Windows installation via the commandline
This documentation does not apply to the most recent version of Splunk.
Important: By default, starting with version 3.4 of Splunk, Splunk for Windows is installed with the Splunk Desktop application configuration pre-enabled. You can change this by either specifying another application using the SPLUNK_APP flag when installing via the commandline as described in this topic, or by disabling the SplunkDesktop application after you have completed the installation process.
If you are upgrading Splunk for Windows from version 3.2.x to 3.3.x or later, please review the Windows migration instructions before proceeding to the upgrade instructions.
You can install Splunk for Windows using the MSI on the commandline by typing the following:
msiexec.exe /i Splunk.msi
This section lists the available flags and provides a few examples of using them in various configurations.
You can specify:
- which Windows event logs to index or not
- which Windows registry hive to monitor
- which WMI information to pull
- the user Splunk runs as (be sure the user you specify has the appropriate permissions to access the content you want Splunk to index)
- an included application configuration for Splunk to enable (such as the Splunk light forwarder)
- whether or not Splunk should start up automatically when the installation is completed
Important: If you are enabling the Splunk forwarder, Splunk will start automatically; this cannot be overridden.
Note: The first time you access Splunk Web after installation, log in with the default username admin and password changeme.
Supported flags
The following is a list of the flags you can use when installing Splunk for Windows via the commandline.
Note: To run the installation silently, add /quiet to the end of your string.
Use this flag to specify the directory to install to. The default is c:\program files\splunk.
- INSTALLDIR=<directory_path>
Use these flags to specify whether or not Splunk should index a particular Windows event log. All three are set to 1 (on) by default.
- WINEVENTLOGAPPCHECK=1/0
- WINEVENTLOGSECCHECK=1/0
- WINEVENTLOGSYSCHECK=1/0
Use these flags to specify whether or not Splunk should index the Windows registry USER hive. By default these are set to 0 (off).
- REGISTRYCHECK_U=1/0
- REGISTRYCHECK_BASELINE_U=1/0
Use these flags to specify whether or not Splunk should index the Windows registry LocalMachine hive. By default, these are set to 0 (off).
- REGISTRYCHECK_LM=1/0
- REGISTRYCHECK_BASELINE_LM=1/0
Use these flags to specify which WMI performance information to index. These are set to 0 (off) by default.
- WMICHECK_DISK=1/0
- WMICHECK_MEMORY=1/0
- WMICHECK_SPLUNKD=1/0
Use this flag to specify a user Splunk should run as. Supported values are: 1 for the LocalSystem user and 2 for a different user. The default value is 1.
- RBG_LOGON_INFO_USER_CONTEXT=1/2
Use these flags to provide username, password, and group membership information for the user specified in RBG_LOGON_INFO_USER_CONTEXT.
- IS_NET_API_LOGON_USERNAME="<username>"
- IS_NET_API_LOGON_PASSWORD="<pass>"
Use this flag to specify an included Splunk application configuration to enable for this installation of Splunk. Currently supported options for <SplunkApp> are: SplunkLightForwarder, SplunkForwarder, SplunkDesktop. Refer to the documentation about the Splunk forwarder, light forwarder, and desktop configurations for more information. If you specify either the Splunk forwarder or light forwarder here, you must also specify FORWARD_SERVER="<server:port>".
- SPLUNK_APP=<SplunkApp>
Note: By default, Splunk enables the Splunk desktop application configuration when you install on Windows. You can change this by either specifying another application using the SPLUNK_APP flag, or by disabling the SplunkDesktop application after you have completed the installation process. To install Splunk with no applications at all, specify this flag but leave the value empty (SPLUNK_APP="").
Use this flag *only* when you are also using SPLUNK_APP to enable either the Splunk forwarder or light forwarder. Specify the server and port of the Splunk server to which this forwarder will send data.
- FORWARD_SERVER="<server:port>"
Use this flag to specify whether or not Splunk should start up automatically when the installation completes. The default value is 1 (on).
- LAUNCHSPLUNK=0/1
Important: If you are enabling the Splunk forwarder, Splunk will start automatically; this cannot be overridden.
Install Splunk to run as LocalSystem:
msiexec.exe /i Splunk.msi RBG_LOGON_INFO_USER_CONTEXT=1
Install Splunk to run as another user in the system or domain:
Note: If you pick this option, you MUST provide a username and password.
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="splunk" IS_NET_API_LOGON_PASSWORD="splunk123" IS_NET_API_LOGON_GROUP="AD"
Specify the username and the group/domain the user belongs to:
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="AD\splunk" IS_NET_API_LOGON_PASSWORD="splunk123"
Enable SplunkForwarder, disable indexing of the Windows System event log, and run the installer in silent mode:
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" WINEVENTLOGSYSCHECK=0 /quiet
Here "<server:port>" is the server and port of the Splunk server to which this machine should send data.
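The flag rules above can be checked before msiexec runs. The following PowerShell is an added example, not code from Splunk's documentation: the function name New-SplunkMsiArguments, its parameters and the server indexer.example.com:9997 are hypothetical, and the password is prompted for rather than written into a script (it is assumed to contain no double quotes).

```powershell
function New-SplunkMsiArguments {
    param(
        [string]$MsiPath = 'Splunk.msi',
        [ValidateSet('SplunkForwarder', 'SplunkLightForwarder', 'SplunkDesktop')]
        [string]$SplunkApp = 'SplunkDesktop',
        [string]$ForwardServer,
        [pscredential]$RunAs,        # omit to run as LocalSystem
        [hashtable]$Toggles = @{},   # 1/0 flags, e.g. @{ WINEVENTLOGSYSCHECK = 0 }
        [switch]$Quiet
    )
    # Flag names below are the ones listed on this page.
    $known = '^(WINEVENTLOG(APP|SEC|SYS)CHECK|REGISTRYCHECK(_BASELINE)?_(U|LM)|WMICHECK_(DISK|MEMORY|SPLUNKD))$'
    $isForwarder = $SplunkApp -in 'SplunkForwarder', 'SplunkLightForwarder'
    # The page's rule: a forwarder app requires FORWARD_SERVER, and only then.
    if ($isForwarder -and -not $ForwardServer) { throw "SPLUNK_APP=$SplunkApp requires FORWARD_SERVER." }
    if ($ForwardServer -and -not $isForwarder) { throw 'FORWARD_SERVER is only valid with a forwarder app.' }
    if ($ForwardServer -and $ForwardServer -notmatch '^[^\s:"]+:\d{1,5}$') { throw 'FORWARD_SERVER must be server:port.' }
    $msiArgs = @('/i', "`"$MsiPath`"", "SPLUNK_APP=`"$SplunkApp`"")
    if ($isForwarder) { $msiArgs += "FORWARD_SERVER=`"$ForwardServer`"" }
    foreach ($name in $Toggles.Keys) {
        if ($name -notmatch $known) { throw "Unknown flag: $name" }
        if ($Toggles[$name] -notin 0, 1) { throw "$name must be 0 or 1." }
        $msiArgs += "$name=$($Toggles[$name])"
    }
    if ($RunAs) {
        # As in the page's examples, the password still reaches msiexec on its command line.
        $msiArgs += 'RBG_LOGON_INFO_USER_CONTEXT=2',
            "IS_NET_API_LOGON_USERNAME=`"$($RunAs.UserName)`"",
            "IS_NET_API_LOGON_PASSWORD=`"$($RunAs.GetNetworkCredential().Password)`""
    } else {
        $msiArgs += 'RBG_LOGON_INFO_USER_CONTEXT=1'
    }
    if ($Quiet) { $msiArgs += '/quiet' }   # /quiet goes at the end of the string
    return $msiArgs
}

# Constructed usage: the server name and port are placeholders, not values from the page.
$cred = Get-Credential -Message 'Account Splunk should run as (DOMAIN\user)'
$installArgs = New-SplunkMsiArguments -SplunkApp SplunkForwarder `
    -ForwardServer 'indexer.example.com:9997' -RunAs $cred `
    -Toggles @{ WINEVENTLOGSYSCHECK = 0 } -Quiet
$proc = Start-Process msiexec.exe -ArgumentList $installArgs -Wait -PassThru
# 0 = success, 3010 = success with a reboot required
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec exited with code $($proc.ExitCode)" }
```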
Launch Splunk in a Web browser
To access Splunk Web after you start Splunk on your machine, you can either:
- Click the Splunk icon in Start>Programs>Splunk
or
- Open a Web browser and navigate to http://localhost:8000.
Log in using the default credentials: username: admin and password: changeme. Be sure to change the admin password as soon as possible and make a note of what you changed it to.
Now that you're ready to use Splunk, refer to the User Manual and begin with the Splunk Tutorial.
Avoid IE Enhanced Security pop-ups
To avoid IE Enhanced Security pop-ups, add the following URLs to the allowed Intranet group or fully trusted group in IE:
- quickdraw.splunk.com
- the URL of your Splunk instance
Install or upgrade license
If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.
Uninstall Splunk
To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.
You can also use msiexec from the commandline.
This documentation applies to the following versions of Splunk: 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11.