Splunk® Enterprise

Installation Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Start Splunk Enterprise for the first time

Before you begin using your new Splunk Enterprise upgrade or installation, take a few moments to make sure that the software and your data are secure. For more information, see Hardening Standards in the Securing Splunk Enterprise manual.

On Windows

You can start Splunk Enterprise on Windows using either the command line, or the Services control panel. Using the command line offers more options.

From a command prompt or PowerShell window, run the following commands:

cd <Splunk Enterprise installation directory>\bin
splunk start

(For Windows users: in subsequent examples and information, replace $SPLUNK_HOME with C:\Program Files\Splunk if you have installed Splunk in the default location. You can also add %SPLUNK_HOME% as a system-wide environment variable by using the Advanced tab in the System Properties dialog box.)

On UNIX

Use the Splunk Enterprise command-line interface (CLI):

cd <Splunk Enterprise installation directory>/bin
./splunk start

Splunk Enterprise then displays the license agreement and prompts you to accept before the startup sequence continues.

You can optionally set the SPLUNK_HOME environment variable to the Splunk Enterprise installation directory so that you can start the software as follows:

export SPLUNK_HOME=<Splunk Enterprise installation directory>
cd $SPLUNK_HOME/bin
./splunk start

Setting the environment variable lets you refer to the installation directory later without having to remember its exact location.

On Mac OS X

Start Splunk Enterprise from the Finder

  1. Double-click the Splunk icon on the Desktop to launch the helper application, entitled "Splunk's Little Helper".
  2. Click OK to allow Splunk to initialize and set up the trial license.
  3. (Optional) Click Start and Show Splunk to start Splunk Enterprise and direct your web browser to open a page to Splunk Web.
  4. (Optional) Click Only Start Splunk to start Splunk Enterprise, but not open Splunk Web in a browser.
  5. (Optional) Click Cancel to quit the helper application. This does not affect the Splunk Enterprise instance itself, only the helper application.

After you make your choice, the helper application performs the requested application and terminates. You can run the helper application again to either show Splunk Web or stop Splunk Enterprise.

The helper application can also be used to stop Splunk Enterprise if it is already running.

Start Splunk Enterprise from the command line

On macOS, the default Splunk Enterprise installation directory is /Applications/splunk.

cd <Splunk Enterprise installation directory>/bin
./splunk start

If the default management and Splunk Web ports are already in use (or are otherwise not available), Splunk Enterprise offers to use the next available ports. You can either accept this option or specify a port to use.

Other start options

To accept the license automatically when you start Splunk Enterprise for the first time, add the accept-license option to the start command:

$SPLUNK_HOME/bin/splunk start --accept-license

The startup sequence displays:

Splunk> All batbelt. No tights.

Checking prerequisites...
	Checking http port [8000]: open
	Checking mgmt port [8089]: open
	Checking appserver port [127.0.0.1:8065]: open
	Checking kvstore port [8191]: open
	Checking configuration...  Done.
	Checking critical directories...	Done
	Checking indexes...
		Validated: _audit _blocksignature _internal _introspection _thefishbucket history main msad msexchange perfmon sf_food_health sos sos_summary_daily summary windows wineventlog winevents
	Done
	Checking filesystem compatibility...  Done
	Checking conf files for problems...
	Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done
                                                           [  OK  ]

Waiting for web server at http://127.0.0.1:8000 to be available... Done


If you get stuck, we're here to help.  
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://localhost:8000

There are two other start options: no-prompt and answer-yes:

  • If you run $SPLUNK_HOME/bin/splunk start --no-prompt, Splunk Enterprise proceeds with startup until it requires you to answer a question. Then, it displays the question, why it is quitting, and quits.
  • If you run SPLUNK_HOME/bin/splunk start --answer-yes, Splunk Enterprise proceeds with startup and automatically answers "yes" to all yes/no questions. It displays the question and answer as it continues.

If you run start with all three options in one line, for example:

$SPLUNK_HOME/bin/splunk start --answer-yes --no-prompt --accept-license
  • Splunk does not ask you to accept the license.
  • Splunk answers yes to any yes/no question.
  • Splunk quits when it encounters a non-yes/no question.

Change where and how Splunk Enterprise starts

To learn how to change system environment variables that control how Splunk Enterprise starts and operates, see "Set or change environment variables" in the Admin manual.

Launch Splunk Web

With a supported web browser, navigate to:

http://<host name or ip address>:8000

Use whatever host and port you chose during installation.

The first time you log in to Splunk Enterprise, the default login details are:
Username - admin
Password - changeme

PREVIOUS
Run Splunk Enterprise as a different or non-root user
  NEXT
What happens next?

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5


Comments

Kasey and Cderonda, this is likely an incompatibility between Splunk Enterprise 7.0 and macOS High Sierra. The changes in file system introduced with High Sierra cause validation checks to fail during Splunk Enterprise startup. We are working on documentation for the workaround and also on a fix in a future release.

Andrewb splunk, Splunker
March 27, 2018

I am seeing the same issue that Cderonda posted about on 3/17

Validating databases (splunkd validatedb) failed with code '1'

Kasey Matthews@intuit.com
March 27, 2018

Hi,
Could someone tell me what a "1" fail code is? I'm in the Module 3 Lab for the Fundamentals One training course and can't get the software to start. I installed 7.0.2 for Mac OS. Below is a paste of the terminal window.
Thank you,
Chris

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
homePath='/Applications/Splunk/var/lib/splunk/audit/db' of index=_audit on unusable filesystem.
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue

Cderonda
March 17, 2018

Hi Smamdani,

The "Splunk's Little Helper" application only comes with Splunk Enterprise. On the universal forwarder, there is no helper application to defeat. It installs and runs from the command line, like on other versions of *nix.

Malmoore, Splunker
August 16, 2017

How do you hide the "Splunk's little helper" dialog box when remotely deploying the forwarder to an endpoint?

Smamdani
August 13, 2017

Hi Ramamamidi,

It appears that an error occurred when Splunk software tried to create this file. Are you running it as a user with administrative privileges, or at least Full Control privileges to the system drive?

Malmoore, Splunker
July 12, 2017

Failed to open splunk.secret 'C:\Program Files\Splunk\etc\auth\splunk.secret' file. Some passwords will not work. errno=Access is denied.
Unable to read 'C:\Program Files\Splunk\etc\auth\splunk.secret' file.
getting this error while trying to start using cmd prompt.

Ramamamidi
June 26, 2017

System: Mac OSX 10.11
On downloading/ unzipping/ untaring Splunk and running
> cd splunk/bin ; ./splunk start
it goes well almost until the end and then I see two errors (configuration and web server port 8000 errors). Please see output snippet below for more details.
Note: BTW, port 8000 is not in use.
> netstat -a | grep 8000
[NONE]

---- Output snippet -----
Getting CA Private Key
writing RSA key
Configuration error: The environment variable SPLUNK_ETC must point to an existing path.
Done

Waiting for web server at http://127.0.0.1:8000 to be available............................................................................................................................................................................................................................................................................................................
WARNING: web interface does not seem to be available!

Tamasheeg
March 4, 2017

Hi Yoogesh,

What happens when you start it without that argument? If you have a good download, you should not get that messages.

Try downloading the package again. Make sure you download it for the correct OS and architecture for your computing platform.

Malmoore, Splunker
July 21, 2016

I have downloaded Splunk En 6.4.2 and trying to install with splunk start "--accept-license" ; it is giving me Invalid argument.

Yoogesh
July 20, 2016

Hi Sukrundo,

There is a link from this topic to the following topic which gives specific instructions on setting the environment variable: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Changedefaultvalues#Set_or_change_environment_variables

Malmoore, Splunker
May 6, 2016

where do you set $SPLUNK_HOME for linux environments ?

Sukrundo
May 6, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters