Splunk® Enterprise

Installation Manual

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

System requirements

Before you download and install the Splunk software, read this topic carefully to learn about which computing environments Splunk supports.

Refer to the download page for the latest version to download. Check the release notes for details on known and resolved issues.

For a discussion of hardware planning for deployment, review "Hardware capacity planning for your Splunk Enterprise deployment" in this manual.

If you have ideas or requests for new features to add to future releases, get in touch with Splunk Support. You can also review our product road map.

Supported server hardware architectures

Splunk offers support for 32 and 64-bit architectures on some platforms. See the download page for details.

Supported OSes

Important: Read the following tables carefully when researching the system requirements. Splunk availability has changed significantly from previous versions.

The tables below list the computing platforms that Splunk is available for. The first table lists availability for *nix operating systems and the second lists availability for Windows operating systems.

To find out whether or not Splunk Enterprise is available for your platform:

1. Find the operating system you wish to install Splunk Enterprise on in the left column.

2. Then, read across to find the appropriate computing architecture in the center column that best matches your environment.

The tables show availability for two different types of Splunk, as shown in the two columns on the right: Splunk Enterprise/Trial, and Splunk Universal Forwarder. A '✔' in the box that intersects your computing platform and desired Splunk type means that Splunk is available for that platform. An empty box means that Splunk is not available for that platform.

Some boxes have characters instead of a '✔'. Refer to the bottom of the tables to find out what the additional characters represent.

Unix operating systems

Operating system Architecture Enterprise / Trial Universal Forwarder
Solaris 8 x86 (64-bit)
x86 (32-bit)
Solaris 9 x86 (64-bit)
x86 (32-bit)
Solaris 10 and 11* x86 (64-bit)
x86 (32-bit) * *
Linux, 2.4+ with Native POSIX Thread Library x86 (64-bit)
x86 (32-bit)
Linux, 2.6+ x86 (64-bit)
x86 (32-bit)
Linux, 3.0+ x86 (64-bit)
x86 (32-bit)
PowerLinux, 2.6+ PowerPC
zLinux, 2.6+ s390x
FreeBSD 7** and 8 x86 (64-bit)
x86 (32-bit)
FreeBSD 9 x86 (64-bit)
Mac OS X 10.7, 10.8, and 10.9 Intel
AIX 5.3 PowerPC
AIX 6.1 and 7.1 PowerPC
HP/UX† 11i v2 and 11i v3 Itanium

* Splunk is available and supported on Solaris 10. Solaris 11 does not support 32-bit Splunk installs.
** Read important notes on FreeBSD 7 compatibility below.
† You must use gnu tar to unpack the HP/UX installation archive.

Windows operating systems

The table below lists the Windows computing platforms that Splunk is available for.

Operating system Architecture Enterprise / Trial Universal Forwarder
Windows Server 2003 and Server 2003 R2 x86 (64-bit)
x86 (32-bit) *** ***
Windows Server 2008 and Server 2008 R2© x86 (64-bit)
x86 (32-bit) *** ***
Windows Server 2012 and Server 2012 R2 x86 (64-bit)
Windows XP x86 (64-bit)
x86 (32-bit) ***
Windows Vista x86 (64-bit)
x86 (32-bit) ***
Windows 7 x86 (64-bit)
x86 (32-bit) *** ***
Windows 8 x86 (64-bit)
x86 (32-bit)
Windows 8.1 x86 (64-bit)
x86 (32-bit)

© There is no 32-bit version of Windows Server 2008 R2.
*** This version of Splunk is available and supported but is not recommended on this platform and architecture.
¶ Splunk Enterprise is not available on this platform. However, Splunk Trial and Splunk Universal Forwarder are available.

Operating system notes and additional information


Certain parts of Splunk on Windows require elevated user permissions to function properly. For additional information about what is required, read the following topics:

FreeBSD 7.x

To run Splunk 6.x on 32-bit FreeBSD 7.x, install the compat6x libraries. Splunk Support will supply "best effort" support for users running on FreeBSD 7.x. For more information, refer to "Install Splunk on FreeBSD 7" in the Community Wiki.

Deprecated operating systems and features

As we continue to version the Splunk product, we gradually deprecate support of older operating systems. Read "Deprecated features" in the Release Notes for information on which platforms and features have been deprecated or removed entirely.

Creating and editing configuration files on non-UTF-8 OSes

Splunk expects configuration files to be in ASCII or Universal Character Set Transformation Format-8-bit (UTF-8) format. If you edit or create a configuration file on an OS that does not use UTF-8 character set encoding, then you must ensure that the editor you are using is configured to save in ASCII/UTF-8.

IPv6 platform support

All Splunk-supported OS platforms are supported for use with IPv6 configurations except for the following:

  • AIX
  • HP/UX on PA-RISC architecture
  • Solaris 9

Refer to "Configure Splunk for IPv6" in the Admin Manual for details on Splunk IPv6 support.

Supported browsers

Splunk Enterprise supports the following browsers:

  • Firefox ESR (24.2) and latest
  • Internet Explorer 9, 10, and 11
  • Safari (latest)
  • Chrome (latest)

You should also make sure you have the latest version of Adobe Flash installed to render any charts that use options not supported by the JSChart module. For more information about this subject, read "About JSChart" in the Splunk Data Visualizations Manual.

Recommended hardware

Splunk Enterprise is a high-performance application. If you are performing a comprehensive evaluation of Splunk for production deployment, we recommend that you use hardware typical of your production environment. This hardware should meet or exceed the recommended hardware capacity specifications below.

For a discussion of hardware planning for production deployment, see "Hardware capacity planning for your Splunk deployment" in this manual.

Splunk and virtual machines

If you run Splunk Enterprise in a virtual machine (VM) on any platform, performance degrades. This is because virtualization works by abstracting the hardware on a system into resource pools from which VMs defined on the system draw as needed. Splunk Enterprise needs sustained access to a number of resources, particularly disk I/O, for indexing operations. Running Splunk in a VM or alongside other VMs can cause reduced indexing and search performance.

Recommended and minimum hardware capacity

Platform Recommended hardware capacity/configuration Minimum supported hardware capacity
Non-Windows platforms 2x six-core, 2+ GHz CPU, 12 GB RAM, Redundant Array of Independent Disks (RAID) 0 or 1+0, with a 64 bit OS installed. 1x1.4 GHz CPU, 1 GB RAM
Windows platforms 2x six-core, 2+ GHz CPU, 12 GB RAM, RAID 0 or 1+0, with a 64 bit OS installed. Intel Nehalem CPU or equivalent at 2 GHz, 2 GB RAM

Note: RAID 0 configurations do not provide fault-tolerance. Be certain that a RAID 0 configuration meets your data reliability needs before deploying a Splunk indexer on a system configured with RAID 0.

  • All configurations other than universal and light forwarder instances require at least the recommended hardware configuration.
  • The minimum supported hardware guidelines are designed for personal use of Splunk. The requirements for Splunk in a production environment are significantly higher.

Important: For all installations, including forwarders, you must have a minimum of 5 GB of hard disk space available in addition to the space required for any indexes. Refer to "Estimate your storage requirements" in this manual for additional information.

Hardware requirements for universal and light forwarders

Recommended Dual-core 1.5 GHz+ processor, 1 GB+ RAM
Minimum 1.0 Ghz processor, 512 MB RAM

Supported file systems

Platform File systems
Linux ext2/3/4, reiser3, XFS, NFS 3/4
Solaris UFS, ZFS, VXFS, NFS 3/4
Mac OS X HFS, NFS 3/4
Windows NTFS, FAT32

Note: If you run Splunk Enterprise on a filesystem that is not listed above, Splunk might run a startup utility named locktest to test the viability of a filesystem for running Splunk. Locktest is a program that tests the start up process. If locktest runs and fails, then the filesystem is not suitable for running Splunk.

Considerations regarding Network File System (NFS)

When you use Network File System (NFS) as a storage medium for Splunk indexing, consider all of the ramifications of file level storage.

Use block level storage rather than file level storage for indexing your data.

In environments with reliable, high-bandwidth, low-latency links, or with vendors that provide high-availability, clustered network storage, NFS can be an appropriate choice. However, customers who choose this strategy should work with their hardware vendor to confirm that the storage platform they choose operates to the specification in terms of both performance and data integrity.

If you use NFS, be aware of the following issues:

  • Do not use NFS to host hot or warm index buckets as a failure in NFS can cause data loss. NFS works best with cold or frozen buckets.
  • Do not use NFS to share cold or frozen index buckets amongst an indexer cluster, as this potentially creates a single point of failure.
  • Do not use NFS mounts over a wide area network (WAN). Doing so causes performance issues and can lead to data loss.
  • Splunk Enterprise does not support "soft" NFS mounts. These are mounts that cause a program attempting a file operation on the mount to report an error and continue in case of a failure.
  • Only "hard" NFS mounts (mounts where the client continues to attempt to contact the server in case of a failure) are reliable with Splunk Enterprise.
  • Do not disable attribute caching. If you have other applications that require disabling or reducing attribute caching, then you must provide Splunk Enterprise with a separate mount with attribute caching enabled.

Considerations regarding file descriptor limits (FDs) on *nix systems

Splunk Enterprise allocates system-wide resources like file descriptors and user processes on *nix systems for monitoring, forwarding, deploying, searching, and other things. The ulimit command controls access to these resources which must be set to acceptable levels for Splunk Enterprise to function properly on *nix systems.

The more tasks your Splunk Enterprise instance performs, the more resources it needs. You should increase the ulimit values if you start to see your instance run into problems with low resource limits. See I get errors about ulimit in splunkd.log in the Troubleshooting Manual.

The following table shows the system-wide resources that the software uses. It provides the minimum recommended settings for these resources for instances that are not forwarders (such as indexers, search heads, cluster masters, license masters, deployment servers, and Monitoring Consoles (MC)).

System-wide Resource ulimit invocation Recommended min. value
Open files ulimit -n 8192
User processes ulimit -u 1024
Data segment size ulimit -d 1073741824

On hosts that run FreeBSD, you might need to increase the kernel parameters for default and maximum process stack size. The following table shows the parameters that must be present in /boot/loader.conf on the host.

System-wide Resource Kernel parameter Recommended value
Default process data size (soft limit) dfldsiz 2147483648
Maximum process data size (hard limit) maxdsiz 2147483648

This consideration is not applicable to Windows-based systems.

Considerations regarding solid state drives

Solid state drives (SSDs) deliver significant performance gains over conventional hard drives for Splunk in "rare" searches - searches that request small sets of results over large swaths of data - when used in combination with bloom filters. They also deliver performance gains with concurrent searches overall.

Considerations regarding Common Internet File System (CIFS)/Server Message Block (SMB)

Splunk Enterprise supports the use of the CIFS/SMB protocol for the following purposes, on shares supported by Windows hosts only:

When you use a CIFS resource for storage, confirm that the resource has write permissions for the user that connects to the resource at both the file and share levels. If you use a third-party storage device, ensure that its implementation of CIFS is compatible with the implementation that your Splunk Enterprise instance runs as a client.

Do not attempt to index data to a mapped network drive on Windows (for example "Y:\" mapped to an external share.) Splunk Enterprise disables any index it encounters with a non-physical drive letter.

Other considerations

Considerations regarding environments that use the transparent huge pages memory management scheme

If you run a Unix environment that makes use of transparent huge memory pages, see "Transparent huge memory pages and Splunk performance" before attempting to install Splunk Enterprise.

No such scheme exists on Windows operating systems.

Last modified on 21 October, 2016
Installation overview
Components of a Splunk Enterprise deployment

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters