Splunk Enterprise

Installation Manual

Download manual as PDF

System requirements

Before you download and install Splunk Enterprise, read this topic to learn about the computing environments that Splunk supports. See the download page for the latest version to download. See the release notes for details on known and resolved issues.

For a discussion of hardware planning for deployment, see the Capacity Planning manual.

If you have ideas or requests for new features to add to future releases, contact Splunk Support. You can also review our product road map.

Supported server hardware architectures

Splunk offers support for 32- and 64-bit architectures on some platforms. See the download page for details.

Supported Operating Systems

The following tables list the available computing platforms for Splunk Enterprise. The first table lists availability for *nix operating systems and the second lists availability for Windows operating systems. Use these tables to determine whether or not Splunk Enterprise is available for your platform.

1. Find the operating system on which you want to install Splunk Enterprise in the left column.

2. Read across the columns to find the computing architecture in the center column that matches your environment.

The tables show availability for several types of Splunk software, as shown in the columns on the right: Splunk Enterprise, Splunk Free, Splunk Trial, and Splunk Universal Forwarder. A '✔' (check mark) in the box that intersects your computing platform and Splunk software type means that Splunk software is available for that platform. An empty box means that Splunk software is not available for that platform. If you do not see your platform or architecture listed, the software is not available for that platform and architecture.

Some boxes have other characters. See the bottom of each table to learn what the characters mean.

Unix operating systems

Operating system Architecture Enterprise Free Trial Universal Forwarder
Solaris 10 and 11* x86 (64-bit)
x86 (32-bit) *
Linux, 2.6+ x86 (64-bit)
x86 (32-bit)
Linux, 3.0+ x86 (64-bit)
x86 (32-bit)
PowerLinux, 2.6+ PowerPC
zLinux, 2.6+ s390x
FreeBSD 8 x86 (64-bit)
x86 (32-bit)
FreeBSD 9 x86 (64-bit)
FreeBSD 10 x86 (64-bit)
Mac OS X 10.9 and 10.10 Intel
AIX 6.1 and 7.1 PowerPC
HP/UX† 11i v2 and 11i v3 Itanium

* Splunk Enterprise is available for Solaris 10. Solaris 11 does not support 32-bit Splunk Enterprise installs.
† You must use gnu tar to unpack the HP/UX installation archive.

Windows operating systems

The table lists the Windows computing platforms that Splunk Enterprise supports.

Operating system Architecture Enterprise Free Trial Universal Forwarder
Windows Server 2008 x86 (64-bit)
x86 (32-bit) *** *** ***
Windows Server 2008 R2, Server 2012,
and Server 2012 R2
x86 (64-bit)
Windows 7 x86 (64-bit)
x86 (32-bit) *** ***
Windows 8 x86 (64-bit)
x86 (32-bit) *** ***
Windows 8.1 x86 (64-bit)
x86 (32-bit) *** ***
Windows 10 x86 (64-bit)
x86 (32-bit) *** ***

*** Splunk supports but does not recommend using Splunk Enterprise on this platform and architecture.

Operating system notes and additional information


Certain parts of Splunk Enterprise on Windows require elevated user permissions to function properly. See the following topics:

Distributed Management Console (DMC) supported operating systems

The Splunk Enterprise DMC works only on certain versions of Linux, Solaris, and Windows. For specific information on supported platform architectures for DMC, see "Supported platforms" in the Troubleshooting manual. To learn about the other prerequisites that you must satisfy before you run DMC, see "DMC prerequisites" in the Distributed Management Console manual.

Deprecated operating systems and features

As we version the Splunk product, we gradually deprecate support of older operating systems. See "Deprecated features" in the Release Notes for information on which platforms and features have been deprecated or removed entirely.

Creating and editing configuration files on OSes that do not use UTF-8 character set encoding

Splunk Enterprise expects configuration files to be in ASCII or Universal Character Set Transformation Format-8-bit (UTF-8) format. If you edit or create a configuration file on an OS that does not use UTF-8 character set encoding, then ensure that the editor you use can save in ASCII or UTF-8.

IPv6 platform support

All Splunk-supported OS platforms can use IPv6 network configurations except:

  • AIX
  • HP/UX on PA-RISC architecture

See "Configure Splunk for IPv6" in the Admin Manual for details on IPv6 support in Splunk Enterprise.

Supported browsers

Splunk Enterprise supports the following browsers:

  • Firefox (latest)
  • Internet Explorer† 9¶, 10, and 11
  • Safari (latest)
  • Chrome (latest)

† Do not use Internet Explorer in Compatibility Mode when you access Splunk Web. Splunk Web warns you that there is no support for Internet Explorer version 8 and below. If you must use IE in compatibility mode for other applications, you must still use a browser that Splunk Web supports.

¶ Internet Explorer version 9 does not support file uploads in the "Add Data" page. Use IE version 10 or later to upload files.

Recommended hardware

If you plan to evaluate Splunk Enterprise for a production deployment, use hardware typical of your production environment. This hardware should meet or exceed the recommended hardware capacity specifications below.

For a discussion of hardware planning for production deployment, see "Introduction to capacity planning for Splunk Enterprise" in the Capacity Planning manual.

Splunk Enterprise and virtual machines

If you run Splunk Enterprise in a virtual machine (VM) on any platform, performance decreases. This is because virtualization works by providing hardware abstraction on a system into pools of resources. VMs that you define on the system draw from these resource pools as needed. Splunk Enterprise needs sustained access to a number of resources, particularly disk I/O, for indexing operations. If you run Splunk Enterprise in a VM or alongside other VMs, indexing and search performance can degrade significantly.

Recommended and minimum hardware capacity

The following requirements are accurate for a single instance installation with light to moderate use. For significant enterprise and distributed deployments, see the Capacity Planning manual.

Platform Recommended hardware capacity/configuration Minimum supported hardware capacity
Non-Windows platforms 2x six-core, 2+ GHz CPU, 12GB RAM, Redundant Array of Independent Disks (RAID) 0 or 1+0, with a 64 bit OS installed. 1x1.4GHz CPU, 1GB RAM
Windows platforms 2x six-core, 2+ GHz CPU, 12GB RAM, RAID 0 or 1+0, with a 64-bit OS installed. Intel Nehalem CPU or equivalent at 2GHz, 2GB RAM

RAID 0 disk configurations do not provide fault-tolerance. Confirm that a RAID 0 configuration meets your data reliability needs before deploying a Splunk Enterprise indexer on a system configured with RAID 0.

Splunk recommends that you maintain a minimum of 5GB of hard disk space available on any Splunk instance, including forwarders, in addition to the space required for any indexes. See "Estimate your storage requirements" in the Capacity Planning Manual for a procedure on how to estimate the amount of space you need. Failure to maintain this level of free space can result in degraded performance, operating system failure, and data loss.

Hardware requirements for universal and light forwarders

Recommended Dual-core 1.5GHz+ processor, 1GB+ RAM
Minimum 1.0Ghz processor, 512MB RAM

Supported file systems

Platform File systems
Linux ext2, ext3, ext4, btrfs, XFS, NFS 3/4
Solaris UFS, ZFS, VXFS, NFS 3/4
Mac OS X HFS, NFS 3/4
Windows NTFS, FAT32

If you run Splunk Enterprise on a file system that does not appear in this table, the software might run a startup utility named locktest to test the viability of the file system. Locktest is a program that tests the start-up process. If locktest fails, then the file system is not suitable for running Splunk Enterprise.

Considerations regarding file descriptor limits (FDs) on *nix systems

Splunk Enterprise allocates file descriptors on *nix systems for files it monitors, forwarder connections, deployment clients, users that run searches, and so on.

Usually, the default file descriptor limit (controlled by the ulimit -n command on a *nix-based OS) is 1024. Your Splunk administrator determines the correct level, but it should be at least 8192. Even if Splunk Enterprise allocates a single file descriptor for each of the activities, it is easy to see how a few hundred files being monitored, a few hundred forwarders sending data, and a handful of very active users on top of reading and writing to and from the datastore can exhaust the default setting.

The more tasks your Splunk Enterprise instance does, the more FDs it needs. You should increase the ulimit value if you start to see your instance run into problems with low FD limits.

See about ulimit in the Troubleshooting Manual.

This consideration is not applicable to Windows-based systems.

Considerations regarding Network File System (NFS)

When you use Network File System (NFS) as a storage medium for Splunk indexing, consider all of the ramifications of file level storage.

Use block level storage rather than file level storage for indexing your data.

In environments with reliable, high-bandwidth, low-latency links, or with vendors that provide high-availability, clustered network storage, NFS can be an appropriate choice. However, customers who choose this strategy should work with their hardware vendor to confirm that the storage platform they choose operates to the specification in terms of both performance and data integrity.

If you use NFS, be aware of the following issues:

  • Splunk Enterprise does not support "soft" NFS mounts. These are mounts that cause a program attempting a file operation on the mount to report an error and continue in case of a failure.
  • Only "hard" NFS mounts (mounts where the client continues to attempt to contact the server in case of a failure) are reliable with Splunk Enterprise.
  • Do not disable attribute caching. If you have other applications that require disabling or reducing attribute caching, then you must provide Splunk Enterprise with a separate mount with attribute caching enabled.
  • Do not use NFS mounts over a wide area network (WAN). Doing so causes performance issues and can lead to data loss.

Considerations regarding solid state drives

Solid state drives (SSDs) deliver significant performance gains over conventional hard drives for Splunk in "rare" searches - searches that request small sets of results over large swaths of data - when used in combination with bloom filters. They also deliver performance gains with concurrent searches overall.

Considerations regarding Common Internet File System (CIFS)/Server Message Block (SMB)

Splunk Enterprise supports the use of the CIFS/SMB protocol for the following purposes, on shares hosted by Windows hosts only:

When you use a CIFS resource for storage, confirm that the resource has write permissions for the user that connects to the resource at both the file and share levels. If you use a third-party storage device, ensure that its implementation of CIFS is compatible with the implementation that your Splunk Enterprise instance runs as a client.

Do not attempt to index data to a mapped network drive on Windows (for example "Y:\" mapped to an external share.) Splunk Enterprise disables any index it encounters with a non-physical drive letter.

Considerations regarding environments that use the transparent huge pages memory management scheme

If you run a Unix environment that makes use of transparent huge memory pages, see "Transparent huge memory pages and Splunk performance" before you attempt to install Splunk Enterprise.

This is not a problem on Windows operating systems.

Installation overview
Splunk Enterprise architecture and processes

This documentation applies to the following versions of Splunk: 6.3.0 View the Article History for its revisions.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole
Feedback you enter here will be delivered to the documentation team

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters