Splunk® Enterprise

Installation Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

Install on Windows via the command line

This topic describes the procedures for installing Splunk on Windows using the command line.

Note: You can only run one Splunk instance per Windows host.

Important: Running the 32-bit version of Splunk for Windows on a 64-bit platform is not recommended. If you run the 32-bit installer on a 64-bit system, the installer will warn you about this.

If you can run 64-bit Splunk on 64-bit hardware, we strongly recommend it. The performance is greatly improved over the 32-bit version.

Upgrading?

If you are upgrading, review the upgrade documentation later in this manual and check READ THIS FIRST for any migration considerations before proceeding.

In particular, be aware that changing the management or HTTP port during an upgrade is not supported.

Splunk for Windows and anti-virus software

Splunk's indexing subsystem requires lots of disk I/O bandwidth. Anti-virus software - or any software with a device driver that intermediates between Splunk and the operating system - can rob Splunk of processing power, causing slowness and even an unresponsive system.

It's extremely important to configure such software to avoid on-access scanning of Splunk installation directories and processes, before starting a Splunk installation.

Choose the user Splunk should run as

When you run the Splunk Windows installer, you are given the option to select the user that Splunk will run as.

If you install as the Local System user, Splunk will have access to all or nearly all of the important information on your local machine. However, the Local System user has no privileges on other Windows machines by design.

If you intend to do any of the following things, you must give Splunk a domain account:

  • read Event Logs remotely
  • collect performance counters remotely
  • read network shares for log files
  • enumerate the Active Directory schema using Active Directory monitoring

The domain account you use must also be a member of the local Administrators group. This is particularly important for installation on versions of Windows prior to Windows Server 2008 - failure to give the Splunk account access to the local Administrators group can cause Splunk to fail to function properly.

If you're not sure which account to run Splunk under, speak with your Windows domain administrator about the best way to proceed. If you are the domain administrator, then start off by using an account that has at most the permissions described here, and add rights as needed until you get the results you want.

Important: If you decide to change the user Splunk runs as after you have installed, you must ensure that the new user has the necessary resource access rights, and Full Control permissions to the entire %SPLUNK_HOME% directory.

Managed service accounts on Windows Server 2008 and Windows 7

If you run Windows Server 2008, Windows Server 2008 R2 or Windows 7, and your domain is properly configured or has at least one Windows Server 2008 R2 domain controller present, you can use managed service accounts (MSA) on your Splunk instance.

The major benefits of using a MSA are:

  • Increased security from the isolation of accounts for services.
  • Administrators no longer need to manage the credentials or administer service principal names (SPNs).
  • Administrators can delegate the administration of these accounts to non-administrators.

Some important things to understand before installing Splunk under a MSA are:

  • The MSA requires the same permissions as a domain account on the machine that runs Splunk.
  • The MSA must be a local administrator on the machine that runs Splunk.
  • You cannot use the same account on different computers, as you would with a domain account.
  • You must correctly configure and install the MSA on the machine that runs Splunk before you install Splunk on the machine. For information and instructions on how to do this, review "Service Accounts Step-by-Step Guide" (http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx) on MS Technet.

To install Splunk using a managed service account:

1. Ensure that the MSA you plan to use is properly installed and configured.

Important: The MSA must have appropriate rights configured for the Windows resources you need to monitor, and must also be a local Administrator on the machine that runs Splunk.

2. Install Splunk from the command line as the "Local System" user.

Important: You must use the LAUNCHSPLUNK=0 flag to keep Splunk from starting after installation is completed.

3. After installation is complete, use Windows Explorer or the ICACLS command line utility to grant the MSA "Full Control" permissions to the Splunk installation directory and all its sub-directories.

4. Follow the instructions in the topic "Correct the user selected during Windows installation" in this manual. In this instance, the correct user is the MSA you configured prior to installing Splunk.

Important: You must append a dollar sign ($) to the end of the username when completing Step 4 in order for the MSA to work correctly. For example, if the MSA is SPLUNKDOCS\splunk1, then you must enter SPLUNKDOCS\splunk1$ in the appropriate field in the properties dialog for the service. You must do this for both the splunkd and splunkweb services.

5. Make sure that the MSA has the "Log on as a service" right.

6. Restart Splunk. Splunk will run as the MSA configured above, and will have access to all data the MSA has access to.
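The procedure above, scripted end to end in PowerShell as an added example (this is not a Splunk-supplied script). It assumes Splunk.msi is in the current directory, reuses the constructed MSA name SPLUNKDOCS\splunk1 from the text, and performs step 4 through the Win32_Service.Change method instead of the service properties dialog.

```powershell
# Added example (not a Splunk-supplied script): steps 2, 3, 4 and 6 of the MSA
# procedure above, for Windows Server 2008 R2 / Windows 7 with PowerShell 2.0 or later.
# Assumptions: Splunk.msi is in the current directory, the MSA is SPLUNKDOCS\splunk1
# (constructed name, as in the text) and was installed on this host already (step 1).
$SplunkHome = 'C:\Program Files\Splunk'   # INSTALLDIR default from the flag table
$Msa        = 'SPLUNKDOCS\splunk1'        # constructed MSA name
$MsaLogon   = $Msa + '$'                  # services must be given the name with a trailing $

# Step 2: install as Local System and keep Splunk stopped (LAUNCHSPLUNK=0).
$msi = Start-Process -FilePath msiexec.exe -Wait -PassThru -ArgumentList @(
    '/i', 'Splunk.msi', "INSTALLDIR=`"$SplunkHome`"", 'LAUNCHSPLUNK=0', '/quiet')
# msiexec exit codes: 0 = success, 3010 = success but a reboot is required
if (@(0, 3010) -notcontains $msi.ExitCode) {
    throw "msiexec failed with exit code $($msi.ExitCode)"
}

# Step 3: Full Control for the MSA on the install directory and everything under it.
# (OI)(CI) make the ACE inheritable by files and folders; /T walks existing children.
& icacls.exe $SplunkHome /grant "${MsaLogon}:(OI)(CI)F" /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 4: run both services as the MSA. Win32_Service.Change() is the scripted
# equivalent of the Log On tab in the service properties dialog; an MSA has no
# password for you to type, so StartPassword is $null. ReturnValue 0 means success.
foreach ($name in 'splunkd', 'splunkweb') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { throw "service $name not found; did the install complete?" }
    $rc = $svc.Change($null, $null, $null, $null, $null, $null, $MsaLogon, $null).ReturnValue
    if ($rc -ne 0) { throw "Change() on $name failed, Win32_Service return code $rc" }
}

# Step 5 (the 'Log on as a service' right) is assigned in Local Security Policy or
# by GPO and is not scripted here.

# Step 6: start Splunk; it now runs as the MSA. List the accounts to confirm.
Start-Service -Name splunkd
Start-Service -Name splunkweb
Get-WmiObject -Class Win32_Service -Filter "Name='splunkd' OR Name='splunkweb'" |
    Select-Object Name, StartName, State
```

If Start-Service fails with a logon failure, the MSA is missing the "Log on as a service" right from step 5.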

Security and remote access considerations

In the interests of security, Splunk strongly recommends that you create and place the Splunk account into a domain group, and then place that group into local groups on member servers, when assigning rights for the Splunk account. This helps maintain security integrity and makes it a lot easier to control access in the event of a security breach or site-wide change.

The following is a list of the minimum local permissions required for the two Splunk services. Depending on the sources of data you need to access, the Splunk account may need a significant amount of additional permissions.

Required basic permissions for the splunkd service:

  • Full control over Splunk's installation directory
  • Read access to any flat files you want to index

Required Local Security Policy user rights assignments for the splunkd service:

  • Permission to log on as a service
  • Permission to log on as a batch job
  • Permission to replace a process-level token
  • Permission to act as part of the operating system
  • Permission to bypass traverse checking

Required basic permissions for the splunkweb service:

  • Full control over Splunk's installation directory

Required Local Security Policy user rights assignments for the splunkweb service:

  • Permission to log on as a service

Using Group Policy to assign user rights domain-wide

If you want to assign the policy settings shown above to all member servers in your AD domain, you can define a Group Policy object (GPO) for these specific rights and deploy that GPO across the domain or forest using the Domain Security Policy MMC snap-in (use the Domain Controller Security Policy snap-in for domain controllers). The member servers in your domain will pick up the changes either during the next scheduled AD replication cycle (usually every 2-3 hours), or at the next boot time.

Remember that identical Local Security Policy user rights defined on a member server are overwritten by the rights inherited from a GPO, and you can't change this setting. If you wish to retain previously existing rights defined on your member servers, they'll also need to be assigned within the GPO.

If you accidentally specify the wrong user the first time you install

If you specified the wrong user during the installation procedure, you'll see two popup error dialogs telling you this. Complete the installation and then use these instructions to switch to the correct user. You must not start Splunk before doing this.

Troubleshooting permissions issues

The rights described above are the rights that the splunkd and splunkweb services specifically invoke. Other rights may be required depending on your usage and what data you want to access. Additionally, many user rights assignments and other Group Policy restrictions can prevent Splunk from running. If you have issues, consider using a tool such as Process Monitor to troubleshoot your environment.

You can use the GPRESULT command line tool or the Group Policy Management Console (GPMC) to troubleshoot issues related to GPO application in your enterprise. As a last resort, you can revert to running the splunkd service under a domain administrator or equivalent account.
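To troubleshoot the rights listed above without guessing, the following PowerShell function (an added example, not a Splunk tool) exports the effective local security policy with secedit and reports, for each of the five splunkd user rights, who holds it and whether the given account holds it directly. It assumes an elevated prompt on the host that runs Splunk; 'AD\splunk' is the constructed account name used in this topic's examples.

```powershell
# Added example (not a Splunk tool): report who holds each of the five splunkd
# user rights listed above, and whether a given account holds each one directly.
# It reads the effective local policy exported by secedit, so rights pushed by a
# GPO are included. Assumption: run from an elevated PowerShell on the Splunk host.
function Test-SplunkdUserRights {
    param([Parameter(Mandatory = $true)][string]$Account)

    # Privilege constants behind the friendly names used in the list above.
    $required = @{
        'SeServiceLogonRight'           = 'Log on as a service'
        'SeBatchLogonRight'             = 'Log on as a batch job'
        'SeAssignPrimaryTokenPrivilege' = 'Replace a process-level token'
        'SeTcbPrivilege'                = 'Act as part of the operating system'
        'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
    }

    # Export the effective policy. User rights appear as lines such as
    #   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
    $cfg = Join-Path $env:TEMP 'splunk-secpol.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    $policy = Get-Content $cfg
    Remove-Item $cfg -Force

    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    foreach ($priv in $required.Keys) {
        $line = $policy | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
        $ids = @()
        if ($line) {
            $ids = @(($line -split '=', 2)[1].Trim() -split ',' |
                     ForEach-Object { $_.Trim().TrimStart('*') })
        }
        # Resolve SIDs to names for the report; keep the raw entry if it does not resolve.
        $names = $ids | ForEach-Object {
            $id = $_
            try { (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate(
                      [System.Security.Principal.NTAccount]).Value }
            catch { $id }
        }
        New-Object PSObject -Property @{
            Right        = $required[$priv]
            Constant     = $priv
            GrantedTo    = ($names -join '; ')
            # A grant to one of the account's groups (the recommended setup) is visible
            # in GrantedTo but is not counted as a direct hold.
            HeldDirectly = [bool](($ids -contains $sid) -or ($ids -contains $Account))
        }
    }
}

# 'AD\splunk' is the constructed account name used in this topic's examples.
Test-SplunkdUserRights -Account 'AD\splunk' | Format-Table Right, HeldDirectly, GrantedTo -AutoSize
```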

How to use the Microsoft Installer on the command line

You can install Splunk for Windows using the Microsoft Installer (MSI) on the command line by typing the following:

msiexec.exe /i Splunk.msi

This section lists the available flags for doing this, and provides a few examples of doing this in various configurations.

You can specify

  • which Windows event logs to index
  • which Windows registry hive(s) to monitor
  • which Windows Management Instrumentation (WMI) information to pull
  • the user Splunk runs as (be sure the user you specify has the appropriate permissions to access the content you want Splunk to index)
  • an included application configuration for Splunk to enable (such as the Splunk light forwarder)
  • whether or not Splunk should start up automatically when the installation is completed

Note: The first time you access Splunk Web after installation, log in with the default username admin and password changeme.

Supported flags

The following is a list of the flags you can use when installing Splunk for Windows via the command line.

Important: The Splunk universal forwarder is a separate executable, with its own installation flags. Review the supported installation flags for the universal forwarder in "Deploy a Windows universal forwarder from the command line" in the Distributed Deployment Manual.

INSTALLDIR="<directory_path>"
  Use this flag to specify the directory to install into. Splunk's installation directory is referred to as $SPLUNK_HOME or %SPLUNK_HOME% throughout this documentation set.
  Default: C:\Program Files\Splunk

SPLUNKD_PORT=<port number>
  Use this flag to specify an alternate port for splunkd to use.
  Note: If you specify a port and that port is not available, Splunk will automatically select the next available port.
  Default: 8089

WEB_PORT=<port number>
  Use this flag to specify an alternate port for splunkweb to use.
  Note: If you specify a port and that port is not available, Splunk will automatically select the next available port.
  Default: 8000

WINEVENTLOG_APP_ENABLE=1/0
WINEVENTLOG_SEC_ENABLE=1/0
WINEVENTLOG_SYS_ENABLE=1/0
WINEVENTLOG_FWD_ENABLE=1/0
WINEVENTLOG_SET_ENABLE=1/0
  Use these flags to specify whether or not Splunk should index a particular Windows event log: the Application, Security, System, Forwarder or Setup log, respectively.
  Note: You can specify multiple flags.
  Default: 0 (off)

REGISTRYCHECK_U=1/0
REGISTRYCHECK_BASELINE_U=1/0
  Use these flags to specify whether or not Splunk should index events from (REGISTRYCHECK_U) or capture a baseline snapshot of (REGISTRYCHECK_BASELINE_U) the Windows Registry user hive (HKEY_CURRENT_USER).
  Note: You can set both of these at the same time.
  Default: 0 (off)

REGISTRYCHECK_LM=1/0
REGISTRYCHECK_BASELINE_LM=1/0
  Use these flags to specify whether or not Splunk should index events from (REGISTRYCHECK_LM) or capture a baseline snapshot of (REGISTRYCHECK_BASELINE_LM) the Windows Registry machine hive (HKEY_LOCAL_MACHINE).
  Note: You can set both of these at the same time.
  Default: 0 (off)

WMICHECK_CPUTIME=1/0
WMICHECK_LOCALDISK=1/0
WMICHECK_FREEDISK=1/0
WMICHECK_MEMORY=1/0
  Use these flags to specify which popular WMI-based performance metrics Splunk should index: CPU usage, local disk usage, free disk space or memory statistics, respectively.
  Caution: If you need this instance of Splunk to monitor remote Windows instances over WMI, then you must also specify the LOGON_USERNAME and LOGON_PASSWORD installation flags. Splunk will not collect any remote WMI-based data that it does not have explicit access to. Read "Choose the user Splunk should run as" in the "Install on Windows" topic in this manual for additional information about the required credentials.
  Note: There are many more WMI-based metrics that Splunk can index. Review "Monitor WMI Data" in the Getting Data In Manual for specific information.
  Default: 0 (off)

LOGON_USERNAME="<domain\username>"
LOGON_PASSWORD="<pass>"
  Use these flags to provide domain\username and password information for the user that Splunk will run as. The splunkd and splunkweb services are configured with these credentials. For the LOGON_USERNAME flag, you must specify the domain with the username in the format "domain\username".
  These flags are required if you want this Splunk installation to monitor any remote WMI-based data. Review "Choose the user Splunk should run as" in the "Install on Windows" topic in this manual for additional information about which credentials to use.
  Default: none

SPLUNK_APP="<SplunkApp>"
  Use this flag to specify an included Splunk application configuration to enable for this installation of Splunk. Currently supported options for <SplunkApp> are: SplunkLightForwarder and SplunkForwarder. These specify that this instance of Splunk will function as a light forwarder or heavy forwarder, respectively. Refer to the "About forwarding and receiving" topic in the Distributed Deployment manual for more information.
  Important: The universal forwarder is not enabled from full Splunk; it is a separate downloadable executable, with its own installation flags.
  Note: If you specify either the Splunk forwarder or light forwarder here, you must also specify FORWARD_SERVER="<server:port>".
  To install Splunk with no applications at all, simply omit this flag.
  Default: none

FORWARD_SERVER="<server:port>"
  Use this flag *only* when you are also using the SPLUNK_APP flag to enable either the Splunk heavy or light forwarder. Specify the server and port of the Splunk server to which this forwarder will send data.
  Important: This flag requires that the SPLUNK_APP flag also be set.
  Default: none

DEPLOYMENT_SERVER="<host:port>"
  Use this flag to specify a deployment server for pushing configuration updates. Enter the deployment server's name (hostname or IP address) and port.
  Default: none

LAUNCHSPLUNK=0/1
  Use this flag to specify whether or not Splunk should start up automatically on system boot.
  Important: If you enable the Splunk Forwarder by using the SPLUNK_APP flag, Splunk is configured to start automatically, and this flag is ignored.
  Default: 1 (on)

Silent installation

To run the installation silently, add /quiet to the end of your installation command string. If your system is running UAC (which is sometimes on by default) you must run the installation as Administrator. To do this: when opening a cmd prompt, right click and select "Run As Administrator". Then use this cmd window to run the silent install command.

Examples

The following are some examples of using different flags.

Silently install Splunk to run as the Local System user

msiexec.exe /i Splunk.msi /quiet

Enable SplunkForwarder and specify credentials for the user Splunk will run as

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" LOGON_USERNAME="AD\splunk" LOGON_PASSWORD="splunk123"

Enable SplunkForwarder, enable indexing of the Windows System event log, and run the installer in silent mode

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" WINEVENTLOG_SYS_ENABLE=1 /quiet

Where <server:port> is the server and port of the Splunk server to which this machine should send data.

Launch Splunk in a Web browser

To access Splunk Web after you start Splunk on your machine, you can either:

  • Click the Splunk icon in Start>Programs>Splunk

or

Log in using the default credentials: username admin and password changeme. Be sure to change the admin password as soon as possible and make a note of what you changed it to.


Avoid IE Enhanced Security pop-ups

To avoid IE Enhanced Security pop-ups, add the following URLs to the allowed Intranet group or fully trusted group in IE:

  • quickdraw.splunk.com
  • the URL of your Splunk instance

Install or upgrade license

If you are performing a new installation of Splunk or switching from one license type to another, you must install or update your license.

Uninstall Splunk

To uninstall Splunk, use the Add or Remove Programs option in the Control Panel.

You can also use msiexec from the command line.

What's next?

Now that you've installed Splunk, what comes next?

You can also review this topic about considerations for deciding how to monitor Windows data in the Getting Data In manual.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
