferences. To enable keyboard navigation:

1. In the menu bar, click [Apple icon]>System Preferences>Keyboard to openthe Keyboard preferences dialog.

2. In the Keyboard preferences dialog, click the Keyboard Shortcuts button atthe top.

3. Near the bottom of the dialog, where it says Full Keyboard Access, click theAll controls radio button.

4. Close the Keyboard preferences dialog.

5. If Firefox is already running, exit and restart the browser.

82



Install a Splunk Enterprise license

About Splunk Enterprise licenses

Splunk Enterprise takes in data from sources you designate and processes it sothat you can analyze it. We call this process indexing. For information about theindexing process, refer to "What Splunk Enterprise does with your data" in theGetting Data In Manual.

Splunk Enterprise licenses specify how much data you can index per day.

For more information about Splunk licenses, begin by reading:

"How Splunk licensing works" in the Admin Manual.•

"Types of Splunk Enterprise licenses" in the Admin Manual.•

"More about Splunk Free" in the Admin Manual.•

Install a license

This topic discusses how to install a new license in Splunk Enterprise. Before youproceed, you might want to review these topics on licensing:

Read "How Splunk licensing works" in the Admin Manual for an

introduction to Splunk licensing.•

Read "Groups, stacks, pools, and other terminology" in the Admin Manualfor more information about Splunk license terms.

•

Add a new license

To add a new license:

1. Navigate to Settings > Licensing.

2. Click Add license.

83



3. Either click Choose file and navigate to your license file and select it, or clickcopy & paste the license XML directly... and paste the text of your license fileinto the provided field.

4. Click Install. Splunk installs your license. If this is the first Enterprise licensethat you are installing, you must restart Splunk.

License violations

Violations occur when you exceed the maximum indexing volume allowed foryour license. If you exceed your licensed daily volume on any one calendar day,you receive a violation warning . The message persists for 14 days. If you have 5or more warnings on an Enterprise license or 3 warnings on a Free licensein a rolling 30-day period, you are in violation of your license and Splunkdisables search. Search capabilities return when you have fewer than 5(Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply atemporary reset license (available for Enterprise only). To obtain a reset license,contact your sales rep.

Note: Summary indexing volume is not counted against your license.

If you get a violation warning, you have until midnight (going by the time on thelicense master) to resolve it before it counts against the total number of warningswithin the rolling 30-day period.

During a license violation period:

Splunk does not stop indexing your data. Splunk only blocks search whileyou exceed your license.

•

Splunk does not disable searches to the _internal index. This means thatyou can still access the Indexing Status dashboard or run searchesagainst _internal to diagnose the licensing problem.

•

Got license violations? Read "About license violations" in the Admin Manual or"Troubleshooting indexed data volume" from the Splunk Community Wiki.

84



More licensing information is available in the "Manage Splunk licenses" chapterin the Admin Manual.

85



Upgrade or migrate Splunk Enterprise

How to upgrade Splunk Enterprise

This topic discusses how to upgrade Splunk Enterprise and its components fromone version to another.

In many cases, you upgrade SplunkEnterprise by installing the latest packageover your existing installation. On Windows systems, the installer packagedetects the version that you have installed and offers to upgrade it for you.

Note: When upgrading Splunk Enterprise, do so with an administrative-level useraccount.

What's new and awesome in 6.2?

Read "Meet Splunk Enterprise 6.2" in the Release Notes for a full list of the newfeatures we've delivered in 6.2.

Review the known issues in the Release Notes for a list of issues andworkarounds in this release.

Back up your existing deployment

Always back up your existing Splunk Enterprise deployment before you performany upgrade or migration.

You can manage your risk by using technology that lets you restore your SplunkEnterprise installation and data to a state prior to the upgrade, whether you useexternal backups, disk or file system snapshots, or other means. When backingup your Splunk Enterprise data, consider the $SPLUNK_HOME directory, as wellas any indexes located outside of it.

For more information about backing up your Splunk Enterprise deployment, see

"Back up configuration information" in the Admin Manual and "Back up indexeddata" in the Managing Indexers and Clusters Manual .

86



Choose the proper upgrade procedure based on yourenvironment

The way that you upgrade Splunk Enterprise differs based on whether you havea single Splunk instance or multiple Splunk instances connected together. Thedifferences are significant if you have configured a cluster of Splunk instances.

Upgrade distributed environments

If you plan to upgrade a distributed Splunk Enterprise environment, includingenvironments that have one or more search head pools, read "Upgrade yourdistributed environment" in the Distributed Deployment Manual.

Upgrade clustered environments

If you plan to upgrade a clustered Splunk Enterprise environment, read "Upgradeyour clustered deployment" in the Managing Indexers and Clusters Manual. Thattopic has upgrade instructions that supersede the instructions in this manual.

Important: All nodes of a clustered Splunk Enterprise environment must run thesame version of Splunk Enterprise. If you plan to upgrade your clusteredenvironment, you must upgrade all nodes (including search heads, masternodes, and peer nodes) in the cluster at the same time.

