Splunk® Enterprise

Installation Manual

Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.

Start Splunk Enterprise for the first time

Before you begin using your new Splunk Enterprise upgrade or installation, take a few moments to make sure that the software and your data are secure.

As part of the initial startup process, Splunk Enterprise prompts you to create credentials for the administrator user. You can choose a username or use the default of admin. You can also enter a password. You must complete both steps for Splunk Enterprise to start and operate normally.

See the following topics in the Securing Splunk manual for more information:

If you start Splunk Enterprise for the first time with the --no-prompt CLI argument, then the software does not prompt you to create the administrator credentials. If you do not create the credentials then Splunk Enterprise displays a message on login that there is no user. You must then manually create the credentials and restart Splunk Enterprise before you can log in. See "Create admin credentials manually" later in this topic for instruction on creating the credentials.

On Windows

You can start Splunk Enterprise on Windows using either the command line or the Services control panel. Using the command line offers more options.

From a command prompt or PowerShell window, run the following commands: 

cd <Splunk Enterprise installation directory>\bin
splunk start

(For Windows users: in subsequent examples and information, replace $SPLUNK_HOME with C:\Program Files\Splunk if you have installed Splunk in the default location. You can also add %SPLUNK_HOME% as a system-wide environment variable by using the Advanced tab in the System Properties dialog box.)

On UNIX

  1. Use the Splunk Enterprise command-line interface (CLI):
    cd <Splunk Enterprise installation directory>/bin
./splunk start
  2. Create the Splunk Enterprise admin username. This is the user that you log into Splunk Enterprise with, not the user that you use to log into your machine or onto splunk.com. You can press Enter to use the default username of admin. 
    This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username:
  3. Create the password for the user that you just created. You use these credentials to log into Splunk Enterprise. 
    Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:
  4. If the default management and Splunk Web ports are already in use (or are otherwise not available), Splunk Enterprise offers to use the next available ports. You can either accept this option or specify a port to use.
  5. You can optionally set the SPLUNK_HOME environment variable to the Splunk Enterprise installation directory. Setting the environment variable lets you refer to the installation directory later without having to remember its exact location: 
    export SPLUNK_HOME=<Splunk Enterprise installation directory>
cd $SPLUNK_HOME/bin
./splunk start
  6. Splunk Enterprise displays the license agreement and prompts you to accept before the startup sequence continues.

On Mac OS X

Start Splunk Enterprise from the Finder

  1. Double-click the Splunk icon on the Desktop to launch the helper application, entitled "Splunk's Little Helper".
  2. Click OK to allow Splunk to initialize and set up the trial license.
  3. (Optional) Click Start and Show Splunk to start Splunk Enterprise and direct your web browser to open a page to Splunk Web.
  4. (Optional) Click Only Start Splunk to start Splunk Enterprise, but not open Splunk Web in a browser.
  5. (Optional) Click Cancel to quit the helper application. This does not affect the Splunk Enterprise instance itself, only the helper application.

After you make your choice, the helper application performs the requested application and terminates. You can run the helper application again to either show Splunk Web or stop Splunk Enterprise.

The helper application can also be used to stop Splunk Enterprise if it is already running.

Start Splunk Enterprise from the command line

  1. On macOS, the default Splunk Enterprise installation directory is /Applications/splunk.
    cd <Splunk Enterprise installation directory>/bin
./splunk start
  2. Create the Splunk Enterprise admin username. This is the user that you log into Splunk Enterprise with, not the user that you use to log into your machine or onto splunk.com. You can press Enter to use the default username of admin. 
    This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username:
  3. Create the password for the user that you just created. You use these credentials to log into Splunk Enterprise. 
    Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:

Other start options

Accept the Splunk license automatically when starting for the first time

  1. Add the --accept-license option to the start command: 
    $SPLUNK_HOME/bin/splunk start --accept-license
  2. Create the Splunk Enterprise admin username. This is the user that you log into Splunk Enterprise with, not the user that you use to log into your machine or onto splunk.com. You can press Enter to use the default username of admin. 
    This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username:
  3. Create the password for the user that you just created. You use these credentials to log into Splunk Enterprise. 
    Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:
  4. The startup sequence displays: 
    Splunk> 

Checking prerequisites...
	Checking http port [8000]: open
	Checking mgmt port [8089]: open
	Checking appserver port [127.0.0.1:8065]: open
	Checking kvstore port [8191]: open
	Checking configuration...  Done.
	Checking critical directories...	Done
	Checking indexes...
		Validated: _audit _blocksignature _internal _introspection _thefishbucket history main msad msexchange perfmon sf_food_health sos sos_summary_daily summary windows wineventlog winevents
	Done
	Checking filesystem compatibility...  Done
	Checking conf files for problems...
	Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done
                                                           [  OK  ]

Waiting for web server at http://127.0.0.1:8000 to be available... Done


If you get stuck, we're here to help.  
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://localhost:8000

Start Splunk Enterprise without prompting, or by answering "yes" to any prompts

There are two other start options: no-prompt and answer-yes.

  • If you run $SPLUNK_HOME/bin/splunk start --no-prompt, Splunk Enterprise proceeds with startup until it has to ask a question. Then, it displays the question and why it has to quit, and quits. In this scenario, it does not prompt for administrator credentials. You must manually create the credentials and restart before you can log in. See "Create administrator credentials manually" later in this topic for the procedure.
  • If you run SPLUNK_HOME/bin/splunk start --answer-yes, Splunk Enterprise proceeds with startup and automatically answers "yes" to all yes/no questions that it encounters during startup. It displays each question and answer as it continues.

If you run start Splunk Enterprise with all three options in one line, the following happens:

  • The software accepts the license automatically and does not ask you to accept it.
  • The software answers "yes" to any "yes/no" question.
  • The software quits if it encounters a question that cannot be answered "yes" or "no".

Change where and how Splunk Enterprise starts

To learn how to change system environment variables that control how Splunk Enterprise starts and operates, see "Set or change environment variables" in the Admin manual.

Create administrator credentials manually

If you start Splunk Enterprise for the first time and use the --no-prompt CLI argument, Splunk Enterprise can start without an administrator user, which prevents login. To fix this problem, you must create the credentials and then restart Splunk Enterprise.

  1. Stop Splunk Enterprise: 
    ./splunk stop
  2. With a text editor, create $SPLUNK_HOME/etc/system/local/user-seed.conf, substituting $SPLUNK_HOME for where you installed the software.
  3. Within the file, add the following lines, substituting a password for your new password: 
    [user_info]
USERNAME = admin
PASSWORD = <your new password>
  4. Save the file and close it.
  5. Restart Splunk Enterprise by following the instructions shown earlier in this topic.

For more information on administrator credential creation, including password management for automated installations, see Create a secure administrator password in Securing Splunk Enterprise.

Troubleshoot Splunk Enterprise not starting the first time

If you encounter a situation where Splunk Enterprise does not start, especially after an upgrade, confirm that you have not passed any illegal arguments to the Splunk CLI as part of the start process. If you have passed illegal arguments, rerun the splunk start command without the arguments.

Launch Splunk Web

With a supported web browser, navigate to:

http://<host name or ip address>:8000

Use whatever host and port you chose during installation.

Last modified on 22 October, 2020
Deploy and run Splunk Enterprise inside a Docker container   What happens next?

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters