Splunk® Enterprise

Installation Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

System requirements

Before you download and install the Splunk software, read the following sections for the supported system requirements. If you have ideas or requests for new features to add to future releases, email Splunk Support. Also, you can follow our Product Roadmap.

Refer to the download page for the latest version to download. Check the release notes for details on known and resolved issues.

For a discussion of hardware planning for deployment, check out the topic on capacity planning in this manual.

Supported OSes

Splunk is supported on the following platforms.

  • Solaris 9, 10 (x86, SPARC)
  • Linux Kernel vers 2.6.x and above (x86: 32 and 64-bit)
  • FreeBSD 6.1 (x86: 32-bit), 6.2, 7.x, 8.x (x86: 32 and 64-bit)
  • Windows Server 2003/2003 R2 (64-bit, supported but not recommended on 32-bit)
  • Windows Server 2008 (64-bit, supported but not recommended on 32-bit)
  • Windows Server 2008 R2 (64-bit)
  • Windows XP (32-bit)
  • Windows Vista (32-bit, 64-bit)
  • Windows 7 (32-bit, 64-bit)
  • MacOSX 10.5 and 10.6 (32-bit and 64-bit in one download. 10.6 is only supported in 32-bit mode.)
  • AIX 5.2, 5.3, and 6.1
  • HP-UX 11iv2 (11.22) and 11iv3 (11.31) (PA-RISC or Itanium, gnu tar is required to unpack the tar.gz archive)

Windows

Certain parts of Splunk on Windows require elevated permissions to function properly. For additional information about what is required, read the following topics:

FreeBSD 7.x

To run Splunk 4.x on 32-bit FreeBSD 7.x, install the compat6x libraries. Splunk Support will supply "best effort" support for users running on FreeBSD 7.x. For more information, refer to this Community wiki topic.

Fedora Core 13

Users of Fedora Core 13 must be sure to update glibc to 2.12-2 or higher (released 2010-06-07) to resolve a glibc memory allocator bug - https://bugzilla.redhat.com/show_bug.cgi?id=594784 The symptom of the glibc-2.12-1 problem are program crashes with the message 'invalid fastbin entry (free)'. This is only expected to affect the 32 bit splunk build, but as it will likely cause crashes in system tools as well, the update is recommended for all Fedora Core 13 splunk users, 32-bit and 64-bit.

Creating and editing configuration files on non-UTF-8 OSes

Splunk expects configuration files to be in ASCII/UTF-8. If you are editing or creating a configuration file on an OS that is non-UTF-8, you must ensure that the editor you are using is configured to save in ASCII/UTF-8.

IPv6 platform support

All Splunk-supported OS platforms are supported for use with IPv6 configurations except for the following:

  • HPUX PA-RISC
  • Solaris 8 and 9
  • AIX

Refer to "Configure Splunk for IPv6" in the Admin Manual for details on Splunk IPv6 support.

Supported browsers

  • Firefox 3.6, 10.x, and latest
  • Internet Explorer 6, 7, 8, and 9. Internet Explorer 8 is supported in IE7 compatibility mode only. Internet Explorer 9 is not supported in compatibility mode.
  • Safari (latest)
  • Chrome (latest)

You should also make sure you have the latest version of Flash installed to render any charts that use options not supported by the JSChart module. For more information about this subject, see "Advanced charting options" in the Developing Dashboards, Views, and Apps for Splunk Web manual.

Recommended hardware

Splunk is a high-performance application. If you are performing a comprehensive evaluation of Splunk for production deployment, we recommend that you use hardware typical of your production environment; this hardware should meet or exceed the recommended hardware capacity specifications below.

For a discussion of hardware planning for production deployment, check out the topic on capacity planning in this manual.

Splunk and virtual machines

Running Splunk in a virtual machine (VM) on any platform will degrade performance. This is because virtualization works by abstracting the hardware on a system into resource pools from which VMs defined on the system can draw from as needed. Splunk needs sustained access to a number of resources, particularly disk resources for indexing operations, which can cause problems when running it in a VM, or alongside other VMs.