Then, read about important migration information beforeupgrading

Important: Before upgrading, be sure to read "About upgrading to 6.2: READTHIS FIRST" for specific migration tips and information that might affect you.

Upgrade from 5.0 and later

Splunk Enterprise supports a direct upgrade from versions 5.0 and later toversion 6.2.

Upgrade to 6.2 on Linux, Solaris, FreeBSD, HP-UX, AIX, and MacOS•

Upgrade to 6.2 on Windows•

Upgrade from 4.3 and earlier

Upgrading directly to version 6.2 from version 4.3 and earlier is not officiallysupported.

87



If you run version 4.3, upgrade to version 6.0 first before attempting anupgrade to 6.2.

•

If you run version 4.2, upgrade to version 5.0 first before attempting anupgrade to 6.2.

•

If you run a version earlier than 4.2, upgrade to version 4.3 first, then

upgrade to version 6.0 before attempting an upgrade to 6.2. Read "Aboutupgrading to 4.3 READ THIS FIRST" for specific details on how toupgrade to version 4.3.

•

Upgrade universal forwarders

Upgrading universal forwarders is a different process than upgrading SplunkEnterprise. Before upgrading your universal forwarders, be sure to read theappropriate upgrade topic for your operating system:

Upgrade the Windows universal forwarder•

Upgrade the Unix universal forwarder•

To learn about interoperability and compatibility between indexers and universalforwarders, read "Indexer and universal forwarder compatibility" in theForwarding Data manual.

About upgrading to 6.2 - READ THIS FIRST

This topic contains important information and tips about upgrading to version 6.2from an earlier version. Read it before attempting to upgrade your Splunkenvironment.

Important: Not all Splunk apps and add-ons are compatible with SplunkEnterprise 6.2. If you are considering an upgrade to this release, visit Splunkbaseto confirm that your apps are compatible with Splunk Enterprise 6.2.

Upgrade clustered environments

If you plan to upgrade a Splunk cluster, read "Upgrade your clustered

deployment" in the Managing Indexers and Clusters Manual. The instructions inthat topic supersede the upgrade material in this manual.

Important: All nodes of a clustered Splunk environment must run the sameversion of Splunk Enterprise. If you plan to upgrade your clustered environment,you must upgrade all nodes (including search heads, master nodes, and peer

88



nodes) in the cluster at the same time.

Upgrade paths

Splunk Enterprise supports the following upgrade paths to Version 6.2 of the

software:

From version 5.0 or later to 6.2 on full Splunk Enterprise.•

From version 5.0 or later to 6.2 on Splunk universal forwarders.•

If you run version 4.3 of Splunk Enterprise, upgrade to 6.0 first before attemptingan upgrade to 6.2. Read "About upgrading to 6.0 - READ THIS FIRST" forspecifics.

If you run a version of Splunk Enterprise prior to 4.3, upgrade to 5.0 first, thenupgrade to 6.2. Read "About upgrading to 5.0 - READ THIS FIRST" for tips onmigrating your instance to version 5.0.

You want to know this stuff

Upgrading to 6.2 from 5.0 and later is trivial, but here are a few things you shouldbe aware of when installing the new version:

The splunkweb service has been incorporated into the splunk d service

The splunkweb service, which handled all Splunk Web operations and sent

requests to the splunkd service, has been disabled. The splunkd service nowhandles all Splunk Enterprise services in normal operation. On Windows, thesplunkweb service installs, but does not run. See "The Splunk Web serviceinstalls but does not run" in the "Windows-specific changes" section of this topic.

If needed, you can configure Splunk Enterprise to run in "legacy mode", wheresplunkweb runs as a separate service. See "Start and stop Splunk Enterprise."

Important: Do not run Splunk Web in legacy mode permanently. Use legacymode to temporarily work around issues introduced by the new integration of theuser interface with the main splunkd service. Once you correct the issues, returnSplunk Web to normal mode as soon as possible.

No migration support for standalone search heads or search-head pooling to search head clustering

89



If you currently run standalone search heads or use search head pooling, there isno migration path to get to search head clustering. To use the new feature youmust remove search head pooling and then configure search head clusteringafter you upgrade.

New installed services open additional network ports

Splunk Enterprise installs and runs two new services: KV Store and App Server.This opens two network ports by default on the local machine: 8191 (for KVStore) and 8065 (for Appserver.) Make sure any firewall you run on the machinedoes not block these ports. The KV Store service also starts an additionalprocess, mongod. If needed, you can disable KV Store by editing server.conf andchanging the dbPath attribute to a valid path on a file system that the SplunkEnterprise instance can reach. See "About the app key value store" in the Adminmanual.

The new App Key Value Store service might increase disk space usage

The App Key Value Store (KV Store) service, which provides a way for you tomaintain the state of your application by storing and retrieving data within it,might cause an increase in disk usage on the instance, depending on how manyapps you run. You can change where the KV Store service puts its data byediting server.conf, and you can restore data used by KV Store with the splunk

clean CLI command. See "About the app key value store" in the Admin manual.

Data block signing has been removed

Data block signing has been removed from Splunk Enterprise version 6.2. Thefeature has been deprecated for some time.

Make sure that the introspection directory has the correct permissions

If you run Splunk Enterprise on Linux as a non-root user, and use an RPM toupgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory asroot. This can cause errors when you attempt to start the instance later. Toprevent this, chown the $SPLUNK_HOME/var/log/introspection directory to theuser that Splunk Enterprise runs as after upgrading and before restarting Splunk

Enterprise.

The Splunk DB Connect app can cause issues with data inputs

Due to a design flaw with version 1.1.4 of the Splunk DB Connect app, the"Forwarded Inputs" section of the "Data Inputs" page disappears if you upgrade a

90



Splunk Enterprise instance with the app installed. To work around the problem,upgrade the app to version 1.1.5 before starting an upgrade.

New default values for some attributes can impact Splunk operations over SSL

There are new defaults which can possibly impact running Splunk Enterpriseover SSL:

The supportSSLv3Only attribute, which controls how Splunk Enterprisehandles SSL clients, now has a default setting of true. This means thatonly clients who can speak the SSL v3 protocol can connect to the SplunkEnterprise instance.

•

The cipherSuite attribute, which controls the encryption protocols thatcan be used during an SSL connection, now has a default setting ofTLSV1+HIGH:@STRENGTH. This means that only clients that possess a

Transport Layer Security (TLS) v1 cipher with a 'high' encryption suite canconnect to a Splunk Enterprise instance.

•

Login page customization is no longer available

Login page customization is no longer available in 6.2. You can only modify theheader and footer of the login page after an upgrade.

Windows-specific changes

New installation and upgrade procedures

The Windows version of Splunk Enterprise now has a more streamlinedinstallation and upgrade workflow. The installer now assumes specific defaults(for new installations) and retains existing settings (for upgrades) by default. Tomake any changes from the default on installations, you must check the"Customize options" button. During upgrades, your only option is to accept thelicense agreement. See "Installation options."

The Splunk Web service installs but does not run

Beginning with Splunk Enterprise v6.2, the splunkd service handles all SplunkWeb operations. However, on Windows instances, the installer still installs thesplunkweb service, although the service quits immediately on launch whenoperating in normal mode. You can configure the service to run in legacy modeby changing a configuration parameter in web.conf. See "Start Splunk Enterpriseon Windows in legacy mode" in the Admin manual.

91



Important: Do not run Splunk Web in legacy mode permanently. Use legacymode to temporarily work around issues introduced by the new integration of theuser interface with the main splunkd service. Once you correct the issues, returnSplunk Web to normal mode as soon as possible.

No support for search head clustering in Windows

The search head clustering feature is only available on Splunk Enterprise runningon *nix hosts at this time. To use search head clustering, you must install *nixinstances of Splunk Enterprise and configure search head clustering on thoseinstances.

No support for enabling Federal Information Processing Standards (FIPS) after an upgrade

There is no supported upgrade path from a Splunk Enterprise system with

enabled Secure Sockets Layer (SSL) certificates to a system with FIPS enabled.If you need to enable FIPS, you must do so on a new installation.

Learn about known upgrade issues

To learn about any additional upgrade issues for Splunk Enterprise, see the"Known Issues - Upgrade Issues" page in the Release Notes.

How Splunk Web procedures have changed fromversion 5 to version 6

This topic lists some of the major differences in how to accomplish tasks usingthe Splunk Web user interface from version 5.x to version 6.2.

What's changed?

Procedure/Task How you used to do it How you do it now

First time login to

Splunk Enterprise

In 5.x, the Splunk

Enterprise launcher hastwo tabs: Welcome andSplunk Home. InWelcome, you can Adddata and Launch search

In 6.2, Splunk Enterprise

launches with Home. Themain parts of Home includethe Splunk Enterprisenavigation bar, the Appspanel, the Explore SplunkEnterprise panel, and a

92



app.

custom default dashboard(not shown here).

Returning to Home

In 5.x, to return toHome/Welcome youselected the Home appfrom the App menu.

In 6.2, you click the Splunklogo in the upper left of thenavigation bar. Doing soalways returns you toHome.

Edit accountinformation

In 5.x you accessed youraccount information

(change full name, emailaddress, default app,timezone, password)under Manager > Usersand authentication >Your account.

In 6.2, you access accountinformation directly from theSplunk navigation underAdministrator > EditAccount.

Logout from SplunkEnterprise

In 5.x, you clicked the"Logout" button on thenavigation bar.

In 6.2, you selectAdministrator > Logout. (Ifyou are not logged in asAdministrator, SplunkEnterprise displays the fullname of the logged in user.Click this name to bring upthe "Logout" menu option)

Manager/Settings In 5.x, you edited allobjects and systemconfigurations from theManager page or fromthe "Administrator" link

In 6.2, you access theseconfigurations directly fromthe Settings menu. There isno separate Manager page.

93



on the navigation bar.

Manage Apps: Editpermissions forinstalled apps, create anew app, or browseSplunk Apps forcommunity apps

In 5.x, you used Manager-> Apps or selected fromthe App menu.

In 6.2, you use the Appsmenu on the navigation baror the gear icon beside theword Apps on the Homepage.

Search

Summary, Search

Searches & Reports

Dashboards & Views

Search

Reports

Dashboards

Extract fields or show

source

In the search results,click on the arrow to theleft of the timestamp ofan event and select

Extract Fields or ShowSource.

In the search results, clickon the arrow to the left ofthe timestamp of an eventand then click EventActions. Select Extract

Fields or Show Source.

Find the list of alerts

In the navigation bar, youselected "Alerts".

In the navigation bar, youselect Activity > TriggeredAlerts.

Find the timeline In 5.x, the timeline wasalways visible as part ofthe dashboard after youran a search. You canhide the timeline.

In 6.2, you can only viewthe timeline if you're lookingat the Events tab after yourun a search.

94



Changes for Splunk App developers

If you develop apps for Splunk Enterprise, read this topic to find out whatchanges we've made to how Splunk Enterprise works with apps in version 6.2,and how to migrate any existing apps to work with the new version.

We have deprecated some elements of Simple XML

We have deprecated a number of the elements of Simple XML, including:

The list element: You can no longer use this element in the panel object.•

Row grouping: Use the panel construct instead. Any row grouping will be

auto-converted to this construct.

•

The searchString, searchTemplate, searchPostProcess,populatingSearch and populatingSavedSearch elements: Use the newsearch element instead.

•

The earliestTime and latestTime elements: Use earliest and latest

instead.•

We have included a new pre-built 'panels' object

This object allows developers to package reusable dashboard panels. It is a newknowledge object in the system, and can be packaged within applications. Seethe Developing Views and Apps for Splunk Web manual.

Upgrade to 6.2 on UNIX

This topic describes the procedure for upgrading your Splunk Enterprise instancefrom version 5.0 or later to 6.2.

Before you upgrade

Make sure you've read this information before proceeding, as well as thefollowing:

95



Back your files up

Before you perform the upgrade, we strongly recommend that you back up all ofyour files, including Splunk Enterprise configurations, indexed data, andbinaries.

Splunk Enterprise does not provide a means of downgrading to previousversions. If you need to revert to an older Splunk release, just reinstall it.

For information on backing up data, read "Back up indexed data" in theManaging Indexers and Clusters Manual .

For information on backing up configurations, read "Back up configurationinformation" in the Admin Manual .

How upgrading works

After performing the installation of the new version, Splunk Enterprise does notactually make changes to your configuration until after you restart it. You can runthe migration preview utility at that time to see what will be changed beforeSplunk updates the files.

If you choose to view the changes before proceeding, the upgrade script writesthe proposed changes to the$SPLUNK_HOME/var/log/splunk/migration.log.<timestamp> file.

Steps for upgrading

1. Execute the $SPLUNK_HOME/bin/splunk stop command.

Important: Make sure no other processes can start Splunk Enterpriseautomatically (such as Solaris SMF).

2. To upgrade and migrate from version 5.0 and later, install the SplunkEnterprise package over your existing deployment:

If you are using a .tar file, expand it into the same directory with the sameownership as your existing Splunk Enterprise instance. This overwritesand replaces matching files but does not remove unique files.

Note: AIX tar will fail to correctly overwrite files when run as a userother than root. Use GNU tar (gtar) to avoid this problem.

•

If you are using a package manager, such as RPM, type rpm -U

splunk_package_name.rpm

•

96



If you are using a .dmg file (on Mac OS X), double-click it and follow theinstructions. Be sure to specify the same installation directory as yourexisting installation.

•

3. Execute the $SPLUNK_HOME/bin/splunk start command.

Splunk Enterprise displays the following output:

This appears to be an upgrade of Splunk.

--------------------------------------------------------------------------------

Splunk has detected an older version of Splunk installed on this

machine. To

finish upgrading to the new version, Splunk's installer will

automatically

update and alter your current configuration files. Deprecated

configuration

files will be renamed with a .deprecated extension.You can choose to preview the changes that will be made to your

configuration

files before proceeding with the migration and upgrade:

If you want to migrate and upgrade without previewing the changes that

will be

made to your existing configuration files, choose 'y'.

If you want to see what changes will be made before you proceed with

the

upgrade, choose 'n'.

Perform migration and upgrade without previewing configuration changes?

[y/n]

4. Choose whether you want to run the migration preview script to see whatchanges will be made to your existing configuration files, or proceed with themigration and upgrade right away.

5. If you choose to view the expected changes, the script provides a list.

6. Once you've reviewed these changes and are ready to proceed with migrationand upgrade, run $SPLUNK_HOME/bin/splunk start again.

Note: You can complete Steps 3 to 5 in one line:

To accept the license and view the expected changes (answer 'n') beforecontinuing the upgrade:

$SPLUNK_HOME/bin/splunk start --accept-license --answer-no

97



To accept the license and begin the upgrade without viewing the changes(answer 'y'):

$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes

Upgrade to 6.2 on Windows

This topic describes the procedure for upgrading your Windows SplunkEnterprise instance from versions 5.0 and later to 6.2. You can upgrade using theGUI installer, or by running the msiexec utility on the command line as describedin "Install on Windows via the command line".

Before you upgrade

Read this information before proceeding, as well as the following:

Make sure you specify the same domain user

When upgrading, you must explicitly specify the same domain user that youspecified during first time install. If you do not specify the same user, SplunkEnterprise defaults to using the Local System User. If you accidentally specifythe wrong user during your installation, use these instructions to switch to thecorrect user before starting Splunk.

Don't change the ports

Splunk Enterprise does not support changing the management port and/or theHTTP port when upgrading.

Back your files up

Before you perform the upgrade, we strongly recommend that you back up all ofyour files, including Splunk Enterprise configurations, indexed data and binaries.Splunk does not provide a means of downgrading to previous versions; if youneed to revert to an older Splunk Enterprise release, just reinstall it.

For information on backing up data, read "Back up indexed data" in theManaging Indexers and Clusters Manual.

For information on backing up configurations, read "Back up configurationinformation" in the Admin manual.

98



Note: When you upgrade to Splunk Enterprise 6.2 on Windows, the installeroverwrites any custom certificate authority (CA) certificates you have created in%SPLUNK_HOME%\etc\auth. If you have custom CA files, make sure to back themup before you upgrade. After the upgrade, you can copy them back into%SPLUNK_HOME%\etc\auth to restore them. After you have restored the certificates,

restart Splunk.

Don't attempt to downgrade after you've upgraded

After you upgrade Splunk Enterprise to version 6.2, if you need to downgrade,you must uninstall version 6.2 and then reinstall the previous version of SplunkEnterprise that you were using. Do not attempt to install over a Splunk Enterprise6.2 installation with an installer from a previous version. Doing so can result in acorrupt instance and data loss.

Upgrade using the GUI installer

1. Download the new MSI file from the Splunk download page.

2. Double-click the MSI file. The installer runs and attempts to detect the existingversion of Splunk Enterprise installed on the machine. When it locates the olderversion, it displays a pane that asks you to accept the licensing agreement.

3. Accept the license agreement. The installer then installs the updated SplunkEnterprise, retaining all parameters from the existing installation. By default, theinstaller restarts Splunk Enterprise when the installation completes.

The installer places a log of the changes made to configuration files during theupgrade in %TEMP%.

Upgrade using the command line

1. Download the new MSI file from the Splunk download page.

2. Use the instructions in "Install on Windows via the command line".

If Splunk runs as a user other than the Local System user, you mustexplicitly specify this user in your command-line instruction.

•

You can use the LAUNCHSPLUNK flag to specify whether Splunk Enterpriseshould start up automatically or not when you're finished, but you cannotchange any other settings.

•

Do not change the ports (SPLUNKD_PORT and WEB_PORT) at this time.•

99



3. Depending on your specification, Splunk Enterprise might start automaticallywhen you complete the installation.

The installer places a log of the changes made to configuration files during theupgrade in %TEMP%.


On Windows, Splunk Enterprise installs by default into %SYSTEMDRIVE%\Program

Files\Splunk and starts by default.

You can start and stop the following Splunk Enterprise processes via theWindows Services control panel:

Server and Web interface: splunkd•

You can also start, stop, and restart both processes at once by going to%SYSTEMDRIVE%\Program Files\Splunk\bin and typing

# splunk [start|stop|restart]

Migrate a Splunk Enterprise instance

These migration instructions are for on-premises Splunk Enterprise

instances only.

These migration instructions should not be used by Splunk Cloud users or thosethat want to migrate their data from Splunk Enterprise on-premises to SplunkCloud.

If you run Splunk Enterprise on-premises and wish to migrate to Splunk Cloud,contact Professional Services for assistance.

This topic discusses the procedure for migrating a Splunk Enterprise instancefrom one server, operating system, architecture, or filesystem to another, whilemaintaining the indexed data, configurations, and users. This is different than

upgrading an instance, which is merely installing a new version on top of an olderone (though, an upgrade is a form of migration).

100



When to migrate

There are a number of reasons to migrate a Splunk Enterprise install:

Your Splunk Enterprise installation is on a server that you wish to retire or

reuse for another purpose.

•

Your Splunk Enterprise installation is on an operating system that eitheryour organization or Splunk no longer supports, and you want to move it toan operating system that is supported.

•

You want to switch operating systems (for example, from *nix to Windowsor vice versa)

•

You want to move your Splunk Enterprise installation to a different filesystem.

•

Your Splunk Enterprise installation is on 32-bit architecture, and you wishto move it to a 64-bit architecture for better performance.

•

Your Splunk Enterprise installation is on a system architecture that youplan to no longer support, and you want to move it to an architecture thatyou do support.

•

What to consider when migrating

While migrating a Splunk Enterprise instance is simple in many cases, there aresome important considerations to note when doing so. Depending on the type,version, and architecture of the systems involved in the migration, you mightneed to consider more than one of these items at a time.

When migrating a Splunk Enterprise instance, note:

Endianness

If you indexed data with a version of Splunk Enterprise earlier than 4.2, the indexfiles that comprise that data are sensitive to an operating system's endianness,which is the way the system organizes the individual bytes of a binary file (orother data structure).

Some operating systems are big-endian (meaning they store the most significantbyte of a binary file first), and others are little-endian (meaning they store theleast significant byte first). These operating systems create binary files of thesame endianness. Index bucket files are binary, and thus, for versions of Splunkearlier than 4.2, are the same endianness of the operating system that createdthem.

101



For a listing of processor architectures and the endianness they use, refer to theEndianness article on Wikipedia.

When you migrate a pre-4.2 Splunk Enterprise instance, in order for thedestination system to be able to read the migrated data, you must transfer index

files between systems with the same kind of endianness (for example, a NetBSDsystem running on a SPARC processor to a Linux system also running on aSPARC processor.)

If you can't move index between systems with the same endianness (forexample, when you want to move from a system that's big-endian to a systemthat's little-endian), you can move the data by forwarding it from the big-endiansystem to the little-endian system. Then, once you have forwarded all the data,you can retire the big-endian system.

Index files created by Splunk Enterprise versions 4.2 and later do not have

problems with endianness.

Differences in Windows and Unix path separators

The path separator (the character used to separate individual directory elementsof a path) on *nix and Windows is different. When moving index files betweenthese operating systems, you must make sure that the path separator you use iscorrect for the operating system you want to move the Splunk installation to. Youmust also make sure that you update any Splunk configuration files (in particular,indexes.conf) to use the correct path separator.

Windows permissions

When moving a Splunk Enterprise instance between Windows servers, makesure that the destination server has the same rights assigned to it that the sourceserver does. This includes but is not limited to the following:

Ensure that the file system and/or share permissions on the target serverare correct and allow access for the user that runs Splunk Enterprise.

•

If Splunk Enterprise runs as an account other than the Local System user,that the user is a member of the local Administrators group and has the

appropriate Local Security Policy or Domain Policy rights assigned to it bya Group Policy object

•

102



Architecture changes

If you downgrade the architecture that your Splunk Enterprise instance runs on(for example, 64-bit to 32-bit), you might experience degraded searchperformance on the new server due to the larger files that the 64-bit operating

system and Splunk Enterprise instance created.

Distributed and clustered Splunk environments

When you want to migrate data on a distributed Splunk instance (that is, anindexer that is part of a group of servers that a search head has been configuredto search for events, or a search head that's been configured to search indexersfor data), the you should remove the instance from the distributed environmentbefore attempting to migrate it.

Bucket IDs and potential bucket collision

If you migrate a Splunk instance to another Splunk instance that already hasexisting indexes with identical names, you must make sure that the individualbuckets within those indexes have bucket IDs which do not collide. Splunk willnot start if it encounters indexes with buckets that have colliding bucket IDs.When copying index data, you might need to rename the copied bucket files inorder to prevent this condition.

How to migrate

To migrate your instance of Splunk Enterprise from one system to another, followthese instructions:

1. Stop Splunk Enterprise on the server from which you want to migrate.

2. Copy the entire contents of the $SPLUNK_HOME directory from the old serverto the new server.

Important: Be sure to note any considerations above which might apply to youwhen copying the files.

3. Install the appropriate version of Splunk Enterprise for the target platform.

Note:

On *nix systems, you can extract the tar file you downloaded directly overthe copied files on the new system, or use your package manager to

•

103



upgrade using the downloaded package.On Windows systems, the installer updates the Splunk files automatically.•

4. Confirm that index configuration files (indexes.conf) contain the correctlocation and path specification for any non-default indexes.

5. Start Splunk Enterprise on the new instance.

Note: On *nix systems, Splunk Enterprise detects whether you are migrating andprompts you on whether or not to upgrade at this time.

6. Log into Splunk Enterprise. You should be able to log in with your existingcredentials.

7. Once logged in, confirm that your data is intact by searching it.

How to move index buckets from one server to another

If you're retiring a Splunk Enterprise server and immediately moving the data toanother Splunk server, you can move individual buckets of an index betweenservers, as long as:

The source and target systems have the same endianness.•

You are not trying to restore a bucket created by a 4.2 or greater versionof Splunk to a version of Splunk less than 4.2.

•

To move a bucket from one server to another:

1. Roll any hot buckets on the source system from hot to warm.

2. On the target system, create index(es) that are identical to the ones on thesource system.

Note: Review indexes.conf on the old system to get a list of the indexes on thatsystem.

3. Copy the index buckets from the source system to the target system.

Note: When copying individual bucket files, you must make sure that no bucketIDs conflict on the new system. Otherwise, Splunk Enterprise will not start. Youmight need to rename individual bucket directories after you move them from thesource system to the target system.

