Admin Manual

 


Change default values

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013.

This documentation does not apply to the most recent version of Splunk.

Before you begin configuring Splunk for your environment, check through the following default settings to see if there's anything you'd like to change.

Changing the admin default password

Splunk with an Enterprise license has a default administration account and password, admin/changeme. Splunk strongly recommends that you change the default. You can do this through the Splunk CLI or Splunk Web.

Use Splunk Web

To change the admin default password:

1. Log into Splunk Web as the admin user.

2. Click Manager in the top-right of the interface.

3. Click Access controls in the Users and Authentication section of the screen.

4. Click Users.

5. Click the admin user.

6. Update the password, and click Save.

Use Splunk CLI

The Splunk CLI command is:

splunk edit user

Note: You must authenticate with the existing password before it can be changed. Log into Splunk via the CLI or use the -auth parameter. For example, this command changes the admin password from changeme to foo:

splunk edit user admin -password foo -role admin -auth admin:changeme

Note: Passwords with special characters that would be interpreted by the shell (for example '$' or '!') must be either escaped or single-quoted. For example:

splunk edit user admin -password 'fflanda$' -role admin -auth admin:changeme

or

splunk edit user admin -password fflanda\$ -role admin -auth admin:changeme
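
The quoting note above, as an added example that is not part of the Splunk documentation: it shows which value a command actually receives as its -password argument under each quoting style. received_password is a hypothetical stand-in for the splunk binary, x9 is assumed to be an unset variable name, and the sample passwords are constructed.

```shell
#!/bin/sh
# Added example: what the shell hands to a command as -password.
# Whatever the quoting, the value is a command-line argument, so it is
# visible in shell history and in the process list while the command runs.

# Hypothetical stand-in for "splunk edit user": prints the value that
# follows -password. It never calls Splunk.
received_password() {
    while [ "$#" -gt 0 ]; do
        if [ "$1" = "-password" ]; then
            printf '%s' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Wrap any string in single quotes so it can be pasted into a command line.
# An embedded single quote becomes '\'' (close quote, escaped quote, reopen).
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Double quotes: $x9 is expanded as an (unset) variable, so the password
# that would be stored is silently shortened to "fflanda".
demo_double_quoted() {
    unset x9
    received_password edit user admin -password "fflanda$x9" -role admin
}

# Single quotes, as the note recommends: the value arrives intact.
demo_single_quoted() {
    received_password edit user admin -password 'fflanda$x9' -role admin
}

# Generated quoting survives a trip through the shell parser, even when
# the value itself contains a single quote.
demo_roundtrip() {
    eval "received_password edit user admin -password $(sh_quote "$1")"
}

printf 'double-quoted: %s\n' "$(demo_double_quoted)"
printf 'single-quoted: %s\n' "$(demo_single_quoted)"
```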

Change network ports

Splunk configures two ports at installation time:

  • The HTTP/HTTPS port. This port provides the socket for Splunk Web. It defaults to 8000.
  • The management port. This port is used to communicate with the splunkd daemon. Splunk Web talks to splunkd on this port, as does the command line interface and any distributed connections from other servers. This port defaults to 8089.

Important: During installation, you might have set these ports to values other than the defaults.

Note: Splunk instances receiving data from forwarders must be configured with an additional port, the receiver port. They use this port to listen for incoming data from forwarders. This configuration does not occur during installation. The default receiver port is 9997. For more information, see "Enable a receiver" in the Distributed Deployment Manual.

Use Splunk Web

To change the ports from their installation settings:

1. Log into Splunk Web as the admin user.

2. Click Manager in the top-right of the interface.

3. Click the System settings link in the System section of the screen.

4. Click General settings.

5. Change the value for either Management port or Web port, and click Save.

Use Splunk CLI

To change the port settings via the Splunk CLI, use the CLI command set. For example, this command sets the Splunk Web port to 9000:

splunk set web-port 9000

This command sets the splunkd port to 9089:

splunk set splunkd-port 9089
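
One way to confirm on the Splunk host that a port change took effect, as an added example that is not part of the Splunk documentation: it reads `ss -ltn` style output and reports which of the default ports named above (8000, 8089, 9997) still have a listener. The sample output is constructed and shows a host where only the Splunk Web port was moved to 9000; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check listening TCP ports against Splunk's defaults.

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:9000        0.0.0.0:*
LISTEN  0       128     0.0.0.0:8089        0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       128     [::]:9997           [::]:*
EOF
}

# Print "port role" for each Splunk default port that has a listener.
# Reads `ss -ltn` style text on stdin; column 4 is Local Address:Port.
splunk_default_listeners() {
    awk '
        BEGIN { role[8000] = "web"; role[8089] = "management"; role[9997] = "receiver" }
        $1 == "LISTEN" {
            n = split($4, part, ":")   # port is the text after the last colon
            port = part[n]
            if (port in role && !seen[port]++) print port, role[port]
        }
    ' | sort -n
}

# Succeeds if something listens on TCP port $1 in the text on stdin.
port_is_listening() {
    awk -v want="$1" '
        $1 == "LISTEN" { n = split($4, p, ":"); if (p[n] == want) found = 1 }
        END { exit !found }
    '
}

# On a live host, replace sample_ss_output with: ss -ltn
sample_ss_output | splunk_default_listeners
```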

Change the default Splunk server name

The Splunk server name setting controls both the name displayed within Splunk Web and the name sent to other Splunk Servers in a distributed setting.

The default name is taken from either the DNS or IP address of the Splunk Server host.

Use Splunk Web

To change the Splunk server name:

1. Log into Splunk Web as the admin user.

2. Click Manager in the top-right of the interface.

3. Click the System settings link in the System section of the screen.

4. Click General settings.

5. Change the value for Splunk server name, and click Save.

Use Splunk CLI

To change the server name via the CLI, use the set servername command. For example, this command sets the server name to foo:

splunk set servername foo

Changing the datastore location

The datastore is the top-level directory where the Splunk Server stores all indexed data.

Note: If you change this directory, the server does not migrate old datastore files. Instead, it starts over again at the new location.

To migrate your data to another directory, follow the instructions in "Move an index".

Use Splunk Web

To change the datastore location:

1. Log into Splunk Web as the admin user.

2. Click Manager in the top-right of the interface.

3. Click the System settings link in the System section of the screen.

4. Click General settings.

5. Change the path in Path to indexes, and click Save.

6. Use the CLI to restart Splunk. Navigate to $SPLUNK_HOME/bin/ (*nix) or %SPLUNK_HOME%\bin (Windows) and run this command:

splunk restart

Important: Do not use the restart function inside Manager. This will not have the intended effect of causing the index directory to change. You must restart from the CLI.

Use Splunk CLI

To change the datastore directory via the CLI, use the set datastore-dir command. For example, this command sets the datastore directory to /var/splunk/:

splunk set datastore-dir /var/splunk/

Set minimum free disk space

The minimum free disk space setting controls how low disk space in the datastore location can fall before Splunk stops indexing.

Splunk resumes indexing when more space becomes available.

Use Splunk Web

To set minimum free disk space:

1. Log into Splunk Web as the admin user.

2. Click Manager in the top-right of the interface.

3. Click the System settings link in the System section of the screen.

4. Click General settings.

5. Change the value for Pause indexing if free disk space falls below, and click Save.

Use Splunk CLI

To change the minimum free space value via the CLI, use the set minfreemb command. For example, this command sets the minimum free space to 2000 MB:

splunk set minfreemb 2000

Other default settings

The Splunk Web Manager General Settings screen has a few other default settings that you might want to change. Explore it to see the range of options.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