Recommended and minimum hardware capacity

Platform Recommended hardware capacity/configuration Minimum supported hardware capacity
Non-Windows platforms 2x quad-core Xeon, 3GHz, 8GB RAM, RAID 1+0 or 0, with a 64 bit OS installed. 1x1.4 GHz CPU, 1 GB RAM
Windows platforms 2x quad-core Xeon, 3GHz, 8GB RAM, RAID 1+0 or 0, with a 64 bit OS installed. Pentium 4 or equivalent at 2Ghz, 2GB RAM

Note: Be certain that your data reliability needs are met by a RAID 0 configuration before deploying a Splunk indexer on RAID 0.

  • All configurations other than universal and light forwarder instances require at least the recommended hardware configuration.
  • The minimum supported hardware guidelines are designed for personal use of Splunk.

Important: For all installations, including forwarders, a minimum of 2GB hard disk space for your Splunk installation is required in addition to the space required for your indexes, if any. Refer to this topic on estimating your index size requirements in this manual for some planning information.

Hardware requirements for universal and light forwarders

Recommended Dual Core 1.5Ghz+ processor, 1GB+ RAM
Minimum 1.0 Ghz processor, 512MB RAM

Supported file systems

Platform File systems
Linux ext2/3/4, reiser3, XFS, NFS 3/4
Solaris UFS, ZFS, VXFS, NFS 3/4
FreeBSD FFS, UFS, NFS 3/4
Mac OS X HFS, NFS 3/4
AIX JFS, JFS2, NFS 3/4
HP-UX VXFS, NFS 3/4
Windows NTFS, FAT32

Note: If you run Splunk on a filesystem that is not listed above, Splunk may run a startup utility named locktest to test the viability of a filesystem for running Splunk. Locktest is a program that tests the start up process. If locktest runs and fails, the filesystem is not suitable for running Splunk.

Considerations regarding File Descriptors (FDs)

Splunk will allocate file descriptors for actively monitored files, forwarder connections, deployment clients, users running searches, and so on. Usually, the default ulimit on an OS is 1024. Your Splunk administrator should determine the correct level, but it should be at least 8192 or more. Even if Splunk allocates just a single file descriptor for each of the activities above, it’s easy to see how a few hundred files being monitored, a few hundred forwarders sending data, a handful of very active users on top of reading/writing to/from the datastore can easily exhaust the default setting.

The more tasks your Splunk instance is doing, the more FDs it will need, so you should increase the ulimit value if you start to see your instance run into problems with low FD limits.

Considerations regarding NFS

NFS is usually a poor choice for Splunk indexing activity, for reasons of performance, resilience, and semantics. In environments with very high bandwidth, very low latency links, that are kept highly reliable, it can be an appropriate choice. Typically, this is a SAN (Storage Area Network) accessed via the NFS protocol, an unusual choice for SANs but sometimes done.

"Soft" NFS mounts are not supported. Only "hard" NFS mounts can be reliable with Splunk.

Attribute caching should not be disabled. If you have other applications which require disabling or reducing attribute caching, a seperate mount with attribute caching enabled should be provided to Splunk.

Note: On FreeBSD, mounting as nullfs is not supported.

Considerations regarding solid state drives

Solid state drives (SSDs) gain most of their performance through read operations. Splunk relies on fast disk write performance in order to index data with low latency. SSDs do not provide a significant write-speed advantage in Splunk over fast conventional hard drives.

Supported server hardware architectures

32 and 64-bit architectures are supported for some platforms. See the download page page for details.

Unix/Linux file system permissions

The user Splunk runs as should have full permission to $SPLUNK_HOME and $SPLUNK_DB directories. Avoid changing the default umask for the user running Splunk. This can result in permission issues.

PREVIOUS
What's in the Installation Manual
  NEXT
Components of a Splunk deployment

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters