Windows installation

Windows installation

Important: By default, starting with version 3.4 of Splunk, Splunk for Windows is installed with the Splunk Desktop application configuration pre-enabled. You can change this by either specifying another application using the SPLUNK_APP flag when installing via the commandline, or by disabling the SplunkDesktop application after you have completed the installation process.

Note: The Splunk desktop application is not enabled by default if you are upgrading to from an earlier version. It is only enabled by default if you are installing Splunk for the first time.

If you are upgrading Splunk for Windows from version 3.2.x to 3.3.x or later, please review the the Windows migration instructions before proceeding to the upgrade instructions.

You can choose to install Splunk for Windows either via the GUI installer as described in this topic, or via the commandline.

Important: Running the 32-bit version of Splunk for Windows on a 64-bit platform is not recommended. If you can run 64-bit Splunk on 64-bit hardware, we strongly recommend it. The performance is greatly improved over the 32-bit version.

Before you proceed, be sure to review this important information about running Splunk on Windows.

You can also watch this video walkthrough of the Windows installation.

Choosing the user Splunk should run as

When you run the Splunk Windows installer, you are given the option to select a user Splunk will run as.

If you install as the Local System user, Splunk will have access to all or nearly all of your local machines' important information. However, the Local System user has no privileges on other Windows machines by design. If you intend to read Event Logs or performance counters from other machines via WMI, or read network shares for log files, you will need a domain account. That account must be a local Administrator or equivalent, and should have rights to the external data you want to Splunk. Please consult your Windows domain administrator for an account if you are unsure of what credentials to give Splunk.

Minimum permissions required for the two Splunk services:

Required user rights for the splunkd service:

• Full control over Splunk's installation directory
• Read access to any flat-files
• Permission to log on as a service
• Permission to log on as a batch job
• Replace a process-level token
• Permission to act as part of the operating system
• Permission to bypass traverse checking

Required user rights for the splunkweb service:

• Full control over Splunk's installation directory
• Permission to log on as a service

Note: These are the rights that splunkd and splunkweb specifically invoke. Other rights or permissions may be required depending on your usage and what data you want to access. Additionally, many user right assignments and other group policy restrictions can prevent Splunk from running. If you have issues, consider using a tool such as Sysinternals to troubleshoot your environment, or reverting to running the splunkd service as an administrator or equivalent account.

Important: If you must change the user Splunk runs as after you have installed, you must ensure that the user you create has the necessary permissions, and also ensure that that user has Full Control permissions to the %SPLUNK_HOME%\var directory.

Install Splunk via the GUI installer

The Windows installer is an MSI file.

1. To start the installer, double-click the splunk.msi file.

The Welcome panel is displayed.

2. To begin the installation, click Next.

Note: On each panel, you can click Next to continue, Back to go back a step, or Cancel to close the installer.

The licensing panel is displayed.

3. Read the licensing agreement and select "I accept the terms in the license agreement". Click Next to continue installing.

The Customer Information panel is displayed.

4. Enter the requested details and click Next.

The Destination Folder panel is displayed.

Note: Splunk is installed by default into the \Program Files\Splunk.

5. Click Change... to specify a different location to install Splunk, or click Next to accept the default value.

The Logon Information panel is displayed.

Splunk installs and runs two Windows services, splunkd and splunkweb. These services will be installed and run as the user you specify on this panel. You can choose to run Splunk with Local System credentials, or provide a specific account. That account should have local administrator privileges, plus appropriate domain permissions if you are collecting data from other machines.

The user Splunk runs as must have permissions to:

• Run as a service.
• Read whatever files you are configuring it to monitor.
• Collect performance or other WMI data.
• Write to Splunk's directory.

Note: If you install as the Local System user, some network resources may not be available to the Splunk application. Additionally, WMI remote authentication will not work; this user has null credentials and Windows servers normally disallow such connections. Only local data collection with WMI will be available. Contact your systems administrator for advice if you are unsure what user to specify.

6. Select a user type and click Next.

If you specified the local system user, proceed to step 8. Otherwise, the Logon Information: specify a username and password panel is displayed.

7. Specify a username and password to install and run Splunk and click Next.

Note: To use an existing user, you can enter or browse for the username and domain details. Splunk recommends using the Browse... button to ensure that you select a valid user. If you cannot browse for the user because that user doesn't exist in your security context, or you mistype the username, your installation will fail. Splunk cannot start without a valid username and password; browsing confirms the user is correct.

Important: You cannot change the user Splunk runs as or the directory into which Splunk is installed during an upgrade. Also, changing the user Splunk runs as through the Windows Service Control Panel is not supported; Splunk will stop functioning. Make sure you define and select the user account to correctly reflect the access you want Splunk to have.

The Configure Splunk Data Sources panel is displayed.

8. Check or uncheck boxes to tell Splunk what data you want monitored and indexed:

• Select which Windows event logs you want indexed
• Choose which local registry hives to monitor, and whether or not Splunk should establish a baseline snapshot for them when it starts next. Refer to the documentation about Windows registry inputs for information.
• Choose to enable WMI collection of local system data. Refer to the documentation about WMI inputs for more information.

Important: If you choose to enable baseline snapshots of your local registry hives, you may notice this process taking a long time, especially if you have installed Splunk with the default desktop application configuration enabled. The reason for this is that this configuration throttles the process so that it will not overwhelm your system. For more information about baseline snapshots and monitoring the Windows registry, refer to Get a baseline snapshot.

The pre-installation summary panel is displayed.

9. Click Install to proceed.

The installer runs and displays the Installation Complete panel. You may see a number of warnings in a command prompt dialog box; you can safely ignore these.

10. Check the boxes to Start Splunk and Start Splunk Web now. Click Finish.

The installation completes, Splunk starts, and Splunk Web launches in a supported browser.

Note: The first time you access Splunk Web after installation, login with the default username admin and password changeme.

Launch Splunk in a Web browser

To access Splunk Web after you start Splunk on your machine, you can either:

• Click the Splunk icon in Start>Programs>Splunk

or

• Open a Web browser and navigate to http://localhost:8000.

Log in using the default credentials: username: admin and password: changeme . Be sure to change the admin password as soon as possible and make a note of what you changed it to.

Now that you're ready to use Splunk, refer to the User Manual and begin with the Splunk Tutorial.

Change the Splunk Web or splunkd service ports

If you want the Splunk Web service or the splunkd service to use a different port, you can change the defaults.

• To change the splunk web service port:

From the %SPLUNK_HOME%\bin\ directory: splunk set web-port ####

• To change the splunkd port:

From the %SPLUNK_HOME%\bin\ directory: splunk set splunkd-port ####

Avoid IE Enhanced Security pop-ups

To avoid IE Enhanced Security pop-ups, add the following URLs to the allowed Intranet group or fully trusted group in IE:

• quickdraw.splunk.com
• the URL of your Splunk instance

Install or upgrade license

If you are performing a new installation of Splunk or switching from one license type to another, you must update your license.

Uninstall Splunk

To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.

• Was this topic useful?
• Post a comment