System requirements for use of Splunk Enterprise on-premises
Splunk supports using Splunk Enterprise and the universal forwarder on several computing environments. Learn about the computing environments that Splunk supports before you download the software.
The universal forwarder has its own set of hardware requirements. See them at Computer hardware requirements in the Universal Forwarder Manual, then review this page for the software requirements.
If you have ideas or requests for new features for the Splunk platform, use the Splunk Ideas portal to search for, vote on, and request new enhancements, called ideas, for any of the Splunk solutions. To submit an idea, access the portal at https://ideas.splunk.com and log in with your Splunk.com username and password.
Supported Operating Systems
The following tables list the computing platforms for which Splunk Enterprise and the universal forwarder have support. The first table lists availability for *nix operating systems, the second lists availability for Windows operating systems, and the third lists availability for Darwin (Mac) operating systems.
The information on operating system support in this topic is accurate as of the release date of the minor version that appears in the version drop-down list on this page. Vendors might later end mainstream support for operating systems, and Splunk does not retroactively update the information here to account for such changes. See Splunk Support Policy for more information.
Each table shows available operating systems, computing architectures, and types of Splunk software. A bold X in a box that intersects the computing platform and Splunk software type you want means that Splunk software is available for that platform and type.
An empty box means that Splunk software is not available for that platform and type.
If you do not see the operating system or architecture that you are looking for in the list, then the software is not available for that platform or architecture. This might mean that Splunk has either ended or not yet started support for that platform. See the list of deprecated and removed computing platforms in Deprecated Features in the Release Notes.
Some boxes contain characters other than a bold X. See the bottom of each table to learn what the characters mean and how that could affect your installation.
Confirm support for your computing platform
- Find the operating system on which you want to install Splunk Enterprise in the Operating system column.
- Find the computing architecture in the Architecture column that matches your environment.
- Find the type of Splunk software that you want to use: Splunk Enterprise, Splunk Free, Splunk Trial, or Splunk Universal Forwarder.
- If Splunk software is available for the computing platform and software type that you want, proceed to the download page to get the software.
Unix operating systems
The table lists the Unix/Linux computing platforms that Splunk Enterprise supports. This list represents the operating systems that Splunk has tested. The ARM architecture is not supported for use with Splunk Enterprise at this time. Universal Forwarder ARM support is detailed in the following tables.
Distribution Name | Architecture | Enterprise License | Free License | Trial License | Developer License | Universal Forwarder package |
---|---|---|---|---|---|---|
RHEL 8 | x86 (64-bit) | X | X | X | X | X |
RHEL 9 | x86 (64-bit) | X | X | X | X | X |
RHEL 8 | PPCLE | X | ||||
RHEL 8 | s390x | X | ||||
RHEL 8 | ARM (64-bit) | X | ||||
Ubuntu 20.04 | x86 (64-bit) | D | D | D | D | D |
Ubuntu 22.04 | x86 (64-bit) | X | X | X | X | X |
Ubuntu 24.04 | x86 (64-bit) | X | X | X | X | X |
Amazon Linux 2 | x86 (64-bit) | D | D | D | D | D |
Amazon Linux 2023 | x86 (64-bit) | X | X | X | X | X |
Amazon Linux 2 | ARM (64-bit) | D | ||||
Amazon Linux 2023 | ARM (64-bit) | X | ||||
Rocky Linux/Alma Linux 8 | x86 (64-bit) | X | X | X | X | X |
Rocky Linux/Alma Linux 9 | x86 (64-bit) | X | X | X | X | X |
SLES 15 SP6 | x86 (64-bit) | X | X | X | X | X |
Debian 11 | x86 (64-bit) | X | X | X | X | X |
Debian 12 | x86 (64-bit) | X | X | X | X | X |
Solaris 11.4 | x86 (64-bit) | X | ||||
Solaris 11.4 | SPARC | X | ||||
Oracle Linux 8 | x86 (64-bit) | X | X | X | X | X |
Oracle Linux 9 | x86 (64-bit) | X | X | X | X | X |
FreeBSD 13 | x86 (64-bit) | X | ||||
FreeBSD 14 | x86 (64-bit) | X | ||||
AIX 7.2 | x86 (64-bit) | X | ||||
AIX 7.3 | x86 (64-bit) | X | ||||
raspi4 Ubuntu 20.04 | ARM (64-bit) | D |
X: Splunk software is available for the platform.
D: Splunk supports this platform and architecture, but might remove support in a future release. See Deprecated Features in the Release Notes for information on deprecation.
An empty box indicates software is not supported for this platform.
Windows operating systems
The table lists the Windows computing platforms that Splunk Enterprise and Universal Forwarder supports. The ARM Architecture is not supported on Splunk Enterprise and Universal Forwarder.
Distribution Name | Architecture | Enterprise License | Free License | Trial License | Developer License | Universal Forwarder package |
---|---|---|---|---|---|---|
Windows Server 2019 | x86 (64-bit) | X | X | X | X | X |
Windows Server 2022 | x86 (64-bit) | X | X | X | X | X |
Windows 11 | x86 (64-bit) | X | ||||
Windows 10 | x86 (64-bit) | X | ||||
Windows 10 | x86 (32-bit) | X |
X: Splunk software is available for the platform.
An empty box indicates software is not supported for this platform.
Mac operating systems
The table lists the Darwin computing platforms that Splunk Enterprise and Universal Forwarder supports. The M1/ARM Architecture is not supported on Splunk Enterprise.
Distribution Name | Architecture | Enterprise License | Free License | Trial License | Developer License | Universal Forwarder package |
---|---|---|---|---|---|---|
MacOS13 | x86 (64-bit) | X | X | |||
MacOS14 | x86 (64-bit) | X | X | |||
MacOS13 | ARM (Universal2) | X | ||||
MacOS14 | ARM (Universal2) | X |
X: Splunk software is available for the platform.
An empty box indicates software is not supported for this platform.
CPU architectures
Splunk software requires a CPU processor that supports the x86-64-v2 (Intel/AMD) or NEON (ARM) architecture. Most modern processors manufactured after 2008 include this support. Support for the use of processors that do not meet this requirement is deprecated in Splunk Enterprise 9.3. Support for the use of processors that do not meet this requirement will be removed in the next major or minor version of Splunk Enterprise after version 9.3.
This CPU requirement and the notice of deprecation does not apply to the Universal Forwarder package.
For definitions of deprecated and removed, see Deprecated and removed in version 9.3. For definitions of major and minor versions, see Splunk Support Policy.
Containerized computing platforms
The official repository containing Dockerfiles for building Splunk Enterprise and Universal Forwarder images can be found at Splunk-Docker on GitHub. The list of requirements for Docker and Splunk software is available in the Support Guidelines on the Splunk-Docker GitHub.
For container orchestration, the Splunk Operator for Kubernetes on GitHub lets you quickly and easily deploy Splunk Enterprise on your choice of private or public cloud provider. The operator simplifies scaling and management of Splunk Enterprise by automating workflows while implementing Kubernetes best practices.
Splunk Enterprise architecture support | Product |
---|---|
A single instance Splunk Enterprise deployment. | Splunk-Docker on GitHub |
A distributed or single instance Splunk Enterprise deployment. | Splunk Operator for Kubernetes on GitHub |
Operating system notes
Windows
Some parts of Splunk Enterprise on Windows require elevated user permissions to function properly. See the following topics for information on the components that require elevated permissions and how to configure Splunk Enterprise on Windows:
- Splunk Enterprise architecture and processes
- Choose the Windows user Splunk Enterprise should run as
- Considerations for deciding how to monitor remote Windows data in Getting Data In
Operating systems that support the Monitoring Console
The Splunk Enterprise Monitoring Console works only on some versions of Linux and Windows. For information on supported platform architectures for the Monitoring Console, see Supported platforms in the Troubleshooting Manual. To learn about the other prerequisites for the Monitoring Console, see Monitoring Console setup prerequisites in Monitoring Splunk Enterprise.
Deprecated operating systems and features
As we update Splunk software, we sometimes deprecate and remove support of older operating systems. See Deprecated features in the Release Notes for information on which platforms and features have been deprecated or removed entirely.
Creating and editing configuration files on OSes that do not use UTF-8 character set encoding
Splunk software expects configuration files to be in ASCII or Universal Character Set Transformation Format-8-bit (UTF-8) format. If you edit or create a configuration file on an OS that does not use UTF-8 character set encoding, then ensure that the editor you use can save in either the ASCII or UTF-8 formats.
IPv6 networking support
All Splunk-supported OS platforms can use IPv6 network configurations.
See Configure Splunk Enterprise for IPv6 in the Admin Manual for details on IPv6 support in Splunk Enterprise.
Supported browsers
Splunk Enterprise supports the following browsers:
- Firefox (latest)
- Safari (latest)
- Chrome (latest)
- Microsoft Edge (latest)
Recommended hardware
To evaluate Splunk Enterprise for a production deployment, use hardware that is typical of your production environment. This hardware should meet or exceed the recommended hardware capacity specifications. See Reference hardware in the Capacity Planning Manual.
For a discussion of hardware planning for production deployment, see Introduction to capacity planning for Splunk Enterprise in the Capacity Planning Manual.
Splunk Enterprise and virtual machines
If you run Splunk Enterprise in a virtual machine (VM) on any platform, performance decreases. This is because virtualization works by providing hardware abstraction on a machine into pools of resources. VMs that you define on the system draw from these resource pools. Splunk Enterprise needs sustained access to a number of resources, particularly disk I/O, for indexing operations. If you run Splunk Enterprise in a VM or alongside other VMs, indexing and search performance can degrade.
Splunk Enterprise and containerized infrastructures
A containerized deployment must provide hardware resources that meet or exceed the recommended hardware capacity for Splunk Enterprise deployments. See Containerized computing platforms.
Recommended hardware capacity
For information on hardware requirements for production deployments, see Reference hardware in the Capacity Planning Manual.
Hardware requirements for universal forwarders
The universal forwarder has its own set of hardware requirements. See Universal forwarder prerequisites in the Universal Forwarder manual.
Supported file systems and distributed file system protocols
The following table lists the file systems and distributed file system protocols that Splunk Enterprise supports for storing index data.
If you run Splunk Enterprise on a file system that does not appear in this table, the software might run a startup utility named locktest
to test the viability of the file system. If the locktest
utility fails on the target file system or protocol, then that file system or protocol is not suitable for use with Splunk Enterprise.
Platform | File systems |
---|---|
Linux | ext3, ext4, btrfs, XFS, NFS 3/4 (C) |
Solaris (universal forwarder only) | UFS, ZFS, VXFS, NFS 3/4 (C) |
FreeBSD (universal forwarder only) | FFS, UFS, ZFS, NFS 3/4 (C) |
macOS (universal forwarder only) | HFS, APFS, NFS 3/4 (C) |
AIX (universal forwarder only) | JFS, JFS2, NFS 3/4 (C) |
Windows | NTFS, FAT32, CIFS (D), SMB (D) |
(C) See "Considerations regarding Network File System (NFS)" later in this topic for information on the limitations for storing index buckets on the NFS protocol.
(D) See "Considerations regarding Common Internet File System (CIFS)/Server Message Block (SMB)" later in this topic for information on the limitations for storing index buckets on the CIFS and SMB protocols on Windows.
Considerations regarding Network File System (NFS)
When you use Network File System (NFS) as a storage medium for Splunk indexing, consider all of the ramifications of file level storage. Use block level storage rather than file level storage for indexing your data.
In environments with reliable, high-bandwidth, low-latency links, or with vendors that provide high-availability, clustered network storage, NFS can be an appropriate choice. If you choose this strategy, work with your NFS vendor to confirm that their storage platform operates to the vendor specification in terms of performance, feature support, and data integrity.
Follow these guidelines if you want to use NFS to store Splunk Enterprise index data:
- Do not use NFS to host hot or warm index buckets. Splunk Enterprise supports only the storage of cold or frozen buckets on NFS.
- Do not use NFS to share cold or frozen index buckets amongst an indexer cluster, as this potentially creates a single point of failure.
- Splunk Enterprise does not support "soft" NFS mounts. These are mounts that cause a program that attempts a file operation on the mount to report an error and continue in case of a failure.
- Only "hard" NFS mounts, where the client continues to attempt to contact the server in case of a failure, are reliable with Splunk Enterprise.
- Additionally, the implementation of NFS that you use must support hard file system object (FSO) links, where one object links to another and both the object and its link share the same file system index node, or inode number. Hard FSO links are colloquially known as "hard links" and differ significantly from hard NFS mounts. Some NFS implementations do not support them. Confirm support with your vendor prior to using Splunk Enterprise to store index data with their version of NFS.
- Do not disable NFS attribute caching. If you use other applications that requires disabling or reducing attribute caching, then you must provide Splunk Enterprise with a separate NFS mount with attribute caching enabled.
- Do not use NFS mounts over a wide area network (WAN). Doing so causes performance issues and can lead to data loss.
Considerations regarding Common Internet File System (CIFS)/Server Message Block (SMB)
Splunk Enterprise supports the use of the CIFS and SMB protocols for the following purposes, on shares hosted by Windows machines only:
- Storage of cold or frozen Index buckets.
When you use a CIFS resource for storage, confirm that the resource has write permissions for the user that connects to the resource at both the file and share levels. If you use a third-party storage device, confirm that its implementation of CIFS is compatible with the implementation that your Splunk Enterprise instance runs as a client.
Do not index data to a mapped network drive on Windows (for example "Y:\
" mapped to an external share.) Splunk Enterprise disables any index it encounters with a non-physical drive letter.
Considerations regarding system-wide resource limits on *nix systems
Splunk Enterprise allocates system-wide resources like file descriptors and user processes on *nix systems for monitoring, forwarding, deploying, and searching. The ulimit
command controls access to these resources which must be tuned to acceptable levels for Splunk Enterprise to perform adequately on *nix systems.
The more tasks your Splunk Enterprise instance performs, the more resources it needs. You should increase the ulimit
values if you start to see your instance run into problems with low resource limits. See I get errors about ulimit in splunkd.log in the Troubleshooting Manual.
The following table shows the system-wide resources that Splunk Enterprise uses. It provides the minimum recommended settings for these resources for instances that are not forwarders, such as indexers, search heads, cluster manager, license manager, deployment servers, and Monitoring Consoles (MC).
System-wide Resource | ulimit invocation | Minimum recommended value |
---|---|---|
Open files | ulimit -n
|
64000 |
User processes | ulimit -u
|
16000 |
Data segment size | ulimit -d
|
The maximum RAM you want Splunk Enterprise to allocate in kilobytes. For example, 8GB is 8000000 .
|
File size | ulimit -f
|
-1 A setting of -1 sets the file size to unlimited.
|
On machines that run Linux where Splunk Enterprise services are managed by systemd, you can update the /etc/systemd/system/Splunkd.service
unit file to set the values shown in the table below. Review the values and adjust them depending on the machine resources available.
System-wide Resource | systemd unit file parameter | Minimum recommended value |
---|---|---|
Open files | LimitNOFILE=
|
64000 |
User processes | LimitNPROC=
|
16000 |
Data segment size | LimitDATA=
|
The maximum RAM you want Splunk Enterprise to allocate in bytes. For example, 8GB is 8000000000 .
|
File size | LimitFSIZE=
|
infinity A setting of "infinity" sets the file size to unlimited.
|
Total threads | TasksMax=
|
The maximum number of tasks that a service can create. This setting aligns with the user process limit LimitNPROC and the value can be set to match. For example, 16000 .
|
On machines that run FreeBSD, you might need to increase the kernel parameters for default and maximum process stack size. The following table shows the parameters that must be present in /boot/loader.conf
on the host.
System-wide Resource | Kernel parameter | Recommended value |
---|---|---|
Default process data size (soft limit) | dfldsiz
|
2147483648 |
Maximum process data size (hard limit) | maxdsiz
|
2147483648 |
On machines that run AIX, you might need to increase the systemwide resource limits for maximum file size (fsize) and resident memory size (rss). The following table shows the parameters that must be present in /etc/security/limits
for the user that runs Splunk software.
System-wide Resource | ulimit invocation | Recommended value |
---|---|---|
Data segment size | ulimit -d
|
1073741824 |
Resident memory size | ulimit -m
|
536870912 |
Number of open files | ulimit -n
|
8192 |
File size limit | ulimit -f
|
-1 (unlimited)
|
This consideration is not applicable to Windows-based systems.
Considerations regarding environments that use the transparent huge pages memory management scheme
If you run Splunk Enterprise on a Unix machine that makes use of transparent huge memory pages, see Transparent huge memory pages and Splunk performance in the Release Notes before you attempt to install Splunk Enterprise.
This consideration is not applicable to Windows operating systems.
Further reading
See the Download Splunk Enterprise page to get the latest available version.
See the release notes for details on known and resolved issues in this release.
See Introduction to Capacity Planning for Splunk Enterprise in the Capacity Planning Manual for information on estimating capacity .
Installation overview | Splunk Enterprise architecture and processes |
This documentation applies to the following versions of Splunk® Enterprise: 9.4.0
Feedback submitted, thanks!