Splunk® Enterprise

Installation Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Install the universal forwarder on FreeBSD

Important: Splunk does not offer an installation package for Splunk Enterprise version 6.3.0 or later on FreeBSD. It does, however, offer a universal forwarder installation package for FreeBSD versions 8, 9, and 10. These instructions detail how to install the universal forwarder on those versions of FreeBSD.

To use Splunk Enterprise on FreeBSD, you must download an older version of the Splunk software.

Prerequisites

For FreeBSD 8, only, the universal forwarder requires compatibility packages. To install the compatibility package:

1. Install the port:

portsnap fetch update

cd /usr/ports/misc/compat7x/ && make install clean

2. Add the package:

pkg_add -r compat7x-amd64

Basic install

Note: These instructions are for installing the universal forwarder only. There is no current version of Splunk Enterprise available for FreeBSD.

FreeBSD best practices maintain a small root filesystem. You might want to create a symbolic link to another filesystem and install Splunk there, rather than attempting to install in /opt.

1. Confirm that the /opt/splunkforwarder directories exist. If they do not, create them or link to another file system from there.

2. Install the universal forwarder on FreeBSD using the intel installer:

pkg_add splunkforwarder-intel.tgz

Important: This installs Splunk Enterprise in the default directory, /opt/splunkforwarder. If /opt does not exist and you have not created it, you might receive an error message.

To install Splunk Enterprise in a different directory:

pkg_add -v -p /usr/splunk splunkforwarder-intel.tgz

Tar file

Note: These instructions are for installing the universal forwarder tar file only. There is no current version of Splunk Enterprise available for FreeBSD.

Expand the universal forwarder tar file into an appropriate directory using the tar command. The default install directory is splunkforwarder in the current working directory.

tar xvzf splunkforwarder.tgz

To install into /opt/splunkforwarder, execute:

tar xvzf splunkforwarder.tgz -C /opt

Note: When you install the universal forwarder with a tar file:

  • Some non-GNU versions of tar might not have the -C argument available. In this case, if you want to install in /opt/splunkforwarder, either cd to /opt or place the tar file in /opt before running the tar command. This method will work for any accessible directory on your machine's filesystem.
  • The forwarder does not create the splunk user automatically. If you want Splunk Enterprise to run as a specific user, you must create the user manually before installing.
  • Confirm that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

After you install

To ensure that the forwarder functions properly on FreeBSD, you must:

1. Add the following to /boot/loader.conf

kern.maxdsiz="2147483648" # 2GB
kern.dfldsiz="2147483648" # 2GB
machdep.hlt_cpus=0 

2. Add the following to /etc/sysctl.conf:

vm.max_proc_mmap=2147483647

You must restart FreeBSD for the changes to effect.

If your server has less than 2 GB of memory, reduce the values accordingly.

Start the universal forwarder

The universal forwarder can run as any user on the local system. If you run it as a non-root user, make sure that it has the appropriate permissions to read the inputs that you specify.

To start the forwarder from the command line interface, run the following command from the $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk Enterprise):

 ./splunk start

By convention, this document uses:

  • $SPLUNK_HOME to identify the path to your Splunk Enterprise installation.
  • $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

Startup options

The first time you start Splunk Enterprise after a new installation, you must accept the license agreement. To start Splunk Enterprise and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

PREVIOUS
Install on Mac OS X
  NEXT
Install the universal forwarder on AIX

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters