Splunk® Enterprise

Installation Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Install on Linux

You can install Splunk on Linux using RPM or DEB packages, or a tar file.

Note: If you want to install the Splunk universal forwarder, see the Distributed Deployment manual: "Universal forwarder deployment overview". Unlike Splunk heavy and light forwarders, which are full Splunk instances with some features changed or disabled, the universal forwarder is an entirely separate executable, with its own set of installation procedures. For an introduction to forwarders, see "About forwarding and receiving".

Upgrading?

If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding.

RedHat RPM install

To install the Splunk RPM in the default directory /opt/splunk:

rpm -i splunk_package_name.rpm

To install Splunk in a different directory, use the --prefix flag:

rpm -i --prefix=/opt/new_directory splunk_package_name.rpm

To upgrade an existing Splunk installation that resides in /opt/splunk using the RPM:

rpm -U splunk_package_name.rpm

To upgrade an existing Splunk installation that was done in a different directory, use the --prefix flag:

rpm -U --prefix=/opt/existing_directory splunk_package_name.rpm

Note: If you do not specify with --prefix for your existing directory, rpm will install in the default location of /opt/splunk.

For example, to upgrade to the existing directory of $SPLUNK_HOME=/opt/apps/splunk enter the following:

rpm -U --prefix=/opt/apps splunk_package_name.rpm

If you want to automate your RPM install with kickstart, add the following to your kickstart file:

./splunk start --accept-license
./splunk enable boot-start 

Note: The second line is optional for the kickstart file.

Debian DEB install

To install the Splunk DEB package:

dpkg -i splunk_package_name.deb

Note: You can only install the Splunk DEB package in the default location, /opt/splunk.

Tar file install

To install Splunk on a Linux system, expand the tarball into an appropriate directory using the tar command:

tar xvzf splunk_package_name.tgz

The default install directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

tar xvzf splunk_package_name.tgz -C /opt

Note: When you install Splunk with a tarball:

  • Some non-GNU versions of tar might not have the -C argument available. In this case, if you want to install in /opt/splunk, either cd to /opt or place the tarball in /opt before running the tar command. This method will work for any accessible directory on your machine's filesystem.
  • Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually before installing.
  • Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

What gets installed

Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

Start Splunk

Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information.

To start Splunk from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):

 ./splunk start

By convention, this document uses:

  • $SPLUNK_HOME to identify the path to your Splunk installation.
  • $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

Startup options

The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

Launch Splunk Web and log in

After you start Splunk and accept the license agreement,

1. In a browser window, access Splunk Web at http://<hostname>:port.

  • hostname is the host machine.
  • port is the port you specified during the installation (the default port is 8000).

2. Splunk Web prompts you for login information (default, username admin and password changeme) before it launches. If you switch to Splunk Free, you will bypass this logon page in future sessions.

What's next?

Now that you've installed Splunk, what comes next?

RedHat Linux

To uninstall from RedHat Linux

rpm -e splunk_product_name

Debian Linux

To uninstall from Debian Linux:

dpkg -r splunk

To purge (delete everything, including configuration files):

dpkg -P splunk
PREVIOUS
Correct the user selected during Windows installation
  NEXT
Install on Solaris

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

With the boot-start command, you can specify the user you want splunk to run as. See http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/ConfigureSplunktostartatboottime

Ykherian, Splunker
July 25, 2013

Please also mention some notes on installation on amazon ec2 instances. Which ports should be opened in security groups. I am struggling to access splunk deployed on ec2 instance. I have opened all necessary ports, checked firewall, checked all splunk daemons. All looks good.

Sunnyjaisinghani
November 11, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters