Splunk® Enterprise

Installation Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Install on Windows

This topic describes the procedure for installing Splunk Enterprise on Windows with the Graphical User Interface (GUI)-based installer. More options (such as silent installation) are available if you install from the command line. If you want to install the Splunk universal forwarder, see "Universal forwarder deployment overview" in the Forwarding Data manual.

Note: You can no longer install or run the 32-bit version of Splunk Enterprise for Windows on a 64-bit Windows system. You also cannot install Splunk Enterprise on a machine that runs an unsupported OS (for example, on a machine that runs Windows Server 2003.) See "System requirements."

If you attempt to run the installer in such a way, it warns you and prevents the installation.

Upgrading?

If you plan to upgrade Splunk Enterprise, see "How to upgrade Splunk" for instructions and migration considerations before proceeding.

Note that Splunk Enterprise does not support changing the management or HTTP ports during an upgrade.

Before you install

Choose the Windows user Splunk should run as

Before installing, be sure to read "Choose the Windows user Splunk should run as" to determine which user account Splunk should run as to address your specific needs. The user you choose has specific ramifications on what you need to do prior to installing the software, and more details can be found there.

Splunk Enterprise for Windows and anti-virus software

The Splunk Enterprise indexing subsystem requires lots of disk throughput. Any software with a device driver that intermediates between Splunk Enterprise and the operating system can rob Splunk Enterprise of processing power, causing slowness and even an unresponsive system. This includes anti-virus software.

It's extremely important to configure such software to avoid on-access scanning of Splunk Enterprise installation directories and processes, before starting a Splunk installation.

Consider installing Splunk software into a directory with a short path name

By default, the Splunk MSI file installs the software to \Program Files\Splunk on the system drive (the drive that booted your Windows machine.) While this directory is fine for many Splunk software installations, it might be problematic for installations that run in distributed deployments or that employ advanced Splunk features such as search-head or indexer clustering.

The Windows API has a path limitation of MAX_PATH which Microsoft defines as 260 characters including the drive letter, colon, backslash, 256-characters for the path, and a null terminating character. Windows cannot address a file path that is longer than this, and if Splunk software creates a file with a path length that is longer than MAX_PATH, it cannot retrieve the file later. There is no way to change this configuration.

To work around this problem, if you know that the instance will be a member of a search head or indexer cluster, consider installing the software into a directory with a short path length, for example C:\Splunk or D:\SPL.

Install Splunk Enterprise via the GUI installer

The Windows installer is an MSI file.

1. To start the installer, double-click the splunk.msi file.

The installer runs and displays the Splunk Enterprise Installer panel.

62 SplunkInstaller.png

2. To continue the installation, check the "Check this box to accept the License Agreement" checkbox. This activates the "Customize Installation" and "Install" buttons.

Note: If you want to view the license agreement, click on the "View License Agreement" button.

Installation Options

The Windows installer gives you two choices: Install with the default installation settings, or configure all settings prior to installing.

The installer does the following by default:

  • Installs Splunk Enterprise in \Program Files\Splunk on the system drive (the drive that booted your Windows system.)
  • Installs Splunk Enterprise with the default management and Web ports.
  • Configures Splunk Enterprise to run as the Local System user. Read "Choose the user Splunk Enterprise should run as" in this manual to understand the ramifications.
  • Creates a Start Menu shortcut for the software.

3. If you want to change any of these default installation settings, click the "Customize Options" button and proceed with the instructions in "Customize Options" in this topic. Otherwise, click the "Install" button to install the software with the defaults and continue with "Complete the install" later in this topic.

Customize Options

This section describes the options you can customize during the installation.

By default, the installer puts Splunk Enterprise into \Program Files\Splunk on the system drive. This documentation set refers to the Splunk Enterprise installation directory as $SPLUNK_HOME or %SPLUNK_HOME%.

Splunk Enterprise installs and runs two Windows services, splunkd and splunkweb. On version 6.2 and later, the splunkd service handles all Splunk Enterprise operations, and the splunkweb service installs to run only in legacy mode.

These services install and run as the user you specify on the "Choose the user Splunk Enterprise should run as" panel. You can choose to run Splunk Enterprise as the Local System user, or another user.

The installer displays the "Install Splunk Enterprise to" panel.

62 SplunkInstaller Location.png

1. Click "Change…" to specify a different location to install Splunk Enterprise, or click "Next" to accept the default value.

The installer displays the "Choose the user Splunk Enterprise should run as" panel.

62 SplunkInstaller Chooseuser.png

2. Select a user type and click Next.

If you selected the Local System user, proceed to Step 7. Otherwise, the installer displays the Logon Information: specify a username and password panel.

62 SplunkInstaller SpecifyCredentials.png

3. Specify user credentials and click Next. The installer displays the installation summary panel.

Note: You must specify the user name in domain\username format. Failure to include the domain name when specifying the user will cause the installation to fail. This must be a valid user in your security context, and must be an active member of an Active Directory domain. Splunk Enterprise must run under either the Local System account or a valid user account with a valid password and local administrator privileges.

62 SplunkInstaller Summary.png

4. Click "Install" to proceed.

Complete the installation

The installer runs and displays the Installation Complete panel.

62 SplunkInstaller Complete.png

If you specified the wrong user during the installation procedure, you will see two pop-up error windows explaining this. If this occurs, Splunk Enterprise installs itself as the Local System user by default. Splunk Enterprise does not start automatically in this situation. You can proceed through the final panel of the installation, but uncheck the "Launch browser with Splunk" checkbox to prevent your browser from launching. Then, use these instructions to switch to the correct user before starting Splunk.

1. (Optional) Check the boxes to Launch browser with Splunk and Create Start Menu Shortcut.

2. Click Finish.

The installation completes, Splunk Enterprise starts and launches in a supported browser if you checked the appropriate box.

Note: The first time you access Splunk Web after installation, login with the default username admin and password changeme. Do not use the username and password you provided during the installation process.

Launch Splunk in a Web browser

To access Splunk Enterprise after you start it on your machine, you can either:

  • Click the Splunk icon in Start > Programs > Splunk

or

Log in using the default credentials: username: admin and password: changeme.

The first time you log into Splunk Enterprise successfully, it prompts you right away to change your password. You can do so by entering a new password and clicking the Change password button, or you can do it later by clicking the Skip button.

Note: If you do not change your password, remember that anyone who has access to the machine and knows the default password can access your Splunk instance. Be sure to change the admin password as soon as possible and make a note of what you changed it to.

Avoid Internet Explorer Enhanced Security pop-ups

If you're using Internet Explorer to access Splunk Web, add the following URLs to the allowed Intranet group or fully trusted group to avoid getting "Enhanced Security" pop-ups:

  • quickdraw.splunk.com
  • the URL of your Splunk Enterprise instance

Change the Splunk Web or splunkd service ports

If you want the Splunk Web service or the splunkd service to use a different port, you can change the defaults.

To change the Splunk Web service port:

  • Open a command prompt.
  • Change to the %SPLUNK_HOME%\bin directory.
  • Type in splunk set web-port #### and press Enter.

To change the splunkd port:

  • Open a command prompt, if one isn't already.
  • Change to the %SPLUNK_HOME%\bin directory.
  • Type in splunk set splunkd-port #### and press Enter.

Note: If you specify a port and that port is not available, or if the default port is unavailable, Splunk will automatically select the next available port.

Install or upgrade license

If you are performing a new installation of Splunk Enterprise or switching from one license type to another, you must install or update your license.

What's next?

Now that you've installed Splunk Enterprise, you can find out what comes next, or you can review these topics in the Getting Data In Manual for information on adding Windows data:

PREVIOUS
Prepare your Windows network to run Splunk Enterprise as a network or domain user
  NEXT
Install on Windows using the command line

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters