Before you download and install Splunk Enterprise, read this topic to learn about the computing environments that Splunk supports. See the download page for the latest version to download. See the release notes for details on known and resolved issues.
For a discussion of hardware planning for deployment, see the Capacity Planning Manual.
Supported server hardware architectures
Splunk offers support for 32- and 64-bit architectures on some platforms. See the download page for details.
Supported Operating Systems
The following tables list the available computing platforms for Splunk Enterprise. The first table lists availability for *nix operating systems and the second lists availability for Windows operating systems. Use these tables to determine whether or not Splunk Enterprise is available for your platform.
Each table has a series of boxes that define available computing platforms (operating system and architecture) as well as types of Splunk software. A '✔' (check mark) in a box that intersects your computing platform and Splunk software type means that Splunk software is available for that platform and type.
An empty box means that Splunk software is not available for that platform and type.
If you do not see the operating system or architecture that you are looking for in the list, the software is not available for that platform or architecture. This could mean that we have deprecated or ended support for that platform. See the list of deprecated and removed computing platforms in "Deprecated Features" in the Release Notes.
Some boxes have other characters. See the bottom of each table to learn what the characters mean.
1. Find the operating system on which you want to install Splunk Enterprise in the "Operating system" column.
2. Read across and find the computing architecture in the "Architecture" column that matches your environment.
3. Read across and find the version of Splunk software that you want to use: Splunk Enterprise, Splunk Free, Splunk Trial, or Splunk Universal Forwarder.
4. If Splunk software is available for the computing platform and Splunk type that you want, you can proceed to the download page to get it.
Unix operating systems
|Operating system||Architecture||Enterprise||Free||Trial||Universal Forwarder|
|Solaris 10 and 11*||x86 (64-bit)||✔||✔||✔||✔|
|Linux, 2.6 and later||x86 (64-bit)||✔||✔||✔||✔|
|Linux, 3.x and later||x86 (64-bit)||✔||✔||✔||✔|
|PowerLinux, 2.6 and later||PowerPC||✔|
|zLinux, 2.6 and later||s390x||✔|
|FreeBSD 7**||x86 (32-bit)||✔|
|FreeBSD 8||x86 (64-bit)||✔||✔||✔||✔|
|FreeBSD 9||x86 (64-bit)||✔||✔||✔||✔|
|Mac OS X 10.8, 10.9, and 10.10||Intel||✔||✔||✔|
|AIX 6.1 and 7.1||PowerPC||✔||✔||✔||✔|
|HP/UX† 11i v2 and 11i v3||Itanium||✔|
* Splunk Enterprise is available for Solaris 10. Solaris 11 does not support 32-bit Splunk Enterprise installs.
** See the notes on FreeBSD 7 compatibility below.
† You must use gnu
tar to unpack the HP/UX installation archive.
Windows operating systems
The table lists the Windows computing platforms that Splunk Enterprise supports.
|Operating system||Architecture||Enterprise||Free||Trial||Universal Forwarder|
|Windows Server 2003 and Server 2003 R2||x86 (64-bit)||✔|
|Windows Server 2008||x86 (64-bit)||✔||✔||✔||✔|
|Windows Server 2008 R2, Server 2012, and Server 2012 R2||x86 (64-bit)||✔||✔||✔||✔|
|Windows 7||x86 (64-bit)||✔||✔||✔|
|Windows 8||x86 (64-bit)||✔||✔||✔|
|Windows 8.1||x86 (64-bit)||✔||✔||✔|
*** Splunk supports but does not recommend using Splunk Enterprise on this platform and architecture.
Operating system notes and additional information
Certain parts of Splunk Enterprise on Windows require elevated user permissions to function properly. For information about what is required, see the following topics:
- "Splunk architecture and processes" in this manual.
- "Choose the user Splunk should run as" in this manual.
- "Considerations for deciding how to monitor remote Windows data" in Getting Data In.
To run Splunk 6.x on 32-bit FreeBSD 7.x, install the
compat6x libraries. Splunk Support supplies best effort support for users running on FreeBSD 7.x.
See "Install Splunk on FreeBSD 7" in the Community Wiki.
Deprecated operating systems and features
As we version the Splunk product, we gradually deprecate support of older operating systems. See "Deprecated features" in the Release Notes for information on which platforms and features have been deprecated or removed.
Creating and editing configuration files on non-UTF-8 OSes
Splunk Enterprise expects configuration files to be in ASCII or Universal Character Set Transformation Format-8-bit (UTF-8) format. If you edit or create a configuration file on an OS that does not use UTF-8 character set encoding, then ensure that the editor you are using is configured to save in ASCII/UTF-8.
IPv6 platform support
All Splunk-supported OS platforms are supported for use with IPv6 configurations except for the following:
- HP/UX on PA-RISC architecture
- Solaris 9
See "Configure Splunk for IPv6" in the Admin Manual for details on Splunk IPv6 support.
Splunk Enterprise supports the following browsers:
- Firefox ESR (31.2) and latest
- Internet Explorer 9¶, 10, and 11
- Safari (latest)
- Chrome (latest)
Confirm that you have the latest version of Adobe Flash installed to render any charts that use options that the JSChart module does not support. For information, see "About JSChart" in Developing Views and Apps for Splunk Web.
¶ Internet Explorer version 9 does not support file uploads. Use IE version 10 or later.
If you are performing a comprehensive evaluation of Splunk Enterprise for production deployment, use hardware typical of your production environment. This hardware should meet or exceed the recommended hardware capacity specifications below.
For a discussion of hardware planning for production deployment, see "Introduction to capacity planning for Splunk Enterprise" in the Capacity Planning Manual.
Splunk Enterprise and virtual machines
If you run Splunk Enterprise in a virtual machine (VM) on any platform, performance decreases. This is because virtualization works by abstracting the hardware on a system into resource pools from which VMs defined on the system draw as needed. Splunk Enterprise needs sustained access to a number of resources, particularly disk I/O, for indexing operations. Running Splunk in a VM or alongside other VMs can cause reduced indexing and search performance.
Recommended and minimum hardware capacity
The following requirements are accurate for a single instance installation with light to moderate use. For significant enterprise and distributed deployments, see the Capacity Planning Manual .
|Platform||Recommended hardware capacity/configuration||Minimum supported hardware capacity|
|Non-Windows platforms||2x six-core, 2+ GHz CPU, 12GB RAM, Redundant Array of Independent Disks (RAID) 0 or 1+0, with a 64 bit OS installed.||1x1.4GHz CPU, 1GB RAM|
|Windows platforms||2x six-core, 2+ GHz CPU, 12GB RAM, RAID 0 or 1+0, with a 64-bit OS installed.||Intel Nehalem CPU or equivalent at 2GHz, 2GB RAM|
RAID 0 disk configurations do not provide fault-tolerance. Confirm that a RAID 0 configuration meets your data reliability needs before deploying a Splunk indexer on a system configured with RAID 0.
- All configurations other than universal and light forwarder instances require at least the recommended hardware configuration.
- The minimum supported hardware guidelines are designed for personal use of Splunk Enterprise. The requirements for Splunk Enterprise in a production environment are significantly higher.
Maintain a minimum of 5GB of hard disk space available on any Splunk instance, including forwarders, in addition to the space required for any indexes. See "Estimate your storage requirements" in the Capacity Planning Manual for more information. Failure to maintain this level of free space can result in degraded performance, operating system failure, and data loss.
Hardware requirements for universal and light forwarders
|Recommended||Dual-core 1.5GHz+ processor, 1GB+ RAM|
|Minimum||1.0Ghz processor, 512MB RAM|
Supported file systems
|Linux||ext2/3/4, reiser3, XFS, NFS 3/4|
|Solaris||UFS, ZFS, VXFS, NFS 3/4|
|FreeBSD||FFS, UFS, NFS 3/4, ZFS|
|Mac OS X||HFS, NFS 3/4|
|AIX||JFS, JFS2, NFS 3/4|
|HP-UX||VXFS, NFS 3/4|
If you run Splunk Enterprise on a file system that is not listed, the software might run a startup utility named
locktest to test the viability of the file system.
Locktest is a program that tests the start up process. If
locktest fails, then the file system is not suitable for running Splunk Enterprise.
Considerations regarding Network File System (NFS)
When you use Network File System (NFS) as a storage medium for Splunk indexing, consider all of the ramifications of file level storage.
Use block level storage rather than file level storage for indexing your data.
In environments with reliable, high-bandwidth, low-latency links, or with vendors that provide high-availability, clustered network storage, NFS can be an appropriate choice. However, customers who choose this strategy should work with their hardware vendor to confirm that the storage platform they choose operates to the specification in terms of both performance and data integrity.
If you use NFS, be aware of the following issues:
- Do not use NFS to host hot or warm index buckets as a failure in NFS can cause data loss. NFS works best with cold or frozen buckets.
- Do not use NFS to share cold or frozen index buckets amongst an indexer cluster, as this potentially creates a single point of failure.
- Do not use NFS mounts over a wide area network (WAN). Doing so causes performance issues and can lead to data loss.
- Splunk Enterprise does not support "soft" NFS mounts. These are mounts that cause a program attempting a file operation on the mount to report an error and continue in case of a failure.
- Only "hard" NFS mounts (mounts where the client continues to attempt to contact the server in case of a failure) are reliable with Splunk Enterprise.
- Do not disable attribute caching. If you have other applications that require disabling or reducing attribute caching, then you must provide Splunk Enterprise with a separate mount with attribute caching enabled.
Considerations regarding file descriptor limits (FDs) on *nix systems
Splunk Enterprise allocates system-wide resources like file descriptors and user processes on *nix systems for monitoring, forwarding, deploying, searching, and other things. The
ulimit command controls access to these resources which must be set to acceptable levels for Splunk Enterprise to function properly on *nix systems.
The more tasks your Splunk Enterprise instance performs, the more resources it needs. You should increase the
ulimit values if you start to see your instance run into problems with low resource limits. See I get errors about ulimit in splunkd.log in the Troubleshooting Manual.
The following table shows the system-wide resources that the software uses. It provides the minimum recommended settings for these resources for instances that are not forwarders (such as indexers, search heads, cluster masters, license masters, deployment servers, and Monitoring Consoles (MC)).
|System-wide Resource||ulimit invocation||Recommended min. value|
|Data segment size||
On hosts that run FreeBSD, you might need to increase the kernel parameters for default and maximum process stack size. The following table shows the parameters that must be present in
/boot/loader.conf on the host.
|System-wide Resource||Kernel parameter||Recommended min. value|
|Default process data size (soft limit)||
|Maximum process data size (hard limit)||
This consideration is not applicable to Windows-based systems.
Considerations regarding solid state drives
Solid state drives (SSDs) deliver significant performance gains over conventional hard drives for Splunk in "rare" searches - searches that request small sets of results over large swaths of data - when used in combination with bloom filters. They also deliver performance gains with concurrent searches overall.
Considerations regarding Common Internet File System (CIFS)/Server Message Block (SMB)
Splunk Enterprise supports the use of the CIFS/SMB protocol for the following purposes, on shares hosted by Windows hosts only:
- Search head pooling (Note: Search head pooling is a deprecated feature.)
- Storage of cold or frozen Index buckets.
When you use a CIFS resource for storage, confirm that the resource has write permissions for the user that connects to the resource at both the file and share levels. If you use a third-party storage device, ensure that its implementation of CIFS is compatible with the implementation that your Splunk Enterprise instance runs as a client.
Do not attempt to index data to a mapped network drive on Windows (for example "
Y:\" mapped to an external share.) Splunk Enterprise disables any index it encounters with a non-physical drive letter.
Considerations regarding environments that use the transparent huge pages memory management scheme
If you run a Unix environment that makes use of transparent huge memory pages, see "Transparent huge memory pages and Splunk performance" in the Release Notes before you attempt to install Splunk Enterprise.
No such scheme exists on Windows operating systems.
Splunk Enterprise architecture and processes
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15