Install on Windows via the commandline
Contents
- Choosing the user Splunk should run as
- How to use the MSI on the commandline
- Supported flags
- Silent installation
- Examples
  - Install Splunk to run as the Local System user
  - Specify the username and the domain the user belongs to
  - Enable SplunkForwarder, disable indexing of the Windows System event log, and run the installer in silent mode
- Launch Splunk in a Web browser
- Avoid IE Enhanced Security pop-ups
- Install or upgrade license
- Uninstall Splunk
- What's next?
This topic describes the procedures for installing Splunk on Windows using the commandline.
Note: You can only run one Splunk instance per Windows host.
Important: Running the 32-bit version of Splunk for Windows on a 64-bit platform is not recommended. If you can run 64-bit Splunk on 64-bit hardware, we strongly recommend it. The performance is greatly improved over the 32-bit version.
Note: The Windows App was enabled by default in its app.conf file in versions 4.0-4.0.2. Starting in version 4.0.3, it is disabled in this file by default. Read on for important details:
- If you're upgrading from 4.0-4.0.2 to 4.0.3 or later, the Windows App will be disabled, even if it was enabled in the version you're upgrading from.
- If you're doing a fresh installation of 4.0.3 or later, the Windows App is enabled by default, unless you explicitly enable a different app such as SplunkLightForwarder via the MSI. However, you can enable the forwarder apps and enable Windows Event Log explicitly. If you want to install it in a disabled state, you must specify this using the SPLUNK_APP msiexec command as described later in this topic.
Choosing the user Splunk should run as
When you run the Splunk Windows installer, you are given the option to select a user Splunk will run as.
If you install as the Local System user, Splunk will have access to all or nearly all of the important information on your local machine. However, the Local System user has no privileges on other Windows machines by design. If you intend to read Event Logs or performance counters from other machines via WMI, or read network shares for log files, you will need a domain account. That account must be a local Administrator or equivalent, and should have rights to the external data you want to Splunk. Please ask your Windows domain administrator for an account if you are unsure of what credentials to give Splunk.
Minimum permissions required for the two Splunk services:
Required user rights for the splunkd service:
- Full control over Splunk's installation directory
- Read access to any flat-files
- Permission to log on as a service
- Permission to log on as a batch job
- Replace a process-level token
- Permission to act as part of the operating system
- Permission to bypass traverse checking
Required user rights for the splunkweb service:
- Full control over Splunk's installation directory
- Permission to log on as a service
Important: If you must change the user Splunk runs as after you have installed, you must ensure that the user you create has the necessary permissions, and also that the user has Full Control permissions to the $SPLUNK_HOME/var directory.
If you specified the wrong user during your installation, Splunk will not start. When this occurs, Splunk has installed itself as the Local System user by default. Follow the instructions for changing the user Splunk runs as to switch to the correct user before starting Splunk.
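As an added example (not part of the Splunk documentation), the following PowerShell script checks whether a service account holds the five user rights listed above for the splunkd service and has Full Control on the installation directory, before you hand that account to the installer. The account name and install path are placeholders.

```powershell
# Added example: pre-flight check of the splunkd user rights listed above.
# Assumes an elevated prompt (secedit needs it); $Account and $InstallDir
# are placeholders to replace with your own values.
param(
    [string]$Account    = 'AD\splunk',
    [string]$InstallDir = 'C:\Program Files\Splunk'
)
# The rights named on this page, mapped to their Windows privilege constants.
$required = @{
    'Log on as a service'                 = 'SeServiceLogonRight'
    'Log on as a batch job'               = 'SeBatchLogonRight'
    'Replace a process-level token'       = 'SeAssignPrimaryTokenPrivilege'
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Bypass traverse checking'            = 'SeChangeNotifyPrivilege'
}

# Resolve the account to its SID; secedit lists grantees as *SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the local security policy and read its [Privilege Rights] lines.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

$missing = @()
foreach ($name in $required.Keys) {
    $line = $policy | Where-Object { $_ -match ('^' + $required[$name] + '\s*=') }
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    if ($holders -notcontains $sid -and $holders -notcontains $Account) { $missing += $name }
}

# Full Control on the installation directory, granted directly to the account.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$grant = (Get-Acl $InstallDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $fullControl) -eq $fullControl)
}
if (-not $grant) { $missing += "Full control over $InstallDir" }
# Caveat: rights held only through group membership (e.g. local Administrators)
# are not resolved here; only grants made directly to the account are checked.
if ($missing) { Write-Warning ("$Account is missing: " + ($missing -join '; ')) }
else { Write-Output "$Account holds every right this page lists for splunkd." }
```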
How to use the MSI on the commandline
You can install Splunk for Windows using the MSI on the commandline by typing the following:
msiexec.exe /i Splunk.msi
This section lists the available flags and provides a few examples of using them in various configurations.
You can specify
- which Windows event logs to index
- which Windows registry hive to monitor
- which WMI information to pull
- the user Splunk runs as (be sure the user you specify has the appropriate permissions to access the content you want Splunk to index)
- an included application configuration for Splunk to enable (such as the Splunk light forwarder)
- whether or not Splunk should start up automatically when the installation is completed
Note: The first time you access Splunk Web after installation, log in with the default username admin and password changeme.
Supported flags
The following is a list of the flags you can use when installing Splunk for Windows via the commandline.
Use this flag to specify the directory to install to. The default is c:\program files\splunk.
- INSTALLDIR=<directory_path>
Use these flags to specify alternate ports for splunkd and splunkweb to use.
- SPLUNKD_PORT=<port number>
- WEB_PORT=<port number>
Note: If you specify a port and that port is not available, Splunk will automatically select the next available port.
Use these flags to specify whether or not Splunk should index a particular Windows event log.
- WINEVENTLOGAPPCHECK=1/0, off by default
- WINEVENTLOGSECCHECK=1/0, off by default
- WINEVENTLOGSYSCHECK=1/0, off by default
- WINEVENTLOGFWDCHECK=1/0, off by default
- WINEVENTLOGSETCHECK=1/0, off by default
Use these flags to specify whether or not Splunk should index the Windows registry USER hive. By default these are set to 0 (off).
- REGISTRYCHECK_U=1/0
- REGISTRYCHECK_BASELINE_U=1/0
Use these flags to specify whether or not Splunk should index the Windows registry LocalMachine hive. By default, these are set to 0 (off).
- REGISTRYCHECK_LM=1/0
- REGISTRYCHECK_BASELINE_LM=1/0
Use these flags to specify which WMI performance information to index. These are set to 0 (off) by default.
- WMICHECK_CPUTIME=1/0
- WMICHECK_LOCALDISK=1/0
- WMICHECK_FREEDISK=1/0
- WMICHECK_MEMORY=1/0
Use this flag to specify a user Splunk should run as. Supported values are: 1 for the LocalSystem user and 2 for a different user. The default value is 1.
- RBG_LOGON_INFO_USER_CONTEXT=1/2
Use these flags to provide domain/username and password information for the user specified in RBG_LOGON_INFO_USER_CONTEXT. You must specify the domain with the username in the format "domain\username".
- IS_NET_API_LOGON_USERNAME="<domain\username>"
- IS_NET_API_LOGON_PASSWORD="<pass>"
Use this flag to specify an included Splunk application configuration to enable for this installation of Splunk. Currently supported options for <SplunkApp> are: SplunkLightForwarder, SplunkForwarder.
Refer to the documentation about the Splunk forwarder and light forwarder configurations for more information about the forwarders. If you specify either the Splunk forwarder or light forwarder here, you must also specify FORWARD_SERVER="<server:port>".
- SPLUNK_APP=<SplunkApp>
To install Splunk with no applications at all, specify this flag but leave the value empty ( SPLUNK_APP="" ).
Use this flag *only* when you are also using SPLUNK_APP to enable either the Splunk forwarder or light forwarder. Specify the server and port of the Splunk server to which this forwarder will send data.
- FORWARD_SERVER="<server:port>"
Use this flag to specify whether or not Splunk should be configured to start up automatically on system boot. The default value is 1 (on).
- LAUNCHSPLUNK=0/1
Important: If you are enabling the Splunk forwarder, Splunk will start automatically; this cannot be overridden.
Silent installation
To run the installation silently, add /quiet to the end of your installation command string. If UAC is enabled on your system (it is on by default on some Windows versions), you must run the installation as Administrator. To do this, right-click the cmd prompt shortcut and select "Run As Administrator", then use that cmd window to run the silent install command.
Examples
The following are some examples of using different flags.
Install Splunk to run as the Local System user
msiexec.exe /i Splunk.msi RBG_LOGON_INFO_USER_CONTEXT=1
Specify the username and the domain the user belongs to
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="AD\splunk" IS_NET_API_LOGON_PASSWORD="splunk123"
Enable SplunkForwarder, disable indexing of the Windows System event log, and run the installer in silent mode
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" WINEVENTLOGSYSCHECK=0 /quiet
Where "<server:port>" is the server and port of the Splunk server to which this machine should send data.
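The following PowerShell script is an added example, not part of the Splunk documentation: it assembles the msiexec command line from the flags documented above, enforces the two constraints this topic states (a forwarder app needs FORWARD_SERVER, and the account must be given as domain\username), and runs a silent install with a verbose log. The MSI path and the forwarder target idx.example.com:9997 are placeholders.

```powershell
# Added example: build the msiexec command line from the flags documented
# above, enforce the documented constraints, and run a logged silent install.
# Assumes Splunk.msi is in the current directory and an elevated prompt;
# the forwarder target "idx.example.com:9997" is a placeholder.
param(
    [string]$Msi           = '.\Splunk.msi',
    [string]$InstallDir    = 'C:\Program Files\Splunk',
    [string]$SplunkApp     = 'SplunkForwarder',
    [string]$ForwardServer = 'idx.example.com:9997',
    [string]$LogPath       = (Join-Path $env:TEMP 'splunk-install.log')
)

$forwarderApps = 'SplunkForwarder', 'SplunkLightForwarder'
# FORWARD_SERVER is required whenever SPLUNK_APP enables a forwarder.
if (($SplunkApp -in $forwarderApps) -and -not $ForwardServer) {
    throw "FORWARD_SERVER is required when SPLUNK_APP is $SplunkApp"
}

# Prompt for the service account rather than typing the password into the
# shell, where it would be kept in command history. The MSI still receives it
# as a property on the msiexec command line; that is the only way it accepts it.
$cred = Get-Credential -Message 'Account splunkd should run as (domain\username)'
if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$') {
    throw "IS_NET_API_LOGON_USERNAME must be domain\username, got '$($cred.UserName)'"
}
$password = $cred.GetNetworkCredential().Password

$properties = @(
    "INSTALLDIR=`"$InstallDir`""
    "SPLUNK_APP=`"$SplunkApp`""
    "FORWARD_SERVER=`"$ForwardServer`""
    'RBG_LOGON_INFO_USER_CONTEXT=2'
    "IS_NET_API_LOGON_USERNAME=`"$($cred.UserName)`""
    "IS_NET_API_LOGON_PASSWORD=`"$password`""
    'WINEVENTLOGSECCHECK=1'   # index the Security event log
    'WINEVENTLOGSYSCHECK=1'   # index the System event log
)
# /quiet for a silent install, /l*v for a verbose log to read if anything fails.
# Verbose MSI logs can record property values, including the password; delete the log once reviewed.
$msiArgs = @('/i', "`"$Msi`"") + $properties + @('/quiet', '/l*v', "`"$LogPath`"")

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# msiexec returns 0 on success and 3010 when it succeeded but needs a reboot.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($proc.ExitCode); see $LogPath"
}
Write-Output "Splunk installed; log written to $LogPath"
```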
Launch Splunk in a Web browser
To access Splunk Web after you start Splunk on your machine, you can either:
- Click the Splunk icon in Start > Programs > Splunk, or
- Open a Web browser and navigate to http://localhost:8000.
Log in using the default credentials: username admin and password changeme. Be sure to change the admin password as soon as possible and make a note of what you changed it to.
Avoid IE Enhanced Security pop-ups
To avoid IE Enhanced Security pop-ups, add the following URLs to the allowed Intranet group or fully trusted group in IE:
- quickdraw.splunk.com
- the URL of your Splunk instance
Install or upgrade license
If you are performing a new installation of Splunk or switching from one license type to another, you must install or update your license.
Uninstall Splunk
To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.
You can also use msiexec from the commandline.
What's next?
Review this topic about considerations for deciding how to monitor Windows data in the Admin Manual.
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4.