Before you download and install the Splunk software, read this topic to learn which computing environments Splunk supports. If you have ideas or requests for new features to add to future releases, get in touch with Splunk Support. You can also follow our product road map.
For a discussion of hardware planning for deployment, review "Hardware capacity planning for your Splunk deployment" in this manual.
Splunk supports installation on the following platforms:
Unix operating systems
|Operating system||Architecture||Enterprise / Trial||Universal Forwarder|
|Solaris 8*, 9, 10, and 11*||x86 (64-bit)||x*||x*|
|Linux, 2.6+||x86 (64-bit)||x||x|
|Linux, 2.4+ with Native POSIX Thread Library||x86 (64-bit)|
|FreeBSD 7** and 8||x86 (64-bit)||x||x|
|Mac OS X 10.5, 10.6, and 10.7||all (Universal)||x||x|
|AIX 5.3, 6.1, and 7.1||PowerPC||x||x|
|HP/UX† 11i v2 and 11i v3||Itanium||x||x|
* Solaris 8 does not support 64-bit Splunk installs. Also, Solaris 11 does not support 32-bit Splunk installs.
** Be sure to read important notes on FreeBSD 7 below.
† You must use gnu
tar to unpack the HP/UX installation archive.
Windows operating systems
Be sure to read important notes about all Windows operating systems below.
|Operating system||Architecture||Enterprise / Trial||Universal Forwarder|
|Windows Server 2003 and Server 2003 R2||x86 (64-bit)||x||x|
|Windows Server 2008 and Server 2008 R2||x86 (64-bit)||x||x|
|Windows Server 2012||x86 (64-bit)||x¶||x|
|Windows XP, Windows Vista, and Windows 7||x86 (64-bit)||x||x|
|Windows 8||x86 (64-bit)||x¶||x|
*** This version of Splunk is supported but is not recommended on this platform.
¶ Internet Explorer 10 is not a supported browser for Splunk. On Windows 8 and Windows Server 2012, you must use one of the supported browsers below, such as Google Chrome or Mozilla Firefox. Additional information is available in the Release Notes.
Operating system notes and additional information
Certain parts of Splunk on Windows require elevated user permissions to function properly. For additional information about what is required, read the following topics:
- "Splunk architecture and processes" in this manual.
- "Choose the user Splunk should run as" in this manual.
- "Considerations for deciding how to monitor remote Windows data" in the Getting Data In Manual.
To run Splunk 5.x on 32-bit FreeBSD 7.x, install the
compat6x libraries. Splunk Support will supply "best effort" support for users running on FreeBSD 7.x.
For more information, refer to "Install Splunk on FreeBSD 7" in the Community Wiki.
Deprecated operating systems and features
As we continue to version the Splunk product, we gradually deprecate support of older operating systems. Be sure to read "Deprecated features" in the Release Notes for information on which platforms and features have been deprecated or removed entirely.
Creating and editing configuration files on non-UTF-8 OSes
Splunk expects configuration files to be in ASCII/UTF-8 format. If you edit or create a configuration file on an OS that is non-UTF-8, you must ensure that the editor you are using is configured to save in ASCII/UTF-8.
IPv6 platform support
All Splunk-supported OS platforms are supported for use with IPv6 configurations except for the following:
- HP/UX on PA-RISC architecture
- Solaris 9
Refer to "Configure Splunk for IPv6" in the Admin Manual for details on Splunk IPv6 support.
- Firefox 3.6, 10.x, and latest
- Internet Explorer 6, 7, 8, and 9
- Safari (latest)
- Chrome (latest)
You should also make sure you have the latest version of Flash installed to render any charts that use options not supported by the JSChart module. For more information about this subject, see "About JSChart" in the Splunk Data Visualizations Manual.
Splunk is a high-performance application. If you are performing a comprehensive evaluation of Splunk for production deployment, we recommend that you use hardware typical of your production environment. This hardware should meet or exceed the recommended hardware capacity specifications below.
For a discussion of hardware planning for production deployment, see "Hardware capacity planning for your Splunk deployment" in this manual.
Splunk and virtual machines
If you run Splunk in a virtual machine (VM) on any platform, performance will degrade. This is because virtualization works by abstracting the hardware on a system into resource pools from which VMs defined on the system draw as needed. Splunk needs sustained access to a number of resources, particularly disk I/O, for indexing operations. Running Splunk in a VM or alongside other VMs can cause reduced indexing performance.
