What's Installed Where
A default installation of the Splunk Server or Splunk Professional occupies the directories, username and group described below. Your installation may be configured to override the defaults.
Users & Groups
The installation creates a user splunk and a group splunk. You must start the server as root or as a member of the splunk group. Unless something in your configuration actually requires root, start it as the splunk user: the default ports listed below are all above 1024, so the daemon and the Splunkweb process have no need to run with root privileges, and a compromise of either then yields only the splunk account.
Files & Directories
By default your entire installation is under one directory. There are also a few special directories and files you should know about.
$SPLUNK_HOME
The entire installation, including dedicated copies of all third-party libraries used by Splunk software, is installed here. The default value is /opt/splunk.
$SPLUNK_HOME/var/lib/splunk ($SPLUNK_DB)
This is where the server builds its searchable index of your data. The environment variable $SPLUNK_DB points here by default. Plan for the index to occupy roughly as much disk space as the uncompressed volume of the data indexed into it.
$SPLUNK_HOME/var/spool/splunk
This is the default "sinkhole" directory into which you can copy files for Splunk to index. It consumes any files placed here, including compressed files and tarballs.
$SPLUNK_HOME/var/lib/splunk/directorymonitor
This is where the directory monitor unpacks compressed files or tarfiles placed into the sinkhole directory described above. Although it is a subdirectory of the default $SPLUNK_DB location, changing the value of $SPLUNK_DB does not relocate this workspace. If it needs to live elsewhere, replace the directory with a symbolic link to a directory on another partition.
$SPLUNK_HOME/etc/splunk.license
This is the license key file for Splunk Professional. All features and settings are encoded in the binary key string. Below is a sample license file. The XML tags other than licenseKey are for human-readability; editing them won't extend your license.
<license>
<user>Christina Noren</user>
<expiration-date>2005-11-23 18:17:52</expiration-date>
<creation-date>2005-11-08 18:17:52</creation-date>
<bytelimit>0</bytelimit>
<version>professional</version>
<type>pro</type>
<licenseKey>ur/AQMlAnhXSV91Y/EHDGpcLJs4CC1BBF5KMdfIb/mumQizCPsJMHh9Mwki5IeiQK7MzzH1klA==</licenseKey>
<productName>splunk</productName>
</license>
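The following is an added example, not Splunk's own code or tooling: a small Python reader for a license file in the layout shown above. It parses the XML wrapper, returns the human-readable fields, checks that the licenseKey value is well-formed base64, and computes how many days the stated expiration-date leaves. It cannot interpret the key itself, which the page describes as opaque, so the days-remaining figure comes from the human-readable tag and is a convenience, not what the server enforces. The sample document is the one printed on this page; the "now" timestamps passed in are constructed for the example.

```python
"""Read a Splunk 2.x splunk.license file and report what its wrapper says.

Added example, not Splunk's own code. The sample document is the one shown on
this page. The <licenseKey> value is opaque, so the only check applied to it is
that it is well-formed base64; the other tags are human-readable copies, and
editing them does not change what the key encodes.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime

SAMPLE_LICENSE = """<license>
<user>Christina Noren</user>
<expiration-date>2005-11-23 18:17:52</expiration-date>
<creation-date>2005-11-08 18:17:52</creation-date>
<bytelimit>0</bytelimit>
<version>professional</version>
<type>pro</type>
<licenseKey>ur/AQMlAnhXSV91Y/EHDGpcLJs4CC1BBF5KMdfIb/mumQizCPsJMHh9Mwki5IeiQK7MzzH1klA==</licenseKey>
<productName>splunk</productName>
</license>
"""

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # layout of the two date tags in the sample
REQUIRED = ("user", "expiration-date", "creation-date", "bytelimit",
            "version", "type", "licenseKey", "productName")


def parse_license(text):
    """Return the child elements of <license> as a {tag: text} dict.

    Raises ValueError when the root is not <license> or a tag seen in the
    sample is absent.
    """
    root = ET.fromstring(text)
    if root.tag != "license":
        raise ValueError("root element is <%s>, expected <license>" % root.tag)
    fields = {child.tag: (child.text or "").strip() for child in root}
    missing = [tag for tag in REQUIRED if tag not in fields]
    if missing:
        raise ValueError("missing tags: " + ", ".join(missing))
    return fields


def decode_key(fields):
    """Return the raw bytes behind <licenseKey>, or raise ValueError.

    This only shows the key is a binary blob; its structure is not documented.
    """
    try:
        return base64.b64decode(fields["licenseKey"], validate=True)
    except binascii.Error as exc:
        raise ValueError("licenseKey is not valid base64: %s" % exc)


def days_remaining(fields, now):
    """Whole days from `now` (a string in DATE_FMT) to <expiration-date>.

    Negative once the stated expiry has passed. This reads the human-readable
    date, which is not what the server enforces.
    """
    expires = datetime.strptime(fields["expiration-date"], DATE_FMT)
    current = datetime.strptime(now, DATE_FMT)
    return (expires - current).days


def summarize(text, now):
    """Parse, validate and condense a license file into a small dict."""
    fields = parse_license(text)
    key = decode_key(fields)
    return {
        "user": fields["user"],
        "type": fields["type"],
        "version": fields["version"],
        "bytelimit": int(fields["bytelimit"]),
        "key_bytes": len(key),
        "days_remaining": days_remaining(fields, now),
    }


if __name__ == "__main__":
    # Constructed timestamp, chosen to fall inside the sample's validity window.
    print(summarize(SAMPLE_LICENSE, "2005-11-10 00:00:00"))
```

To run it against a real installation, read $SPLUNK_HOME/etc/splunk.license into a string and pass it to summarize together with the current time formatted as DATE_FMT.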
Network Ports
Splunk uses three ports by default; your installation may be configured differently. The first two accept remote browser connections. The third carries management traffic between the search interface, the command-line interface and the daemon.
- 8000 - HTTP socket for the Splunkweb interface
- 8001 - HTTPS secure socket for the Splunkweb interface (same UI, but over an SSL-encrypted connection)
- 8089 - SOAP management port used to communicate with the splunkd daemon. The Splunkweb interface talks to splunkd on this port, as does the command-line interface and any Splunk-2-Splunk connections from other servers. Because this port accepts management commands, allow access to it only from the hosts that need it: the local Splunkweb and CLI, and any other Splunk servers that connect to this one.
As of version 2.1, Splunk no longer uses a fourth port (9099) for inter-process communication.
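An added example, not part of the Splunk documentation, that turns the port list above into a check: it parses the output of netstat -ltn (the same columns appear in ss -ltn) and reports, for each default port, whether it is not listening, bound to loopback addresses only, or reachable from other hosts, flagging the management port in the last case. The sample netstat output is constructed for the example; the port map is the page's default and can be replaced with your installation's own values.

```python
"""Check which of Splunk's default TCP ports are listening, and on what address.

Added example, not part of the Splunk documentation. The port numbers are the
defaults listed on this page; pass your own map if they were changed.
"""
import re

# Default ports from this page.
DEFAULT_PORTS = {
    8000: "Splunkweb HTTP",
    8001: "Splunkweb HTTPS",
    8089: "splunkd management (SOAP)",
}
# Ports that exist to serve remote browsers; any other Splunk port reachable
# from outside the host gets a warning.
REMOTE_OK = {8000, 8001}

# Constructed sample in the layout of ``netstat -ltn``; not captured from a
# real host. It shows 8000 and 8089 on all interfaces, 8089 also on ::1,
# and 8001 not listening at all.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:8089                :::*                    LISTEN
"""

# proto, recv-q, send-q, local addr:port, foreign addr, state
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")


def is_loopback(addr):
    """True for IPv4 127.x.x.x and IPv6 ::1; wildcards and real IPs are not."""
    return addr.startswith("127.") or addr == "::1"


def listening_sockets(netstat_output):
    """Return a list of (port, local_address) for each LISTEN line."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((int(m.group(3)), m.group(2)))
    return found


def audit(netstat_output, ports=DEFAULT_PORTS):
    """Map each Splunk port to its bound addresses, a status and a warning flag.

    status is one of "not listening", "loopback only" or "reachable remotely".
    warn is True when a port that is not meant for remote browsers can be
    reached from other hosts, which is the case to look at first for 8089.
    """
    bound = {}
    for port, addr in listening_sockets(netstat_output):
        bound.setdefault(port, []).append(addr)
    report = {}
    for port, name in ports.items():
        addrs = bound.get(port, [])
        if not addrs:
            status = "not listening"
        elif all(is_loopback(a) for a in addrs):
            status = "loopback only"
        else:
            status = "reachable remotely"
        report[port] = {
            "name": name,
            "addresses": addrs,
            "status": status,
            "warn": status == "reachable remotely" and port not in REMOTE_OK,
        }
    return report


def findings(netstat_output, ports=DEFAULT_PORTS):
    """One line per port that is missing or flagged; empty list if all is well."""
    out = []
    for port, info in audit(netstat_output, ports).items():
        if info["status"] == "not listening":
            out.append("%d (%s): not listening" % (port, info["name"]))
        elif info["warn"]:
            out.append("%d (%s): bound to %s; restrict to trusted hosts"
                       % (port, info["name"], ", ".join(info["addresses"])))
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_NETSTAT):
        print(line)
```

Run it on the server itself with the captured text of netstat -ltn; because the functions take the output as a string, the same check can be run over output collected from other hosts. A management port that is "reachable remotely" is not a fault by itself (Splunk-2-Splunk connections need it), but it is the port to put behind a host firewall rule that admits only the peers you expect.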
Unix Processes
The Splunk Server has two main software components that run as separate processes.
- splunkd - server daemon
- twistd.py - Splunkweb browser interface to the daemon
If you run the Splunk monitor process with the command splunk startmon it will spawn a third process, splunkmon , that logs server stats once per minute for diagnostic purposes.
Use the Unix pstree command, if your server host supports it, to see all current Splunk processes.
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.