104



Migrate a standalone instance

If you've got a single 4.1.x Splunk Enterprise indexer and it has a single licenseinstalled on it, you can just proceed as normal with your upgrade. Follow theinstructions in the Installation Manual for your platform, and be sure to read the

"READ THIS FIRST" documentation prior to migrating.

Your existing license will work with the new licenser, and will show up as a validstack, with the indexer as a member of the default pool.

Migrate a distributed indexing deployment

If you've got multiple 4.1.x indexers, each with their own licenses, follow thesehigh-level steps in this order to migrate the deployment:

1. Designate one of your Splunk Enterprise instances as the license master. Ifyou've got a search head, this is likely a good choice.

2. Install or upgrade the Splunk Enterprise instance you have chosen to be thelicense master, following the standard instructions in the Installation Manual.

3. Configure the license master to accept connections from the indexers asdesired.

4. Upgrade each indexer one at a time, following these steps:

Upgrade an indexer to 5.0 following the instructions in the InstallationManual. It will be operating as a stand-alone license master until youperform the following steps.

•

Make a copy of the indexer's Enterprise license file (pre-4.2 license filesare located in $SPLUNK_HOME/etc/splunk.license on each indexer) andinstall it onto the license master, adding it to the stack and pool to whichyou want to add the indexer.

•

Configure the indexer as a license slave and point it at the licensemaster.

•

On the license master, confirm that the license slave is connecting asexpected by navigating to Manager > Licensing and looking at the list ofindexers associated with the appropriate pool.

•

Once you've confirmed the license slave is connecting as expected,proceed to upgrade the next indexer, following the same steps.

•

106



Migrate forwarders

If you have deployed light forwarders, review the information in this chapterabout the universal forwarder in the Forwarding Data Manual. You can upgradeyour existing light forwarders to the universal forwarders, no licensing

configuration is required--the universal forwarder includes its own license.

If you have deployed a heavy forwarder (a full instance of Splunk that performsindexing before forwarding to another Splunk Enterprise instance), you can treatit like an indexer--add it to a license pool along with the other indexers.

107





This topic discusses how to remove Splunk Enterprise from your system.

Before you uninstall, stop Splunk Enterprise. Navigate to $SPLUNK_HOME/bin andtype ./splunk stop (or just splunk stop on Windows).

Uninstall Splunk Enterprise with your package managementutilities

Use your local package management commands to uninstall Splunk Enterprise.

In most cases, files that were not originally installed by the package will beretained. These files include your configuration and index files which are underyour installation directory.

Note: $SPLUNK_HOME refers to the Splunk installation directory. On Windows, thisis C:\Program Files\Splunk by default. For most Unix platforms, the defaultinstallation directory is /opt/splunk; for Mac OS, it is /Applications/splunk.

RedHat Linux

To uninstall Splunk Enterprise on RedHat:

rpm -e splunk_product_name

Debian Linux

To uninstall Splunk Enterprise on Debian:

dpkg -r splunk

To purge (delete everything, including configuration files) on Debian:

dpkg -P splunk

108



FreeBSD

To uninstall Splunk Enterprise from the default location on FreeBSD:

pkg_delete splunk

To uninstall Splunk Enterprise from a different location on FreeBSD:

pkg_delete -p /usr/splunk splunk

Solaris

To uninstall Splunk Enterprise on Solaris:

pkgrm splunk

HP-UX

To uninstall Splunk Enterprise on HP-UX, you must stop Splunk, disableboot-start (if you configured it), and then delete the Splunk Enterprise installation.

Note: The $SPLUNK_HOME variable refers to the directory where you installedSplunk Enterprise.

1. Stop Splunk Enterprise:

$SPLUNK_HOME/bin/splunk stop

2. If you enabled boot-start, run the following command as root:

$SPLUNK_HOME/bin/splunk disable boot-start

3. Delete the Splunk installation directories:

rm -rf $SPLUNK_HOME

Other things you may want to delete:

If you created any indexes and did not use the Splunk Enterprise defaultpath, you must delete those directories as well.

•

109



If you created a user or group for running Splunk Enterprise, you shouldalso delete them.

•

Windows

To uninstall Splunk Enterprise on Windows:

Use the Add or Remove Programs option in the Control Panel. In Windows 7and Windows Server 2008, that option is available under Programs andFeatures.

You can also uninstall Splunk Enterprise from the command line by using themsiexec executable against the Splunk installer package:

C:\> msiexec /x splunk-<version>-x64.msi

Note: Under some circumstances, the Microsoft installer might present a rebootprompt during the uninstall process. You can safely ignore this request withoutrebooting.

Uninstall Splunk Enterprise manually

If you can't use package management commands, use these instructions touninstall Splunk Enterprise.

Note: These instructions will not remove any init scripts that have beencreated.

1. Stop Splunk Enterprise.

$SPLUNK_HOME/bin/splunk stop

2. Find and kill any lingering processes that contain "splunk" in its name.

For Linux and Solaris:

kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`

For FreeBSD and Mac OS

110



kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`

3. Remove the Splunk Enterprise installation directory, $SPLUNK_HOME. Forexample:

rm -rf /opt/splunk

Note: For Mac OS, you can also remove the installation directory by dragging thefolder into the trash.

3. Remove any Splunk Enterprise datastore or indexes outside the top-leveldirectory, if they exist.

rm -rf /opt/splunkdata

4. Delete the splunk user and group, if they exist.

For Linux, Solaris, and FreeBSD:

userdel splunk

groupdel splunk

For Mac OS: You can use the System Preferences > Accounts panel tomanage users and groups.

For Windows: Open a command prompt and run the command msiexec /x

against the msi package that you installed.

111



Reference

PGP Public Key

This topic includes the PGP public key and installation instructions. You can alsodownload the file using HTTPS.

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v1.4.1 (GNU/Linux)

mQGiBEbE21QRBADEMonUxCV2kQ2oxsJTjYXrYCWCtH5/OnmhK5lT2TQaE9QUTs+w

nM3sVInQqwRwBDH2qsHgqjJS0PIE867n+lVuk0gSVzS5SOlYzQjnSrisvyN452MF

2PgetHq8Lb884cPJnxR6xoFTHqOQueKEOXCovz1eVrjrjfpnmWKa/+5X8wCg/CJ7

pT7OXHFN4XOseVQabetEbWcEAIUaazF2i2x9QDJ+6twTAlX2oqAquqtBzJX5qaHn

OyRdBEU2g4ndiE3QAKybuq5f0UM7GXqdllihVUBatqafySfjlTBaMVzd4ttrDRpqWya4ppPMIWcnFG2CXf4+HuyTPgj2cry2oMBm2LMfGhxcqM5mpoyHqUiCn7591Ra/

J2/FA/0c2UAUh/eSiOn89I6FhFOicT5RPtRpxMoEM1Di15zJ7EXY+xBVF9rutqhR

5OI9kdHibYTwf4qjOOPOA7237N1by9GiXY/8s+rDWmSNKZB+xAaLyl7cDhYMv7CP

qFTutvE8BxTsF0MgRuzIHfJQE2quuxKJFs9lkSFGuZhvRuwRcrQgS2ltIFdhbGxh

Y2UgPHJlbGVhc2VAc3BsdW5rLmNvbT6IXgQTEQIAHgUCRsTbVAIbAwYLCQgHAwID

FQIDAxYCAQIeAQIXgAAKCRApYLH9ZT+xEhsPAKDimP8sdCr2ecPm8mre/8TK3Bha

pQCg3/xEickiRKKlpKnySUNLR/ZBh3m5Ag0ERsTbbRAIAIdfWiOBeCj8BqrcTXxm

6MMvdEkjdJCr4xmwaQpYmS4JKK/hJFfpyS8XUgHjBz/7zfR8Ipr2CU59Fy4vb5oU

HeOecK9ag5JFdG2i/VWH/vEJAMCkbN/6aWwhHt992PUZC7EHQ5ufRdxGGap8SPZT

iIKY0OrX6Km6usoVWMTYKNm/v7my8dJ2F46YJ7wIBF7arG/voMOg1Cbn7pCwCAtg

jOhgjdPXRJUEzZP3AfLIc3t5iq5n5FYLGAOpT7OIroM5AkgbVLfj+cjKaGD5UZW7

SO0akWhTbVHSCDJoZAGJrvJs5DHcEnCjVy9AJxTNMs9GOwWaixfyQ7jgMNWKHJp+

EyMAAwYH/RLNK0HHVSByPWnS2t5sXedIGAgm0fTHhVUCWQxN3knDIRMdkqDTnDKd

qcqYFsEljazI2kx1ZlWdUGmvU+Zb8FCH90ej8O6jdFLKJaq50/I/oY0+/+DRBZJG

3oKu/CK2NH2VnK1KLzAYnd2wZQAEja4O1CBV0hgutVf/ZxzDUAr/XqPHy5+EYg96

4Xz0PdZiZKOhJ5g4QjhhOL3jQwcBuyFbJADw8+Tsk8RJqZvHfuwPouVU+8F2vLJK

iF2HbKOUJvdH5GfFuk6o5V8nnir7xSrVj4abfP4xA6RVum3HtWoD7t//75gLcW77

kXDR8pmmnddm5VXnAuk+GTPGACj98+eISQQYEQIACQUCRsTbbQIbDAAKCRApYLH9

ZT+xEiVuAJ9INUCilkgXSNu9p27zxTZh1kL04QCg6YfWldq/MWPCwa1PgiHrVJng

p4s=

=Mz6T

-----END PGP PUBLIC KEY BLOCK-----

Install the key

1. Copy and paste the key into a file, or download the file using HTTPS.

2. Install the key using:

112



rpm --import <filename>

Splunk 6.2.2 Installation

Documents

Transcript of Splunk 6.2.2 Installation