Administration basics
This documentation does not apply to the most recent version of Splunk.
The $SPLUNK_HOME variable refers to the top level directory of your installation. By default, this is /opt/splunk/.
Add Splunk to your shell path
To save a lot of typing, set a SPLUNK_HOME environment variable and add $SPLUNK_HOME/bin to your shell's path.
This example works for Linux/BSD/Solaris users who accepted the default installation location:
# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH
This example works for Mac users who accepted the default installation location:
# export SPLUNK_HOME=/Applications/Splunk
# export PATH=$SPLUNK_HOME/bin:$PATH
Alternatively, Splunk supplies a script which can be sourced to set up the Splunk environment, regardless of where it has been installed. This performs the equivalent of the above steps and obeys the values in etc/splunk-launch.conf.
# source <your splunk directory>/bin/setSplunkEnv
Splunk's CLI
Splunk's command line interface is located in $SPLUNK_HOME/bin/. If you have exported the path and environment variables (as explained above), you can use the splunk command as follows:
# splunk [action] [object] [-parameter value] ....
If you haven't set an environment variable, navigate to $SPLUNK_HOME/bin/ and run commands as follows:
# ./splunk [action] [object] [-parameter value] ....
For general help, type:
# splunk help
For a list of commands and options, type:
# splunk help commands
For Splunk with an Enterprise license, administration commands must be authenticated with a username and password. To authenticate for an entire session, type:
# splunk login
This command prompts you for a Splunk username and password. Use the same username and password for the CLI and Splunk Web. By default, the login is set to admin and the password is changeme.
Log out at any time by typing:
# splunk logout
To authenticate a single command, use the -auth parameter:
# splunk search foo -auth username:password
Note: the -auth string must be the last term in the CLI command.
Start/stop Splunk, check status
Ensure that you have added Splunk to your server host's path (as explained above, in "Add Splunk to your shell path"). Otherwise you must use the ./splunk command.
Start the Server
From a shell prompt on the Splunk server host, run this command:
# splunk start
Alternately, start either splunkd (to load back-end configuration) or Splunk Web (to load web configuration):
# splunk start splunkd
# splunk start splunkweb
Note: manually starting splunkweb will not override the setting startwebserver in web.conf. If it is disabled in config files, it will not start.
Or restart Splunk (splunkd or Splunk Web) by running:
# splunk restart
# splunk restart splunkd
# splunk restart splunkweb
Stop the Server
To shut down Splunk, run this command:
# splunk stop
Also available for splunkd and Splunk Web:
# splunk stop splunkd
# splunk stop splunkweb
Check if Splunk is running
To check if Splunk is running, type this command at the shell prompt on the server host:
# splunk status
You should see this output:
splunkd is running (PID: 3162).
splunk helpers are running (PIDs: 3164).
splunkweb is running (PID: 3216).
Or you can use ps to check for running Splunk processes:
# ps aux | grep splunk | grep -v grep
Solaris users, type -ef instead of aux:
# ps -ef | grep splunk | grep -v grep
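A monitoring-style check built on the status output above, as an added example that is not part of the original Splunk documentation: it parses `splunk status` text and exits non-zero if splunkd or splunkweb is not reported as running. The function name check_splunk_status and the VERIFY_PIDS switch are assumptions made for this example; the sample input is the status output shown above.

```shell
#!/bin/sh
# Added example (not Splunk's own code): turn `splunk status` text into an
# exit code that a cron job or monitoring agent can act on.

# check_splunk_status (hypothetical name): reads status text on stdin, prints
# one line per expected component, returns 0 only if both are reported running.
# Set VERIFY_PIDS=1 (hypothetical switch) to also confirm each PID with ps.
check_splunk_status() {
    status_text=$(cat)
    rc=0
    for component in splunkd splunkweb; do
        # Extract N from "<component> is running (PID: N)", the format shown
        # in the sample output on this page. Works whether the output is on
        # one line or several.
        pid=$(printf '%s\n' "$status_text" |
            sed -n "s/.*${component} is running (PID: \([0-9][0-9]*\)).*/\1/p" |
            head -n 1)
        if [ -z "$pid" ]; then
            echo "$component: NOT reported as running"
            rc=1
        elif [ "${VERIFY_PIDS:-0}" = 1 ] && ! ps -p "$pid" >/dev/null 2>&1; then
            # Status text names a PID that no longer exists.
            echo "$component: stale status, pid=$pid not found"
            rc=1
        else
            echo "$component: running pid=$pid"
        fi
    done
    return $rc
}

# Sample input: the status output shown on this page.
SAMPLE_STATUS='splunkd is running (PID: 3162).
splunk helpers are running (PIDs: 3164).
splunkweb is running (PID: 3216).'

# Live use (assumes splunk is on the PATH): splunk status | check_splunk_status
printf '%s\n' "$SAMPLE_STATUS" | check_splunk_status
```
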
Where to find help
Help is available in several forms.
- From the CLI:
  - Type
    # splunk help
- From Splunk Web:
  - Follow the help link in the upper right hand corner of Splunk Web.
  - Click the tutorial link from the Splunk Web landing page.
- Contact Splunk Support:
  - Many options are available on the support portal.
  - Email Splunk support.
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14