Splunk® Enterprise

Installation Manual

This documentation does not apply to the most recent version of Splunk.

Install on Linux

You can install Splunk Enterprise on Linux using RPM or DEB packages or a tar file.

Note: To install the Splunk universal forwarder, see "Universal forwarder deployment overview" in the Forwarding Data manual. Unlike Splunk heavy and light forwarders, which are full Splunk Enterprise instances with some features changed or disabled, the universal forwarder is a separate executable, with its own set of installation procedures. For an introduction to forwarders, see "About forwarding and receiving."

Upgrading?

If you are upgrading, see "How to upgrade Splunk" for instructions and migration considerations before you upgrade.

Tar file installation

To install Splunk Enterprise on a Linux system, expand the tar file into an appropriate directory using the tar command:

tar xvzf splunk_package_name.tgz

The default installation directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

tar xvzf splunk_package_name.tgz -C /opt

Note: When you install Splunk Enterprise with a tar file:

  • Some non-GNU versions of tar might not have the -C argument available. In this case, to install in /opt/splunk, either cd to /opt or place the tar file in /opt before you run the tar command. This method works for any accessible directory on your machine's file system.
  • Splunk Enterprise does not create the splunk user. If you want Splunk Enterprise to run as a specific user, you must create the user manually before you install.
  • Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

RedHat RPM install

Ensure that the Splunk build RPM package you want is available locally on the target server. Verify that the file is readable and executable by the Splunk user. If needed, change the access permissions:

 
chmod 744 splunk_package_name.rpm

To install the Splunk RPM in the default directory /opt/splunk:

rpm -i splunk_package_name.rpm

To install Splunk in a different directory, use the --prefix flag:

rpm -i --prefix=/opt/new_directory splunk_package_name.rpm

Note: Installing with rpm in a non-default directory is not recommended. RPM offers no safety net at upgrade time: if the --prefix value does not agree with the existing installation directory, the upgrade will go awry.

To upgrade an existing Splunk Enterprise installation that resides in /opt/splunk using the RPM:

rpm -U splunk_package_name.rpm

Note: Upgrading an RPM upgrades the rpm package, not Splunk Enterprise. You can upgrade with rpm only if the existing installation was done with rpm. There is no smooth transition from tar installs to rpm installs. This is not a Splunk Enterprise issue, but a fundamental packaging issue.

To upgrade an existing Splunk Enterprise installation that was done in a different directory, use the --prefix flag:

rpm -U --prefix=/opt/existing_directory splunk_package_name.rpm

Note: If you do not specify your existing directory with --prefix, rpm installs in the default location of /opt/splunk.

For example, to upgrade an existing installation where $SPLUNK_HOME=/opt/apps/splunk, enter the following:

rpm -U --prefix=/opt/apps splunk_package_name.rpm

To replace an existing Splunk Enterprise installation:

rpm -i --replacepkgs --prefix=/splunkdirectory/ splunk_package_name.rpm

If you want to automate your RPM install with kickstart, add the following to your kickstart file:

./splunk start --accept-license
./splunk enable boot-start 

Note: The second line is optional for the kickstart file.

Enable Splunk Enterprise to start at system boot by adding it to /etc/init.d/. Run this command as root or with sudo, and specify the user that Splunk Enterprise should run as.

./splunk enable boot-start -user splunkuser

Debian DEB install

You can install the Splunk DEB package only in the default location, /opt/splunk. This location must be a regular directory, and not a symbolic link. If you need to install Splunk somewhere else, or if you use a symbolic link for /opt/splunk, use a tar file to install the software.

To install the Splunk DEB package:

dpkg -i splunk_package_name.deb

What gets installed

Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

Default shell

Splunk Enterprise assumes you are using the bash shell.

Using the dash shell can result in zombie processes.
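The preconditions stated above can be checked before you install: the DEB target must be a regular directory and not a symbolic link, the run-as user must already exist, and the shell should not be dash. The following is an added example, not part of the Splunk documentation; the function names, the splunk account name and the /bin/sh default are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Splunk code): preflight checks for the constraints
# described on this page. Function names and defaults are assumptions.

# DEB installs require the target to be a regular directory, never a symlink.
# Succeeds if the path is absent or a real directory; fails otherwise.
deb_target_ok() {
    local target="${1:-/opt/splunk}"
    if [ -L "$target" ]; then return 1; fi   # symlink: install from tar instead
    [ ! -e "$target" ] || [ -d "$target" ]
}

# Splunk Enterprise does not create its run-as account; confirm it exists.
run_user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Splunk assumes bash. Fails if the given sh path resolves to dash.
sh_is_not_dash() {
    local sh_path="${1:-/bin/sh}" resolved
    resolved=$(readlink -f "$sh_path" 2>/dev/null) || resolved="$sh_path"
    [ "$(basename "$resolved")" != "dash" ]
}

# Run all checks; print one line per failed check, return non-zero on any.
preflight() {
    local target="$1" user="$2" sh_path="$3" rc=0
    deb_target_ok "$target" || { echo "FAIL: $target is a symlink or not a directory"; rc=1; }
    run_user_exists "$user" || { echo "FAIL: user '$user' does not exist; create it first"; rc=1; }
    sh_is_not_dash "$sh_path" || { echo "WARN: $sh_path resolves to dash"; rc=1; }
    return "$rc"
}

# Example invocation (run before dpkg -i or tar):
#   preflight /opt/splunk splunk /bin/sh
```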

Start Splunk

Splunk Enterprise can run as any user on the local system. If you run it as a non-root user, make sure that it has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk Enterprise as a non-root user.

To start Splunk Enterprise from the command-line interface, run the following command from $SPLUNK_HOME/bin directory, where $SPLUNK_HOME is the directory into which you installed Splunk Enterprise:

 ./splunk start

By convention, this document uses:

  • $SPLUNK_HOME to identify the path to your Splunk Enterprise installation.
  • $SPLUNK_HOME/bin/ to indicate the location of the command-line interface.

Startup options

The first time you start Splunk Enterprise after a new installation, you must accept the license agreement. To start Splunk Enterprise and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

Launch Splunk Web and log in

After you start Splunk Enterprise and accept the license agreement, you can launch Splunk Web.

1. In a browser window, access Splunk Web at http://<hostname>:port.

  • hostname is the host machine.
  • port is the port you specified during the installation (the default port is 8000).

Note: Use HTTP the first time you access Splunk Enterprise.

2. Splunk Web prompts you for login information before it launches. The default is user name admin and password changeme. If you switch to Splunk Free, you bypass this logon page in future sessions.

What's next?

Now that you've installed Splunk Enterprise, what comes next?

Uninstall Splunk Enterprise

To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in this manual.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15


Comments

Hi Sfolk,

What is the file system you are running on this instance? Usually that error appears when Splunk can't manipulate file locking on the system. Make sure that the file system that you use is listed in the "Supported file systems" section of the System Requirements page in the Installation manual. If it is, and you're still experiencing problems, then you should open a support case. Thanks.

Malmoore
April 10, 2015

Bump

How do you fix the following installation error "homepath = '/home/isso/Downloads/splunk/var/lib/splunk/audit/db' of index =_audit on unusable file system. Validating databases (splunkd)failed with code '1'.

Sfolk
March 31, 2015

Hi MWisniewski9,

This command is for the Splunk Enterprise package, which is called 'splunk.' The package for the forwarder is indeed called 'splunkforwarder'.

Malmoore
March 6, 2015

Ubuntu users installing the universal forwarder: dpkg --status splunk turned up nothing for me. Try dpkg --list | grep splunk if you are looking to find the Splunk forwarder, and use the command dpkg --status splunkforwarder.

Mwisniewski9
March 6, 2015

Hey, dears, what is "libmongoc-1.0.so.0 => not found & libbson-1.0.so.0 => not found .. etc..." ???

How must I install your product on Debian? You didn't mention a list of dependencies anywhere. Is it too hard to push into the deb a directory called doc/ with doc/debian-installation-readme.txt

with

apt-get install -y package1.deb package2.deb ... packageX.deb

? Like everyone else is doing.

Ukzvchaw
December 23, 2014

/opt/splunk/bin# ldd splunkd
 linux-vdso.so.1 => (0x00007fff511fe000)
 libjemalloc.so.1 => /usr/lib/x86_64-linux-gnu/libjemalloc.so.1 (0x00007f8ebac65000)
 libmongoc-1.0.so.0 => not found
 libbson-1.0.so.0 => not found
 librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f8ebaa5c000)
 libpcre.so.1 => not found
 libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f8eba6fb000)
 libxslt.so.1 => /usr/lib/x86_64-linux-gnu/libxslt.so.1 (0x00007f8eba4bd000)
 libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f8eba25d000)
 libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f8eb9e64000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f8eb9c60000)
 libarchive.so.13 => not found
 libbz2.so.1 => /lib/x86_64-linux-gnu/libbz2.so.1 (0x00007f8eb9a4f000)
 libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007f8eb97a0000)

Ukzvchaw
December 23, 2014

How do you fix the following installation error "homepath = '/home/isso/Downloads/splunk/var/lib/splunk/audit/db' of index =_audit on unusable file system. Validating databases (splunkd)failed with code '1'.

ISSOCheck
September 11, 2014
