Install on Linux
Install on Linux
You can install Splunk on Linux using RPM or DEB packages, or a tar file.
Note: If you want to install the Splunk universal forwarder, see the Distributed Deployment manual: "Universal forwarder deployment overview". Unlike Splunk heavy and light forwarders, which are full Splunk instances with some features changed or disabled, the universal forwarder is an entirely separate executable, with its own set of installation procedures. For an introduction to forwarders, see "About forwarding and receiving".
If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding.
RedHat RPM install
To install the Splunk RPM in the default directory
rpm -i splunk_package_name.rpm
To install Splunk in a different directory, use the
rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
To upgrade an existing Splunk installation that resides in /opt/splunk using the RPM:
rpm -U splunk_package_name.rpm
To upgrade an existing Splunk installation that was done in a different directory, use the
rpm -U --prefix=/opt/existing_directory splunk_package_name.rpm
Note: If you do not specify with
--prefix for your existing directory, rpm will install in the default location of
For example, to upgrade to the existing directory of
$SPLUNK_HOME=/opt/apps/splunk enter the following:
rpm -U --prefix=/opt/apps splunk_package_name.rpm
If you want to automate your RPM install with kickstart, add the following to your kickstart file:
./splunk start --accept-license ./splunk enable boot-start
Note: The second line is optional for the kickstart file.
Debian DEB install
To install the Splunk DEB package:
dpkg -i splunk_package_name.deb
Note: You can only install the Splunk DEB package in the default location,
Tar file install
To install Splunk on a Linux system, expand the tarball into an appropriate directory using the
tar xvzf splunk_package_name.tgz
The default install directory is
splunk in the current working directory. To install into
/opt/splunk, use the following command:
tar xvzf splunk_package_name.tgz -C /opt
Note: When you install Splunk with a tarball:
- Some non-GNU versions of
tarmight not have the
-Cargument available. In this case, if you want to install in
/optor place the tarball in
/optbefore running the
tarcommand. This method will work for any accessible directory on your machine's filesystem.
- Splunk does not create the
splunkuser automatically. If you want Splunk to run as a specific user, you must create the user manually before installing.
- Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.
What gets installed
Splunk package status:
dpkg --status splunk
List all packages:
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information.
To start Splunk from the command line interface, run the following command from
$SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):
By convention, this document uses:
$SPLUNK_HOMEto identify the path to your Splunk installation.
$SPLUNK_HOME/bin/to indicate the location of the command line interface.
The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:
$SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the
Launch Splunk Web and log in
After you start Splunk and accept the license agreement,
1. In a browser window, access Splunk Web at
hostnameis the host machine.
portis the port you specified during the installation (the default port is 8000).
2. Splunk Web prompts you for login information (default, username
admin and password
changeme) before it launches. If you switch to Splunk Free, you will bypass this logon page in future sessions.
Now that you've installed Splunk, what comes next?
To uninstall from RedHat Linux
rpm -e splunk_product_name
To uninstall from Debian Linux:
dpkg -r splunk
To purge (delete everything, including configuration files):
dpkg -P splunk