For detailed performance estimates of Splunk on virtual hardware, read "Reference hardware" in this manual.
Recommended and minimum hardware capacity
|Platform||Recommended hardware capacity/configuration||Minimum supported hardware capacity|
|Non-Windows platforms||2x quad-core Intel Xeon, 3 GHz, 8 GB RAM, Redundant Array of Independent Disks (RAID) 0 or 1+0, with a 64 bit OS installed.||1x1.4 GHz CPU, 1 GB RAM|
|Windows platforms||2x quad-core Intel Xeon, 3 GHz, 8 GB RAM, RAID 0 or 1+0, with a 64 bit OS installed.||Pentium 4 or equivalent at 2 GHz, 2 GB RAM|
Note: RAID 0 configurations do not provide fault-tolerance. Be certain that a RAID 0 configuration meets your data reliability needs before deploying a Splunk indexer on a system configured with RAID 0.
- All configurations other than universal and light forwarder instances require at least the recommended hardware configuration.
- The minimum supported hardware guidelines are designed for personal use of Splunk. The requirements for Splunk in a production environment are significantly higher.
Important: For all installations, including forwarders, you must have a minimum of 2 GB of hard disk space available in addition to the space required for any indexes. Refer to "Estimate your storage requirements" in this manual for additional information.
Hardware requirements for universal and light forwarders
|Recommended||Dual-core 1.5 GHz+ processor, 1 GB+ RAM|
|Minimum||1.0 Ghz processor, 512 MB RAM|
Supported file systems
|Linux||ext2/3/4, reiser3, XFS, NFS 3/4|
|Solaris||UFS, ZFS, VXFS, NFS 3/4|
|FreeBSD||FFS, UFS, NFS 3/4, ZFS|
|Mac OS X||HFS, NFS 3/4|
|AIX||JFS, JFS2, NFS 3/4|
|HP-UX||VXFS, NFS 3/4|
Note: If you run Splunk on a filesystem that is not listed above, Splunk might run a start-up utility named
locktest to test the viability of a filesystem for running Splunk.
Locktest is a program that tests the start up process. If
locktest runs and fails, then the filesystem is not suitable for running Splunk.
Considerations regarding File Descriptors (FDs)
Splunk allocates file descriptors on *nix systems for actively monitored files, forwarder connections, deployment clients, users running searches, and so on.
Usually, the default file descriptor limit (
ulimit) on a *nix-based OS is 1024. Your Splunk administrator should determine the correct level, but it should be at least 8192. Even if Splunk allocates just a single file descriptor for each of the activities above, it’s easy to see how a few hundred files being monitored, a few hundred forwarders sending data, a handful of very active users on top of reading/writing to/from the datastore can easily exhaust the default setting.
The more tasks your Splunk instance is doing, the more FDs it will need, so you should increase the ulimit value if you start to see your instance run into problems with low FD limits.
For more information, read about ulimit in the Troubleshooting Manual.
This consideration is not applicable to Windows-based systems.
Considerations regarding Network File System (NFS)
NFS is often a poor choice for Splunk indexing activity, owing to performance, resilience, and semantics.
In environments with very high-bandwidth, very low-latency, reliable links, it can be an appropriate choice. Typically, this is implemented via a SAN (Storage Area Network) accessed via the NFS protocol.
Splunk does not support "soft" NFS mounts (mounts which cause a program attempting a file operation on the mount to report an error in case of a failure). Only "hard" NFS mounts are reliable with Splunk.
When mounting NFS volumes, do not disable attribute caching. If you have other applications which require disabling or reducing attribute caching, then you must provide Splunk a separate mount with attribute caching enabled.
If you use NFS in a distributed Splunk environment, do not use NFS mounts over a wide area network (WAN). Doing so will cause performance issues. Read "Distributed Splunk overview" in the Distributed Deployment Manual for additional information.
Note: On FreeBSD, Splunk does not support
Considerations regarding solid state drives
Solid state drives (SSDs) gain most of their performance through read operations. Splunk relies on fast disk write performance in order to index data with low latency. SSDs do not provide a significant write-speed advantage in Splunk over fast conventional hard drives.
SSDs deliver significant performance gains over conventional hard drives for Splunk in "rare" searches - searches that request small sets of results over large swaths of data - when used in combination with bloom filters. They also deliver performance gains with concurrent searches overall.
Supported server hardware architectures
Splunk supports installation on both 32- and 64-bit architectures for some platforms. See the download page page for details.
Components of a Splunk deployment
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1