
Install on Windows via the command line
This topic describes the procedure for installing Splunk Enterprise on Windows from the command line. Before installing, be sure to read "Choose the Windows user Splunk should run as" to determine which user account Splunk should run as to address your specific needs.
Important: Running the 32-bit version of Splunk for Windows on a 64-bit Windows system is not recommended. If you run the 32-bit installer on a 64-bit system, the installer will warn you about this.
We strongly recommend that you run 64-bit Splunk on 64-bit hardware. The performance is greatly improved over the 32-bit version.
Note: If you want to install the Splunk universal forwarder, see the Forwarding Data manual: "Universal forwarder deployment overview". Unlike Splunk Enterprise heavy and light forwarders, which are full Splunk instances with some features changed or disabled, the universal forwarder is an entirely separate executable, with its own set of installation procedures. For an introduction to forwarders, see "About forwarding and receiving", also in the Forwarding Data Manual.
When to install from the command line?
You can manually install Splunk Enterprise on individual machines from a command prompt or PowerShell window. Here are some scenarios where installing from the command line is useful:
- You want to install Splunk, but don't want it to start right away.
- You want to automate installation of Splunk with a script.
- You want to install Splunk on a system that you will clone later.
- You want to use a deployment tool such as Group Policy or System Center Configuration Manager.
Upgrading?
If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding.
In particular, be aware that Splunk does not support changing the management or HTTP ports during an upgrade.
Before you install
Choose the Windows user Splunk Enterprise should run as
Before installing, be sure to read "Choose the Windows user Splunk should run as" to determine which user account Splunk should run as to address your specific data collection needs. The user you choose has specific ramifications on what you need to do prior to installing the software, and more details can be found there.
Splunk for Windows and anti-virus software
The Splunk Enterprise indexing subsystem requires lots of disk throughput. Anti-virus software - or any software with a device driver that intermediates between Splunk and the operating system - can rob Splunk of processing power, causing slowness and even an unresponsive system.
It's extremely important to configure such software to avoid on-access scanning of Splunk Enterprise installation directories and processes, before starting a Splunk installation.
Install Splunk Enterprise from the command line
You can install Splunk Enterprise from the command line by invoking msiexec.exe.
For 32-bit platforms, use splunk-<...>-x86-release.msi:
msiexec.exe /i splunk-<...>-x86-release.msi [<flag>]... [/quiet]
For 64-bit platforms, use splunk-<...>-x64-release.msi:
msiexec.exe /i splunk-<...>-x64-release.msi [<flag>]... [/quiet]
The value of <...> varies according to the particular release; for example, splunk-5.0-125454-x64-release.msi.
Command line flags allow you to configure Splunk Enterprise at installation time. Using command line flags, you can specify a number of settings, including:
- Which Windows event logs to index.
- Which Windows Registry hive(s) to monitor.
- Which Windows Management Instrumentation (WMI) data to collect.
- The user Splunk Enterprise runs as (Important: Read "Choose the Windows user Splunk should run as" for information on what type of user you should install your Splunk instance with.)
- An included application configuration for Splunk to enable (such as the Splunk light forwarder.)
- Whether or not Splunk should start up automatically when the installation is completed.
Note: The first time you access Splunk Web after installation, log in with the default username admin and password changeme.
Supported flags
The following is a list of the flags you can use when installing Splunk for Windows via the command line.
Important: The Splunk universal forwarder is a separate executable, with its own installation flags. Review the supported installation flags for the universal forwarder in "Deploy a Windows universal forwarder from the command line" in the Forwarding Data manual.
| Flag | What it's for | Default |
|---|---|---|
| AGREETOLICENSE=Yes\|No | Use this flag to agree to the EULA. This flag must be set to Yes for a silent installation. | No |
| INSTALLDIR="<directory_path>" | Use this flag to specify the directory to install to. Splunk's installation directory is referred to as $SPLUNK_HOME or %SPLUNK_HOME% throughout this documentation set. | C:\Program Files\Splunk |
| SPLUNKD_PORT=<port number> | Use these flags to specify alternate ports for splunkd and splunkweb to use. Note: If you specify a port and that port is not available, Splunk will automatically select the next available port. | 8089 |
| WEB_PORT=<port number> | Use these flags to specify alternate ports for splunkd and splunkweb to use. Note: If you specify a port and that port is not available, Splunk will automatically select the next available port. | 8000 |
|  | Use these flags to specify whether or not Splunk should index a particular Windows event log: Application log, Security log, System log, Forwarder log, Setup log. Note: You can specify multiple flags. | 0 (off) |
|  | Use this flag to specify whether or not Splunk should index events from capture a baseline snapshot of the Windows Registry user hive ( Note: You can set both of these at the same time. | 0 (off) |
|  | Use this flag to specify whether or not Splunk should index events from capture a baseline snapshot of the Windows Registry machine hive ( Note: You can set both of these at the same time. | 0 (off) |
|  | Use these flags to specify which popular WMI-based performance metrics Splunk should index: CPU usage, Local disk usage, Free disk space, Memory statistics. Caution: If you need this instance of Splunk to monitor remote Windows data, then you must also specify the There are many more WMI-based metrics that Splunk can index. Review "Monitor WMI Data" in the Getting Data In Manual for specific information. | 0 (off) |
| LOGON_USERNAME="<domain\username>" | Use these flags to provide domain\username and password information for the user that Splunk will run as. The splunkd and splunkweb services are configured with these credentials. For the LOGON_USERNAME flag, you must specify the domain with the username in the format "domain\username". These flags are required if you want this Splunk Enterprise installation to monitor any remote data. Review "Choose the Windows user Splunk should run as" in this manual for additional information about which credentials to use. | none |
| SPLUNK_APP="<SplunkApp>" | Use this flag to specify an included Splunk application configuration to enable for this installation of Splunk. Currently supported options for <SplunkApp> are: SplunkLightForwarder and SplunkForwarder. These specify that this instance of Splunk will function as a light forwarder or heavy forwarder, respectively. Refer to the "About forwarding and receiving" topic in the Forwarding Data manual for more information. Important: The full version of Splunk does not enable the universal forwarder. The universal forwarder is a separate downloadable executable, with its own installation flags. Note: If you specify either the Splunk forwarder or light forwarder here, you must also specify FORWARD_SERVER="<server:port>". To install Splunk Enterprise with no applications at all, simply omit this flag. | none |
| FORWARD_SERVER="<server:port>" | Use this flag *only* when you are also using the SPLUNK_APP flag to enable either the Splunk heavy or light forwarder. Specify the server and port of the Splunk server to which this forwarder will send data. Important: This flag requires that the | none |
| DEPLOYMENT_SERVER="<host:port>" | Use this flag to specify a deployment server for pushing configuration updates. Enter the deployment server's name (hostname or IP address) and port. | none |
| LAUNCHSPLUNK=0/1 | Use this flag to specify whether or not Splunk should start up automatically on system boot. Important: If you enable the Splunk Forwarder by using the | 1 (on) |
| INSTALL_SHORTCUT=0/1 | Use this flag to specify whether or not the installer should create a shortcut to Splunk on the desktop and in the Start Menu. | 1 (on) |
Silent installation
To run the installation silently, add /quiet to the end of your installation command string. If your system is running UAC (which is sometimes on by default) you must run the installation as Administrator. To do this: when opening a cmd prompt, right click and select "Run As Administrator". Then use this cmd window to run the silent install command.
Examples
The following are some examples of using different flags.
Silently install Splunk Enterprise to run as the Local System user
msiexec.exe /i Splunk.msi /quiet
Enable SplunkForwarder and specify credentials for the user Splunk Enterprise will run as
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" LOGON_USERNAME="AD\splunk" LOGON_PASSWORD="splunk123"
Enable SplunkForwarder, enable indexing of the Windows System event log, and run the installer in silent mode
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" WINEVENTLOG_SYS_ENABLE=1 /quiet
Where "<server:port>" are the server and port of the Splunk server to which this machine should send data.
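A scripted form of the silent install described above, as an added example that is not part of the Splunk documentation: it checks for elevation and free ports, prompts for the service account instead of hard-coding it, and checks the msiexec exit code. The script parameters and the selection of flags are assumptions; every flag name is taken from the table on this page.

```powershell
# Added example, not Splunk's own script. $MsiPath and the flag choices are assumptions.
param(
    [Parameter(Mandatory)] [string] $MsiPath,   # e.g. a splunk-<...>-x64-release.msi file
    [int] $SplunkdPort = 8089,                  # defaults from the flag table
    [int] $WebPort     = 8000
)

# Silent installs need an elevated session when UAC is on.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated ("Run As Administrator") prompt.'
}

# The 32-bit installer on a 64-bit system is not recommended.
if ([Environment]::Is64BitOperatingSystem -and $MsiPath -notmatch 'x64-release\.msi$') {
    Write-Warning "64-bit Windows detected but '$MsiPath' does not look like the x64 installer."
}

# If a requested port is busy, Splunk selects the next available one, so fail
# early rather than end up listening on a port nobody planned for.
foreach ($port in $SplunkdPort, $WebPort) {
    if (Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue) {
        throw "Port $port is already listening; choose another SPLUNKD_PORT/WEB_PORT."
    }
}

# Prompt for the service account so the password is not stored in the script.
# It is still passed to msiexec.exe on its command line.
$cred = Get-Credential -Message 'Account Splunk should run as (domain\username)'
if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$') { throw 'LOGON_USERNAME must be domain\username.' }

$msiArgs = @(
    '/i', "`"$MsiPath`"",
    'AGREETOLICENSE=Yes',                        # must be Yes for a silent installation
    "SPLUNKD_PORT=$SplunkdPort", "WEB_PORT=$WebPort",
    "LOGON_USERNAME=`"$($cred.UserName)`"",
    "LOGON_PASSWORD=`"$($cred.GetNetworkCredential().Password)`"",
    'LAUNCHSPLUNK=0',                            # do not start Splunk automatically
    '/quiet'
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer exit codes: 0 = success, 3010 = success, reboot required.
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode)" }
'Installed. Change the default admin/changeme login as soon as Splunk is started.'
```

A password containing a double quote would break the quoting of LOGON_PASSWORD above; pick a service-account password without one or adapt the escaping.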
Launch Splunk in a Web browser
To access Splunk Web after you start Splunk on your machine, you can either:
- Click the Splunk icon in Start>Programs>Splunk
or
- Open a Web browser and navigate to http://localhost:8000.
Log in using the default credentials: username: admin and password: changeme. Be sure to change the admin password as soon as possible and make a note of what you changed it to.
Avoid IE Enhanced Security pop-ups
To avoid IE Enhanced Security pop-ups, add the following URLs to the allowed Intranet group or fully trusted group in IE:
- quickdraw.splunk.com
- the URL of your Splunk instance
Install or upgrade license
If you are performing a new installation of Splunk or switching from one license type to another, you must install or update your license.
What's next?
Now that you've installed Splunk Enterprise, what comes next?
You can also review this topic about considerations for deciding how to monitor Windows data in the Getting Data In manual.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15