Install on Windows

Install on Windows

This topic describes the procedure for installing on Windows using the GUI installer. More options are available for installation (such as silent installation) if you use the commandline installation.

Note: The Windows App was enabled by default in its app.conf file in versions 4.0-4.0.2. Starting in version 4.0.3, it is disabled in this file by default. Read on for important details:

• If you're upgrading from 4.0-4.0.2 to 4.0.3 or later, the Windows App will be disabled, even if it was enabled in the version you're upgrading from.
• If you're doing a fresh installation of 4.0.3 or later, the Windows App is enabled by default via the MSI and if you want to install it in a disabled state, you must specify this using the SPLUNK_APP msiexec command as described in "Install on Windows via the commandline".

Important: Running the 32-bit version of Splunk for Windows on a 64-bit platform is not recommended. If you can run 64-bit Splunk on 64-bit hardware, we strongly recommend it. The performance is greatly improved over the 32-bit version.

Choosing the user Splunk should run as

When you run the Splunk Windows installer, you are given the option to select a user Splunk will run as.

If you install as the Local System user, Splunk will have access to all or nearly all of the important information on your local machine. However, the Local System user has no privileges on other Windows machines by design.

If you intend to do any of the following things, you must give Splunk a Domain account:

• read Event Logs remotely
• collect performance counters remotely
• read network shares for log files
• enumerate the Active Directory schema using Active Directory monitoring

The Domain account you use must also be a local Administrator or equivalent. Please ask your Windows Domain administrator for an account if you are unsure of what username to run Splunk under.

Minimum local permissions required for the two Splunk services:

Required user rights for the splunkd service:

• Full control over Splunk's installation directory
• Read access to any flat-files
• Permission to log on as a service
• Permission to log on as a batch job
• Replace a process-level token
• Permission to act as part of the operating system
• Permission to bypass traverse checking

Required user rights for the splunkweb service:

• Full control over Splunk's installation directory
• Permission to log on as a service

Note: These are the rights that splunkd and splunkweb specifically invoke. Other rights or permissions may be required depending on your usage and what data you want to access. Additionally, many user right assignments and other group policy restrictions can prevent Splunk from running. If you have issues, consider using a tool such as Sysinternals to troubleshoot your environment, or reverting to running the splunkd service as an administrator or equivalent account.

Important: If you change the user Splunk runs as after you have installed, you must ensure that the user you create has the necessary permissions, and also ensure that that user has Full Control permissions to the $SPLUNK_HOME/var directory.

If you accidentally specify the wrong user the first time you install

If you specified the wrong user during the installation procedure, you'll see two popup error dialogs telling you this. Complete the installation and then use these instructions to switch to the correct user. You must not start Splunk before doing this.

Install Splunk via the GUI installer

The Windows installer is an MSI file.

1. To start the installer, double-click the splunk.msi file.

The Welcome panel is displayed.

2. To begin the installation, click Next.

Note: On each panel, you can click Next to continue, Back to go back a step, or Cancel to close the installer.

The licensing panel is displayed.

3. Read the licensing agreement and select "I accept the terms in the license agreement". Click Next to continue installing.

The Customer Information panel is displayed.

4. Enter the requested details and click Next.

The Destination Folder panel is displayed.

Note: Splunk is installed by default into the \Program Files\Splunk.

5. Click Change... to specify a different location to install Splunk, or click Next to accept the default value.

The Logon Information panel is displayed.

Splunk installs and runs two Windows services, splunkd and splunkweb. These services will be installed and run as the user you specify on this panel. You can choose to run Splunk with Local System credentials, or provide a specific account. That account should have local administrator privileges, plus appropriate domain permissions if you are collecting data from other machines.

The user Splunk runs as must have permissions to:

• Run as a service.
• Read whatever files you are configuring it to monitor.
• Collect performance or other WMI data.
• Write to Splunk's directory.

Note: If you install as the Local System user, some network resources may not be available to the Splunk application. Additionally, WMI remote authentication will not work; this user has null credentials and Windows servers normally disallow such connections. Only local data collection with WMI will be available. Contact your systems administrator for advice if you are unsure what user to specify.

6. Select a user type and click Next.

Important: When migrating or upgrading, you must re-specify the user you want Splunk to run as--this information is not automatically maintained from release to release.

If you specified the local system user, proceed to step 8. Otherwise, the Logon Information: specify a username and password panel is displayed.

7. Specify a username and password to install and run Splunk and click Next.

Note: To use an existing user, you can enter or browse for the username and domain details. Splunk recommends using the Browse... button to ensure that you select a valid user. If you cannot browse for the user because that user doesn't exist in your security context, or you mistype the username, your installation will fail. Splunk cannot start without a valid username and password; browsing confirms the user is correct.

The pre-installation summary panel is displayed.

8. Click Install to proceed.

The installer runs and displays the Installation Complete panel.

Caution: If you specified the wrong user during the installation procedure, you will see two popup error windows explaining this. If this occurs, Splunk installs itself as the local system user by default. Splunk will not start automatically in this situation. You can proceed through the final panel of the installation, leaving all boxes checked. Then, use these instructions to switch to the correct user before starting Splunk.

9. Check the boxes to Start Splunk and Start Splunk Web now. Click Finish.

The installation completes, Splunk starts, and Splunk Web launches in a supported browser.

Note: The first time you access Splunk Web after installation, login with the default username admin and password changeme.

Launch Splunk in a Web browser

To access Splunk Web after you start Splunk on your machine, you can either:

• Click the Splunk icon in Start>Programs>Splunk

or

• Open a Web browser and navigate to http://localhost:8000.

Log in using the default credentials: username: admin and password: changeme . Be sure to change the admin password as soon as possible and make a note of what you changed it to.

Now that you've installed Splunk, what comes next?

Change the Splunk Web or splunkd service ports

If you want the Splunk Web service or the splunkd service to use a different port, you can change the defaults.

• To change the splunk web service port:

From the $SPLUNK_HOME/bin/ directory: splunk set web-port ####

• To change the splunkd port:

From the $SPLUNK_HOME/bin/ directory: splunk set splunkd-port ####

Note: If you specify a port and that port is not available, or if the default port is unavailable, Splunk will automatically select the next available port.

Avoid IE Enhanced Security pop-ups

To avoid IE Enhanced Security pop-ups, add the following URLs to the allowed Intranet group or fully trusted group in IE:

• quickdraw.splunk.com
• the URL of your Splunk instance

Install or upgrade license

If you are performing a new installation of Splunk or switching from one license type to another, you must install or update your license.

Uninstall Splunk

To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.

What's next?

Review this topic about considerations for deciding how to monitor Windows data in the Admin Manual.

• Was this topic useful?
• Post a comment