Before you install
This documentation does not apply to the most recent version of Splunk.
Before installing Splunk on your system:
- Read the system requirements.
- Check the release notes for details on known and resolved issues.
- Refer to the download page for the latest version to download.
- If you are upgrading, review the upgrade documentation later in this manual and check the migration documentation for any migration considerations before proceeding.
Some platform-specific installers come in both a package form and a tarball. Follow the instructions for your specific package or tarball.
Note: If you have a system maintenance process that periodically compresses files on your filesystem, you must disable this for your Splunk installation and index directories. There are many static files that are required for normal operation and must not be compressed.
Installing as root
Splunk must run as root or as a member of the splunk group. When installing from any package type other than a tarball, you must install as root. When you install Splunk with root privileges, it creates the user splunk and group splunk (if they do not already exist). If you do not install Splunk with root privileges, it won't attempt to create users or groups.
Splunk can run as any user on the local system. However, the user Splunk runs as must have access rights to read all the data inputs you define. Keep in mind that some files and directories may be in privileged locations and therefore will not be indexed if you don't have the correct ownership settings.
Running Splunk on Windows
To install Splunk, you must have local administrator privileges in order to bind the ports required for splunkd-to-splunkweb communication. During the install process, you will have the option to select the account that splunkd and splunkweb will run as.
Splunk strongly recommends that you run Splunk as the local system account if you do not need to collect data from other machines.
If you would like to collect data from additional machines remotely (for example, WMI polling of event logs, or collection of IIS logs through a file share), you must install Splunk using a domain service account that you create. This account needs administrator-like permissions on the local machine, and sufficient privileges on the target machines to collect your desired data. For more information on setting WMI polling permissions, refer to the WMI documentation.
You can run Splunk as another account besides local system or the local administrator. However, you must grant the following rights to the service account:
- Full control over Splunk's installation directory
- Read access to any flat-file directory (to read whatever files you are configuring it to monitor)
- Permission to log on as a service
- Permission to log on as a batch job
- Permission to replace a process-level token
- Permission to act as part of the operating system
- Permission to bypass traverse checking
You must allow this account additional, specific permissions if you want to collect the registry or event logs.
Splunk Web's service does not require as many permissions as splunkd to function, and can be safely reduced to:
- Full control over Splunk's install directory
- Log on as a service
Note: When installing Splunk using a domain account, you must enable NetBIOS to validate the account authentication.
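To check a host against the two rights lists above, the following added example (not part of the original Splunk documentation) parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file and reports which listed rights the splunkd account lacks and which rights are assigned directly to either service account beyond its list. The SIDs and sample export are constructed, the function names are hypothetical, and the directory permissions in the lists are not covered because they are file-system ACLs rather than user rights.

```python
# Added example: audit a `secedit /export /areas USER_RIGHTS` file against the page's lists.
# Rights the page lists for the splunkd account, as Windows privilege constants.
SPLUNKD_RIGHTS = {
    "SeServiceLogonRight",            # log on as a service
    "SeBatchLogonRight",              # log on as a batch job
    "SeAssignPrimaryTokenPrivilege",  # replace a process-level token
    "SeTcbPrivilege",                 # act as part of the operating system
    "SeChangeNotifyPrivilege",        # bypass traverse checking
}
SPLUNKWEB_RIGHTS = {"SeServiceLogonRight"}  # the reduced set for Splunk Web

def parse_privilege_rights(inf_text):
    """Return {privilege: set of holders} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip().lstrip("*").lower()
                                    for h in holders.split(",") if h.strip()}
    return rights

def audit(rights, account, groups, required):
    """Return (missing, extra): required rights held neither directly nor via
    a group, and rights assigned directly to the account beyond the required set."""
    account = account.lower()
    members = {account} | {g.lower() for g in groups}
    direct = {p for p, holders in rights.items() if account in holders}
    held = {p for p, holders in rights.items() if holders & members}
    return sorted(required - held), sorted(direct - required)

# Constructed sample: hypothetical domain SID; RID 1105 = splunkd account, 1106 = Splunk Web account.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SPLUNKD, SPLUNKWEB, EVERYONE = DOM + "-1105", DOM + "-1106", "S-1-1-0"
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *{SPLUNKD},*{SPLUNKWEB}
SeBatchLogonRight = *S-1-5-32-544,*{SPLUNKD}
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeTcbPrivilege = *{SPLUNKD}
SeChangeNotifyPrivilege = *{EVERYONE},*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*{SPLUNKWEB}
[Version]
signature="$CHICAGO$"
Revision=1
"""
```

Pass the account's group SIDs in `groups` so that rights inherited through a group (here, bypass traverse checking via Everyone) are not reported as missing. When reading a real export, open the file as UTF-16, which is how secedit normally writes it.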
Disabling update checker
Splunk Web is configured to check for new versions of itself. If you are running Splunk on a LAN that is not connected to the rest of the Web, you will want to disable this feature.
What ports Splunk uses
Splunk uses two network ports by default; ports 8000 (Splunk Web) and 8089 (management port) are opened initially. You can also enable SSL for Splunk Web after you install.
What gets installed
For a complete list of files that Splunk installs, refer to the file manifest for your platform, located in $SPLUNK_HOME, at the same level as the /etc directory.
Advanced installation topics
Before you start Splunk for the first time, review the topics under Advanced Installation. The topics include configuring Splunk to start at boot time, bind to an IP, and run as a non-root user.
This documentation applies to the following versions of Splunk: 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14