Splunk® Enterprise

Installation Manual

This documentation does not apply to the most recent version of Splunk.

Install on Windows using the command line

You can install Splunk Enterprise on Windows from the command line. If you want to install the Splunk universal forwarder, see "Universal forwarder deployment overview" in the Forwarding Data manual.

Run 64-bit Splunk Enterprise on 64-bit hardware. You cannot run the 32-bit installer on a 64-bit system. If you attempt this, the installer quits with an error.

When to install from the command line

You can manually install Splunk Enterprise on individual machines from a command prompt or PowerShell window. Here are some scenarios where installing from the command line is useful:

  • You want to install Splunk Enterprise, but do not want it to start right away.
  • You want to automate installation of Splunk Enterprise with a script.
  • You want to install Splunk Enterprise on a system that you will clone later.
  • You want to use a deployment tool such as Group Policy or System Center Configuration Manager.
  • You want to install Splunk Enterprise on a system that runs a version of Windows Server Core.

Install using PowerShell

You can install Splunk Enterprise from a PowerShell window. The steps to do so are identical to those that you use to install from a command prompt.

Upgrading?

To upgrade Splunk Enterprise, review "How to upgrade Splunk" for instructions and migration considerations.

Be aware that Splunk Enterprise does not support changing the management or HTTP ports during an upgrade.

Before you install

Choose the Windows user Splunk Enterprise should run as

Before you install, see "Choose the Windows user Splunk Enterprise should run as" to determine which user account Splunk Enterprise should run as to address your data collection needs. The user you choose has specific ramifications for what you need to do before you install the software.

Prepare your domain for a Splunk Enterprise installation as a domain user

Before you install, see "Prepare your Windows network for a Splunk Enterprise installation as a network or domain user" for instructions about how to configure your domain to run Splunk Enterprise.

Disable or limit antivirus software if able

The Splunk Enterprise indexing subsystem requires a lot of disk throughput. Antivirus software, or any software with a device driver that intermediates between Splunk Enterprise and the operating system, can significantly decrease processing power, causing slowness and even an unresponsive system.

Before you start an installation, it is important to configure such software to avoid on-access scanning of Splunk Enterprise installation directories and processes.

Consider installing Splunk software into a directory with a short path name

By default, the Splunk MSI file installs the software to \Program Files\Splunk on the system drive (the drive that booted your Windows machine). While this directory is fine for many Splunk software installations, it might be problematic for installations that run in distributed deployments or that employ advanced Splunk features such as search-head or indexer clustering.

The Windows API has a path limitation of MAX_PATH, which Microsoft defines as 260 characters: the drive letter, colon, backslash, 256 characters for the path, and a terminating null character. Windows cannot address a file path that is longer than this, and if Splunk software creates a file with a path length that is longer than MAX_PATH, it cannot retrieve the file later. There is no way to change this configuration.

To work around this problem, if you know that the instance will be a member of a search head or indexer cluster, consider installing the software into a directory with a short path length, for example C:\Splunk or D:\SPL.
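The following PowerShell function works through the MAX_PATH arithmetic described above for several candidate installation directories. It is an added example, not part of the Splunk documentation or tooling; the function name, its parameters and the idea of measuring an existing instance are assumptions made for illustration.

```powershell
# Added example: project the longest file path of an existing Splunk instance
# onto candidate INSTALLDIR values and report how close each comes to MAX_PATH.
# Compare-InstallDirHeadroom and its parameters are hypothetical names.
function Compare-InstallDirHeadroom {
    param(
        [Parameter(Mandatory)][string]$ExistingHome,
        [string[]]$Candidate = @('C:\Program Files\Splunk', 'C:\Splunk', 'D:\SPL')
    )
    $usable = 260 - 1    # MAX_PATH includes the terminating null character
    $root   = (Resolve-Path -LiteralPath $ExistingHome).Path.TrimEnd('\')

    # Longest path relative to the install root, e.g. '\var\lib\splunk\...'.
    $errs = @()
    $longest = Get-ChildItem -LiteralPath $root -Recurse -Force `
                   -ErrorAction SilentlyContinue -ErrorVariable errs |
        ForEach-Object { $_.FullName.Substring($root.Length) } |
        Sort-Object Length -Descending |
        Select-Object -First 1

    # Items that already exceed the limit cannot be enumerated, so count them.
    if ($errs.Count -gt 0) {
        Write-Warning "$($errs.Count) item(s) could not be read; some may already exceed MAX_PATH."
    }

    foreach ($dir in $Candidate) {
        $total = $dir.TrimEnd('\').Length + $longest.Length
        [pscustomobject]@{
            InstallDir  = $dir
            LongestPath = $total
            Headroom    = $usable - $total
            Fits        = ($total -le $usable)
        }
    }
}

# Usage (path is an assumption):
# Compare-InstallDirHeadroom -ExistingHome 'C:\Program Files\Splunk' | Format-Table
```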

Install Splunk Enterprise from the command line

Invoke msiexec.exe to install Splunk Enterprise from the command line or PowerShell prompt.

For 32-bit platforms, use splunk-<...>-x86-release.msi:

msiexec.exe /i splunk-<...>-x86-release.msi [<flag>]... [/quiet]

For 64-bit platforms, use splunk-<...>-x64-release.msi:

msiexec.exe /i splunk-<...>-x64-release.msi [<flag>]... [/quiet]

The value of <...> varies according to the particular release; for example, splunk-6.3.2-aaff59bb082c-x64-release.msi.

Command-line flags let you configure Splunk Enterprise at installation. Using command-line flags, you can specify a number of settings, including but not limited to:

  • Which Windows event logs to index.
  • Which Windows Registry hives to monitor.
  • Which Windows Management Instrumentation (WMI) data to collect.
  • The user Splunk Enterprise runs as. See "Choose the Windows user Splunk Enterprise should run as" for information about what type of user you should install your Splunk instance with.
  • An included application configuration for Splunk to enable (such as the light forwarder).
  • Whether Splunk Enterprise should start automatically when the installation is finished.

Supported flags

The following is a list of the flags you can use when installing Splunk for Windows via the command line.

The Splunk universal forwarder is a separate executable, with its own installation flags. See the supported installation flags for the universal forwarder in "Deploy a Windows universal forwarder from the command line" in the Forwarding Data manual.

AGREETOLICENSE=Yes|No
  Purpose: Use this flag to agree to the EULA. This flag must be set to Yes for a silent installation.
  Default: No

INSTALLDIR="<directory_path>"
  Purpose: Use this flag to specify the directory to install into. Splunk's installation directory is referred to as $SPLUNK_HOME or %SPLUNK_HOME% throughout this documentation set.
  Default: C:\Program Files\Splunk

SPLUNKD_PORT=<port number>
WEB_PORT=<port number>
  Purpose: Use these flags to specify alternate ports for splunkd and splunkweb to use.
  Note: If you specify a port and that port is not available, Splunk automatically selects the next available port.
  Default: 8089 (SPLUNKD_PORT), 8000 (WEB_PORT)

WINEVENTLOG_APP_ENABLE=1/0
WINEVENTLOG_SEC_ENABLE=1/0
WINEVENTLOG_SYS_ENABLE=1/0
WINEVENTLOG_FWD_ENABLE=1/0
WINEVENTLOG_SET_ENABLE=1/0
  Purpose: Use these flags to specify whether or not Splunk should index a particular Windows event log:
    • WINEVENTLOG_APP_ENABLE: Application log
    • WINEVENTLOG_SEC_ENABLE: Security log
    • WINEVENTLOG_SYS_ENABLE: System log
    • WINEVENTLOG_FWD_ENABLE: Forwarder log
    • WINEVENTLOG_SET_ENABLE: Setup log
  Note: You can specify multiple flags.
  Default: 0 (off)

REGISTRYCHECK_U=1/0
REGISTRYCHECK_BASELINE_U=1/0
  Purpose: Use these flags to specify whether or not Splunk should:
    • REGISTRYCHECK_U: index events from the Windows Registry user hive (HKEY_CURRENT_USER).
    • REGISTRYCHECK_BASELINE_U: capture a baseline snapshot of the Windows Registry user hive (HKEY_CURRENT_USER).
  Note: You can set both of these at the same time.
  Default: 0 (off)

REGISTRYCHECK_LM=1/0
REGISTRYCHECK_BASELINE_LM=1/0
  Purpose: Use these flags to specify whether or not Splunk should:
    • REGISTRYCHECK_LM: index events from the Windows Registry machine hive (HKEY_LOCAL_MACHINE).
    • REGISTRYCHECK_BASELINE_LM: capture a baseline snapshot of the Windows Registry machine hive (HKEY_LOCAL_MACHINE).
  Note: You can set both of these at the same time.
  Default: 0 (off)

WMICHECK_CPUTIME=1/0
WMICHECK_LOCALDISK=1/0
WMICHECK_FREEDISK=1/0
WMICHECK_MEMORY=1/0
  Purpose: Use these flags to specify which popular WMI-based performance metrics Splunk should index:
    • WMICHECK_CPUTIME: CPU usage
    • WMICHECK_LOCALDISK: Local disk usage
    • WMICHECK_FREEDISK: Free disk space
    • WMICHECK_MEMORY: Memory statistics
  Note: If you need this instance of Splunk to monitor remote Windows data, then you must also specify the LOGON_USERNAME and LOGON_PASSWORD installation flags. Splunk cannot collect any remote data that it does not have explicit access to. Additionally, the user you specify requires specific rights, administrative privileges, and additional permissions, which you must configure before installation. Read "Choose the Windows user Splunk should run as" in this manual for additional information about the required credentials.
  There are many more WMI-based metrics that Splunk can index. Review "Monitor WMI Data" in the Getting Data In Manual for specific information.
  Default: 0 (off)

LOGON_USERNAME="<domain\username>"
LOGON_PASSWORD="<pass>"
  Purpose: Use these flags to provide domain\username and password information for the user that Splunk will run as. The splunkd and splunkweb services are configured with these credentials. For the LOGON_USERNAME flag, you must specify the domain with the username in the format "domain\username".
  These flags are mandatory if you want this Splunk Enterprise installation to monitor any remote data. Review "Choose the Windows user Splunk should run as" in this manual for additional information about which credentials to use.
  Default: none

SPLUNK_APP="<SplunkApp>"
  Purpose: Use this flag to specify an included Splunk application configuration to enable for this installation of Splunk. Currently supported options for <SplunkApp> are: SplunkLightForwarder and SplunkForwarder. These specify that this instance of Splunk will function as a light forwarder or heavy forwarder, respectively. Refer to the "About forwarding and receiving" topic in the Forwarding Data manual for more information.
  If you specify either the Splunk forwarder or light forwarder here, you must also specify FORWARD_SERVER="<server:port>".
  To install Splunk Enterprise with no applications at all, omit this flag.
  Note: The full version of Splunk does not enable the universal forwarder. The universal forwarder is a separate downloadable executable, with its own installation flags.
  Default: none

FORWARD_SERVER="<server:port>"
  Purpose: Use this flag only when you also use the SPLUNK_APP flag to enable either the Splunk heavy or light forwarder. Specify the server and port of the Splunk server to which this forwarder will send data.
  Default: none

DEPLOYMENT_SERVER="<host:port>"
  Purpose: Use this flag to specify a deployment server for pushing configuration updates. Enter the deployment server's name (hostname or IP address) and port.
  Default: none

LAUNCHSPLUNK=0/1
  Purpose: Use this flag to specify whether or not Splunk should start up automatically on system boot.
  Note: If you enable the Splunk Forwarder by using the SPLUNK_APP flag, the installer configures Splunk to start automatically, and ignores this flag.
  Default: 1 (on)

INSTALL_SHORTCUT=0/1
  Purpose: Use this flag to specify whether or not the installer should create a shortcut to Splunk on the desktop and in the Start Menu.
  Default: 1 (on)

Silent installation

To run the installation silently, add /quiet to the end of your installation command string. If your system has User Account Control enabled (the default on some systems), you must run the installation as Administrator. To do this:

  • When opening a command prompt or PowerShell window, right-click and select "Run As Administrator".
  • Use this command window to run the silent install command.

Examples

The following are some examples of using different flags.

Silently install Splunk Enterprise to run as the Local System user

msiexec.exe /i Splunk.msi AGREETOLICENSE=Yes /quiet

Enable the Splunk heavy forwarder and specify credentials for the user Splunk Enterprise will run as

msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" LOGON_USERNAME="AD\splunk" LOGON_PASSWORD="splunk123"

Enable SplunkForwarder, enable indexing of the Windows System event log, and run the installer in silent mode

msiexec.exe /i Splunk.msi AGREETOLICENSE=Yes SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" WINEVENTLOG_SYS_ENABLE=1 /quiet

In these examples, "<server:port>" is the server and port of the Splunk server to which this machine should send data.
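The flag rules and silent-installation steps above, combined into one PowerShell script that checks them before it calls msiexec.exe. This is an added example, not part of the Splunk documentation or tooling; the MSI location and the forwarding host splunk-idx01.example.com:9997 are assumed values.

```powershell
# Added example (not Splunk's own tooling). Assumed values: Splunk.msi in the
# current directory, and the constructed host splunk-idx01.example.com:9997.
$msi           = Join-Path $PWD 'Splunk.msi'
$installDir    = 'C:\Splunk'                       # short path, per the MAX_PATH advice
$splunkApp     = 'SplunkForwarder'                 # set to $null to enable no app
$forwardServer = 'splunk-idx01.example.com:9997'   # constructed value

# With UAC enabled, a silent install must run from an elevated window.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start the command prompt or PowerShell window with "Run As Administrator".'
}
if (-not (Test-Path -LiteralPath $msi)) { throw "Installer not found: $msi" }

# Prompt for the account instead of writing its password into the script.
$cred = Get-Credential -Message 'Account Splunk Enterprise runs as (domain\username)'
$pass = $cred.GetNetworkCredential().Password
if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$') { throw 'LOGON_USERNAME must be domain\username.' }
if ($pass -match '"') { throw 'A double quote in the password would break the quoted flag value.' }

$flags = [ordered]@{
    AGREETOLICENSE         = 'Yes'                 # must be Yes for a silent installation
    INSTALLDIR             = $installDir
    WINEVENTLOG_SYS_ENABLE = 1
    LOGON_USERNAME         = $cred.UserName
    LOGON_PASSWORD         = $pass
}
if ($splunkApp) {
    # SPLUNK_APP and FORWARD_SERVER must be specified together.
    if ($forwardServer -notmatch '^[^:\s]+:\d+$') { throw 'FORWARD_SERVER must be server:port.' }
    $flags['SPLUNK_APP']     = $splunkApp
    $flags['FORWARD_SERVER'] = $forwardServer
}

# Build: msiexec.exe /i "<msi>" FLAG="value" ... /quiet
$argList  = @('/i', ('"{0}"' -f $msi))
$argList += $flags.GetEnumerator() | ForEach-Object { '{0}="{1}"' -f $_.Key, $_.Value }
$argList += '/quiet'

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
# Windows Installer exit codes: 0 = success, 3010 = success, restart required.
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec.exe exited with code $($proc.ExitCode)." }
Write-Output "Installed to $installDir (exit code $($proc.ExitCode))."
```

Prompting keeps the password out of the script file, but LOGON_PASSWORD still reaches msiexec.exe as a command-line argument, so it appears wherever process command lines are recorded on the machine.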

Avoid Internet Explorer (IE) Enhanced Security pop-ups

To avoid IE Enhanced Security pop-ups, add the following URLs to the allowed Intranet group or fully trusted group in IE:

  • quickdraw.splunk.com
  • the URL of your Splunk instance

What's next?

Now that you've installed Splunk Enterprise, what comes next?

You can also review this topic about considerations for deciding how to monitor Windows data in the Getting Data In manual.

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

