- Unix operating systems
- Windows operating systems
- Operating system notes and additional information
- Deprecated operating systems and features
- Creating and editing configuration files on non-UTF-8 OSes
- IPv6 platform support
- Splunk and virtual machines
- Recommended and minimum hardware capacity
- Hardware requirements for universal and light forwarders
- Considerations regarding file descriptors (FDs) on *nix systems
- Considerations regarding Network File System (NFS)
- Considerations regarding solid state drives
Before you download and install the Splunk software, read this topic to learn which computing environments Splunk supports.
For a discussion of hardware planning for deployment, review "Hardware capacity planning for your Splunk deployment" in this manual.
Important: Read the following tables carefully when researching the system requirements. Splunk availability has changed significantly from previous versions.
The tables below list the computing platforms that Splunk is available for.
To find out whether or not Splunk is available for your platform:
1. Find the operating system you wish to install Splunk on in the left column.
2. Then, read across to find the appropriate computing architecture in the center column that best matches your environment.
The tables show availability for two different types of Splunk, as shown in the two columns on the right: Splunk Enterprise/Trial, and Splunk Universal Forwarder. An 'x' in the box that intersects your computing platform and desired Splunk type means that Splunk is available for that platform. An empty box means that Splunk is not available for that platform.
Some boxes have characters in addition to - or instead of - an 'x'. Refer to the bottom of the tables to find out what the additional characters represent.
Unix operating systems
|Operating system||Architecture||Enterprise / Trial||Universal Forwarder|
|Solaris 8* and 9||x86 (64-bit)||x|
|Solaris 10 and 11*||x86 (64-bit)||x*||x*|
|Linux, 2.4+ with Native POSIX Thread Library||x86 (64-bit)|
|Linux, 2.6+||x86 (64-bit)||x||x|
|Linux, 3.0+||x86 (64-bit)||x||x|
|FreeBSD 7** and 8||x86 (64-bit)||x||x|
|Mac OS X 10.7 and 10.8||Intel||x||x|
|AIX 6.1 and 7.1||PowerPC||x||x|
|HP/UX† 11i v2 and 11i v3||Itanium||x||x|
* Solaris 8 does not support 64-bit Splunk installs. Also, Solaris 11 does not support 32-bit Splunk installs.
** Be sure to read important notes on FreeBSD 7 below.
† You must use gnu
tar to unpack the HP/UX installation archive.
Windows operating systems
The table below lists the Windows computing platforms that Splunk is available for.
|Operating system||Architecture||Enterprise / Trial||Universal Forwarder|
|Windows Server 2003 and Server 2003 R2||x86 (64-bit)||x||x|
|Windows Server 2008 and Server 2008 R2||x86 (64-bit)||x||x|
|Windows Server 2012||x86 (64-bit)||x||x|
|Windows XP||x86 (64-bit)||x|
|Windows Vista||x86 (64-bit)||¶||x|
|Windows 7||x86 (64-bit)||x||x|
|Windows 8||x86 (64-bit)||x||x|
*** This version of Splunk is supported but is not recommended on this platform and architecture.
¶ Splunk Enterprise is not available on this platform. However, Splunk Trial and Splunk Universal Forwarder are available.
Operating system notes and additional information
Certain parts of Splunk on Windows require elevated user permissions to function properly. For additional information about what is required, read the following topics:
- "Splunk architecture and processes" in this manual.
- "Choose the user Splunk should run as" in this manual.
- "Considerations for deciding how to monitor remote Windows data" in the Getting Data In Manual.
To run Splunk 6.x on 32-bit FreeBSD 7.x, install the
compat6x libraries. Splunk Support will supply "best effort" support for users running on FreeBSD 7.x.
For more information, refer to "Install Splunk on FreeBSD 7" in the Community Wiki.
Deprecated operating systems and features
As we continue to version the Splunk product, we gradually deprecate support of older operating systems. Be sure to read "Deprecated features" in the Release Notes for information on which platforms and features have been deprecated or removed entirely.
Creating and editing configuration files on non-UTF-8 OSes
Splunk expects configuration files to be in ASCII or Universal Character Set Transformation Format-8-bit (UTF-8) format. If you edit or create a configuration file on an OS that does not use UTF-8 character set encoding, then you must ensure that the editor you are using is configured to save in ASCII/UTF-8.
IPv6 platform support
All Splunk-supported OS platforms are supported for use with IPv6 configurations except for the following:
- HP/UX on PA-RISC architecture
- Solaris 9
Refer to "Configure Splunk for IPv6" in the Admin Manual for details on Splunk IPv6 support.
Splunk supports the following browsers:
- Firefox 10.x and latest
- Internet Explorer 7, 8, 9, and 10
- Safari (latest)
- Chrome (latest)
You should also make sure you have the latest version of Adobe Flash installed to render any charts that use options not supported by the JSChart module. For more information about this subject, see "About JSChart" in the Splunk Data Visualizations Manual.
Splunk is a high-performance application. If you are performing a comprehensive evaluation of Splunk for production deployment, we recommend that you use hardware typical of your production environment. This hardware should meet or exceed the recommended hardware capacity specifications below.
For a discussion of hardware planning for production deployment, see "Hardware capacity planning for your Splunk deployment" in this manual.
Splunk and virtual machines
If you run Splunk in a virtual machine (VM) on any platform, performance does degrade. This is because virtualization works by abstracting the hardware on a system into resource pools from which VMs defined on the system draw as needed. Splunk needs sustained access to a number of resources, particularly disk I/O, for indexing operations. Running Splunk in a VM or alongside other VMs can cause reduced indexing performance.
Recommended and minimum hardware capacity
|Platform||Recommended hardware capacity/configuration||Minimum supported hardware capacity|
|Non-Windows platforms||2x six-core, 2+ GHz CPU, 12 GB RAM, Redundant Array of Independent Disks (RAID) 0 or 1+0, with a 64 bit OS installed.||1x1.4 GHz CPU, 1 GB RAM|
|Windows platforms||2x six-core, 2+ GHz CPU, 12 GB RAM, RAID 0 or 1+0, with a 64 bit OS installed.||Pentium 4 or equivalent at 2 GHz, 2 GB RAM|
Note: RAID 0 configurations do not provide fault-tolerance. Be certain that a RAID 0 configuration meets your data reliability needs before deploying a Splunk indexer on a system configured with RAID 0.
- All configurations other than universal and light forwarder instances require at least the recommended hardware configuration.
- The minimum supported hardware guidelines are designed for personal use of Splunk. The requirements for Splunk in a production environment are significantly higher.
Important: For all installations, including forwarders, you must have a minimum of 5 GB of hard disk space available in addition to the space required for any indexes. Refer to "Estimate your storage requirements" in this manual for additional information.
Hardware requirements for universal and light forwarders
|Recommended||Dual-core 1.5 GHz+ processor, 1 GB+ RAM|
|Minimum||1.0 Ghz processor, 512 MB RAM|
Supported file systems
|Linux||ext2/3/4, reiser3, XFS, NFS 3/4|
|Solaris||UFS, ZFS, VXFS, NFS 3/4|
|FreeBSD||FFS, UFS, NFS 3/4, ZFS|
|Mac OS X||HFS, NFS 3/4|
|AIX||JFS, JFS2, NFS 3/4|
|HP-UX||VXFS, NFS 3/4|
Note: If you run Splunk on a filesystem that is not listed above, Splunk might run a startup utility named
locktest to test the viability of a filesystem for running Splunk.
Locktest is a program that tests the start up process. If
locktest runs and fails, then the filesystem is not suitable for running Splunk.
Considerations regarding file descriptors (FDs) on *nix systems
Splunk allocates file descriptors on *nix systems for actively monitored files, forwarder connections, deployment clients, users running searches, and so on.
Usually, the default file descriptor limit (controlled by the
ulimit command on a *nix-based OS) is 1024. Your Splunk administrator should determine the correct level, but it should be at least 8192. Even if Splunk allocates just a single file descriptor for each of the activities above, it’s easy to see how a few hundred files being monitored, a few hundred forwarders sending data, a handful of very active users on top of reading/writing to/from the datastore can easily exhaust the default setting.
The more tasks your Splunk instance is doing, the more FDs it will need, so you should increase the ulimit value if you start to see your instance run into problems with low FD limits.
For more information, read about ulimit in the Troubleshooting Manual.
This consideration is not applicable to Windows-based systems.
Considerations regarding Network File System (NFS)
When choosing to use Network File System (NFS) as a storage medium for Splunk indexing, it is important to consider all of the ramifications of file level storage.
Splunk strongly recommends that you use block level storage rather than file level storage for indexing your data.
In environments with reliable, very high-bandwidth low-latency links, or with vendors that provide high-availability, clustered network storage, NFS can be an appropriate choice. However, customers who plan to choose this strategy should work closely with their hardware vendor to confirm that the storage platform they choose performs to the desired specification in terms of both performance and data integrity.
If you choose to use NFS, note the following caveats:
- Splunk does not support "soft" NFS mounts (mounts which cause a program attempting a file operation on the mount to report an error and continue in case of a failure).
- Only "hard" NFS mounts - mounts where the client continues to attempt to contact the server in case of a failure) are reliable with Splunk.
- Do not disable attribute caching. If you have other applications which require disabling or reducing attribute caching, then you must provide Splunk a separate mount with attribute caching enabled.
- Do not use NFS mounts over a wide area network (WAN). Doing so causes performance issues and can potentially lead to data loss.
Considerations regarding solid state drives
Solid state drives (SSDs) deliver significant performance gains over conventional hard drives for Splunk in "rare" searches - searches that request small sets of results over large swaths of data - when used in combination with bloom filters. They also deliver performance gains with concurrent searches overall.
Considerations regarding transparent huge memory pages and Splunk performance
Some distributions of Unix and Linux (for example, Red Hat/CentOS and Ubuntu) have an advanced memory management scheme called Transparent Huge Pages (THP). THP allows administrators to abstract and automate the creation, management, and usage of huge memory pages, as handled by a CPU's memory management unit (MMU). Every CPU in a system has an MMU which manages memory in pages, and huge pages are structures that allow MMUs to manage multiple gigabytes and terabytes of memory more easily.
THP, however, causes problems for Splunk in some cases. When enabled, THP can significantly degrade Splunk I/O performance because of the way that it handles huge memory pages. On systems with THP enabled, we have observed a minimum of a 30% reduction in indexing and search performance, with a similar percentage increase in latency. We strongly recommend that you disable THP in your *nix system's configuration unless that system runs an application that requires THP.
Refer to this Oracle blog for more background on the issue, and to your *nix distribution's documentation on memory management for specifics on how to disable the setting.
Supported server hardware architectures
32 and 64-bit architectures are supported for some platforms. See the download page for details.
This documentation applies to the following versions of Splunk: 6.0