Splunk® Enterprise

Installation Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Install on Mac OS X

You can install Splunk Enterprise on Mac OS X using a DMG package, or a tar file.


If you are upgrading, review "How to upgrade Splunk Enterprise" for instructions and migration considerations before proceeding.

Installation options

The Mac OS build comes in two forms: a DMG package and a tar file. Below are instructions for the:

  • Graphical (basic) and command line installs using the DMG file.
  • tar file install.

Note: if you require two installations in different locations on the same host, use the tar file. The pkg installer cannot install a second instance. If one exists, it will remove it upon successful install of the second.

Graphical install

1. Double-click on the DMG file.

A Finder window containing splunk.pkg opens.

2. In the Finder window, double-click on splunk.pkg.

The Splunk Enterprise installer opens and displays the Introduction, which lists version and copyright information.

3. Click Continue.

The Select a Destination window opens.

4. Choose a location to install Splunk Enterprise.

  • To install in the default directory, /Applications/splunk, click on the harddrive icon.
  • To select a different location, click Choose Folder...

5. Click Continue.

The pre-installation summary displays. If you need to make changes,

  • Click Change Install Location to choose a new folder, or
  • Click Back to go back a step.

6. Click Install.

Your installation will begin. It might take a few minutes.

7. When your install completes, click Finish. The installer places a shortcut on the Desktop.

Command line install

Use the following instructions to install from a Terminal window.

Important: To install Splunk Enterprise on Mac OS X from the command line, you must use the root user, or elevate privileges using the sudo command. If you use sudo, your account must be an Admin-level account.

1. To mount the dmg:
sudo hdid splunk_package_name.dmg

The Finder mounts the disk image onto the desktop. The image is available under /Volumes/SplunkForwarder <version> (note the space).

2. To Install

  • To the root volume:
cd /Volumes/SplunkForwarder\ <version>
sudo installer -pkg .payload/splunk.pkg -target /

Note: There is a space in the disk image's name. Use a backslash to escape the space or wrap the disk image name in quotes.

  • To a different disk of partition:
cd /Volumes/SplunkForwarder\ <version>
sudo installer -pkg .payload/splunk.pkg -target /Volumes\ Disk

Note: There is a space in the disk image's name. Use a backslash to escape the space or wrap the disk image name in quotes.

-target specifies a target volume, such as another disk, where Splunk will be installed in /Applications/splunk.

To install into a directory other than /Applications/splunk on any volume, use the graphical installer as described above.

tar file install

To install Splunk Enterprise on Mac OS X, expand the tar file into an appropriate directory using the tar command:

tar xvzf splunk_package_name.tgz

The default install directory is splunk in the current working directory. To install into /Applications/splunk, use the following command:

tar xvzf splunk_package_name.tgz -C /Applications

Note: When you install Splunk Enterprise with a tar file:

  • Splunk Enterprise does not create the splunk user automatically. If you want it to run as a specific user, you must create the user manually before installing.
  • Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

Start Splunk

Splunk Enterprise can run as any user on the local system. If you run it as a non-root user, make sure that it has the appropriate permissions to read the inputs that you specify.

Start Splunk Enterprise from the Finder

To start Splunk Enterprise from the Finder, double-click the Splunk icon on the Desktop to launch the helper application, entitled "Splunk's Little Helper".

Note: The first time you run the helper application, it notifies you that it needs to perform a brief initialization. Click OK to allow Splunk Enterprise to initialize and set up the trial license.

Once the helper application loads, it displays a dialog that offers several choices:

  • Start and Show Splunk: This option starts Splunk Enterprise and directs your web browser to open a page to Splunk Web.
  • Only Start Splunk: This choice starts Splunk Enterprise, but does not open Splunk Web in a browser.
  • Cancel: Tells the helper application to quit. This does not affect the Splunk Enterprise instance itself, only the helper application.

Once you make your choice, the Splunk helper application performs the requested application and terminates. You can run the helper application again to either show Splunk Web or stop Splunk.

The helper application can also be used to stop Splunk if it is already running.

Start Splunk Enterprise from the command line

To start Splunk Enterprise from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk Enterprise):

 ./splunk start

By convention, this document uses:

  • $SPLUNK_HOME to identify the path to your Splunk installation.
  • $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

Startup options

The first time you start Splunk Enterprise after a new installation, you must accept the license agreement. To start Splunk Enterprise and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

Launch Splunk Web and log in

After you start Splunk Enterprise and accept the license agreement,

1. In a browser window, access Splunk Web at

  • hostname is the host machine.
  • port is the port you specified during the installation (the default port is 8000).

2. Splunk Web prompts you for login information (default, username admin and password changeme) before it launches. If you switch to Splunk Free, you will bypass this logon page in future sessions.

What's next?

Now that you've installed Splunk Enterprise, what comes next?

Uninstall Splunk Enterprise

To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in this manual.

Last modified on 05 February, 2016
Install on Solaris
Install the universal forwarder on FreeBSD

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters