Splunk® Enterprise

Installation Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

System requirements

Before you download and install the Splunk software, read this topic to learn which computing environments Splunk supports. If you have ideas or requests for new features to add to future releases, get in touch with Splunk Support. You can also follow our product road map.

Refer to the download page for the latest version to download. Check the release notes for details on known and resolved issues.

For a discussion of hardware planning for deployment, review "Hardware capacity planning for your Splunk deployment" in this manual.

Supported OSes

Splunk supports installation on the following platforms:

Unix operating systems

Operating system Architecture Enterprise / Trial Universal Forwarder
Solaris 8*, 9, 10, and 11* x86 (64-bit) x* x*
SPARC x x
x86 (32-bit) x* x*
Linux, 2.6+ x86 (64-bit) x x
x86 (32-bit) x x
Linux, 2.4+ with Native POSIX Thread Library x86 (64-bit)
x86 (32-bit) x x
FreeBSD 7** and 8 x86 (64-bit) x x
x86 (32-bit) x x
Mac OS X 10.5, 10.6, and 10.7 all (Universal) x x
AIX 5.3, 6.1, and 7.1 PowerPC x x
HP/UX† 11i v2 and 11i v3 Itanium x x
PA-RISC x x

* Solaris 8 does not support 64-bit Splunk installs. Also, Solaris 11 does not support 32-bit Splunk installs.
** Be sure to read important notes on FreeBSD 7 below.
† You must use gnu tar to unpack the HP/UX installation archive.

Windows operating systems

Be sure to read important notes about all Windows operating systems below.

Operating system Architecture Enterprise / Trial Universal Forwarder
Windows Server 2003 and Server 2003 R2 x86 (64-bit) x x
x86 (32-bit) x*** x***
Windows Server 2008 and Server 2008 R2 x86 (64-bit) x x
x86 (32-bit) x*** x***
Windows Server 2012 x86 (64-bit) x
Windows XP, Windows Vista, and Windows 7 x86 (64-bit) x x
x86 (32-bit) x*** x***
Windows 8 x86 (64-bit) x
x86 (32-bit) x

*** This version of Splunk is supported but is not recommended on this platform.
¶ Internet Explorer 10 is not a supported browser for Splunk. On Windows 8 and Windows Server 2012, you must use one of the supported browsers below, such as Google Chrome or Mozilla Firefox. Additional information is available in the Release Notes.

Operating system notes and additional information

Windows

Certain parts of Splunk on Windows require elevated user permissions to function properly. For additional information about what is required, read the following topics:

FreeBSD 7.x

To run Splunk 5.x on 32-bit FreeBSD 7.x, install the compat6x libraries. Splunk Support will supply "best effort" support for users running on FreeBSD 7.x. For more information, refer to "Install Splunk on FreeBSD 7" in the Community Wiki.

Deprecated operating systems and features

As we continue to version the Splunk product, we gradually deprecate support of older operating systems. Be sure to read "Deprecated features" in the Release Notes for information on which platforms and features have been deprecated or removed entirely.

Creating and editing configuration files on non-UTF-8 OSes

Splunk expects configuration files to be in ASCII/UTF-8 format. If you edit or create a configuration file on an OS that is non-UTF-8, you must ensure that the editor you are using is configured to save in ASCII/UTF-8.

IPv6 platform support

All Splunk-supported OS platforms are supported for use with IPv6 configurations except for the following:

  • AIX
  • HP/UX on PA-RISC architecture
  • Solaris 9

Refer to "Configure Splunk for IPv6" in the Admin Manual for details on Splunk IPv6 support.

Supported browsers

  • Firefox 3.6, 10.x, and latest
  • Internet Explorer 6, 7, 8, and 9
  • Safari (latest)
  • Chrome (latest)

You should also make sure you have the latest version of Flash installed to render any charts that use options not supported by the JSChart module. For more information about this subject, see "About JSChart" in the Splunk Data Visualizations Manual.

Recommended hardware

Splunk is a high-performance application. If you are performing a comprehensive evaluation of Splunk for production deployment, we recommend that you use hardware typical of your production environment. This hardware should meet or exceed the recommended hardware capacity specifications below.

For a discussion of hardware planning for production deployment, see "Hardware capacity planning for your Splunk deployment" in this manual.

Splunk and virtual machines

If you run Splunk in a virtual machine (VM) on any platform, performance will degrade. This is because virtualization works by abstracting the hardware on a system into resource pools from which VMs defined on the system draw as needed. Splunk needs sustained access to a number of resources, particularly disk I/O, for indexing operations. Running Splunk in a VM or alongside other VMs can cause reduced indexing performance.

For detailed performance estimates of Splunk on virtual hardware, read "Reference hardware" in this manual.

Recommended and minimum hardware capacity

Platform Recommended hardware capacity/configuration Minimum supported hardware capacity
Non-Windows platforms 2x quad-core Intel Xeon, 3 GHz, 8 GB RAM, Redundant Array of Independent Disks (RAID) 0 or 1+0, with a 64 bit OS installed. 1x1.4 GHz CPU, 1 GB RAM
Windows platforms 2x quad-core Intel Xeon, 3 GHz, 8 GB RAM, RAID 0 or 1+0, with a 64 bit OS installed. Pentium 4 or equivalent at 2 GHz, 2 GB RAM

Note: RAID 0 configurations do not provide fault-tolerance. Be certain that a RAID 0 configuration meets your data reliability needs before deploying a Splunk indexer on a system configured with RAID 0.

  • All configurations other than universal and light forwarder instances require at least the recommended hardware configuration.
  • The minimum supported hardware guidelines are designed for personal use of Splunk. The requirements for Splunk in a production environment are significantly higher.

Important: For all installations, including forwarders, you must have a minimum of 2 GB of hard disk space available in addition to the space required for any indexes. Refer to "Estimate your storage requirements" in this manual for additional information.

Hardware requirements for universal and light forwarders

Recommended Dual-core 1.5 GHz+ processor, 1 GB+ RAM
Minimum 1.0 Ghz processor, 512 MB RAM

Supported file systems

Platform File systems
Linux ext2/3/4, reiser3, XFS, NFS 3/4
Solaris UFS, ZFS, VXFS, NFS 3/4
FreeBSD FFS, UFS, NFS 3/4, ZFS
Mac OS X HFS, NFS 3/4
AIX JFS, JFS2, NFS 3/4
HP-UX VXFS, NFS 3/4
Windows NTFS, FAT32

Note: If you run Splunk on a filesystem that is not listed above, Splunk might run a start-up utility named locktest to test the viability of a filesystem for running Splunk. Locktest is a program that tests the start up process. If locktest runs and fails, then the filesystem is not suitable for running Splunk.

Considerations regarding File Descriptors (FDs)

Splunk allocates file descriptors on *nix systems for actively monitored files, forwarder connections, deployment clients, users running searches, and so on.

Usually, the default file descriptor limit (ulimit) on a *nix-based OS is 1024. Your Splunk administrator should determine the correct level, but it should be at least 8192. Even if Splunk allocates just a single file descriptor for each of the activities above, it’s easy to see how a few hundred files being monitored, a few hundred forwarders sending data, a handful of very active users on top of reading/writing to/from the datastore can easily exhaust the default setting.

The more tasks your Splunk instance is doing, the more FDs it will need, so you should increase the ulimit value if you start to see your instance run into problems with low FD limits.

For more information, read about ulimit in the Troubleshooting Manual.

This consideration is not applicable to Windows-based systems.

Considerations regarding Network File System (NFS)

NFS is often a poor choice for Splunk indexing activity, owing to performance, resilience, and semantics.

In environments with very high-bandwidth, very low-latency, reliable links, it can be an appropriate choice. Typically, this is implemented via a SAN (Storage Area Network) accessed via the NFS protocol.

Splunk does not support "soft" NFS mounts (mounts which cause a program attempting a file operation on the mount to report an error in case of a failure). Only "hard" NFS mounts are reliable with Splunk.

When mounting NFS volumes, do not disable attribute caching. If you have other applications which require disabling or reducing attribute caching, then you must provide Splunk a separate mount with attribute caching enabled.

If you use NFS in a distributed Splunk environment, do not use NFS mounts over a wide area network (WAN). Doing so will cause performance issues. Read "Distributed Splunk overview" in the Distributed Deployment Manual for additional information.

Note: On FreeBSD, Splunk does not support nullfs mounts.

Considerations regarding solid state drives

Solid state drives (SSDs) gain most of their performance through read operations. Splunk relies on fast disk write performance in order to index data with low latency. SSDs do not provide a significant write-speed advantage in Splunk over fast conventional hard drives.

SSDs deliver significant performance gains over conventional hard drives for Splunk in "rare" searches - searches that request small sets of results over large swaths of data - when used in combination with bloom filters. They also deliver performance gains with concurrent searches overall.

Supported server hardware architectures

Splunk supports installation on both 32- and 64-bit architectures for some platforms. See the download page page for details.

PREVIOUS
Installation overview
  NEXT
Components of a Splunk deployment

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters