Splunk® Enterprise

Admin Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.2 will no longer be supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Change default values

Before you begin configuring Splunk Enterprise for your environment, review the following default settings.

Set or change environment variables

Use operating system environment variables to modify specific default values for the Splunk Enterprise services.

  • On *nix, use the setenv or export commands to set a particular variable. For example:
    # export SPLUNK_HOME = /opt/splunk02/splunk
    To modify the environment permanently, edit your shell initialization file, and add entries for the variables you want Splunk Enterprise to use when it starts up.
  • On Windows, use the set environment variable in either a command prompt or PowerShell window:
    C:\> set SPLUNK_HOME = "C:\Program Files\Splunk"
    To set the environment permanently, use the "Environment Variables" window, and add an entry to the "User variables" list.

Windows EnvironmentVariablesList.png

Several environment variables are available:

Environment variable Purpose
SPLUNK_HOME The fully qualified path to the Splunk Enterprise installation directory.
SPLUNK_DB The fully qualified path to the root directory that contains the Splunk Enterprise indexes.
SPLUNK_BINDIP The host IP address that Splunk Enterprise should bind to on startup. On hosts with multiple IP addresses, this is used to limit accepted connections to one IP address.
SPLUNK_OS_USER Tells Splunk Enterprise to assume the credentials of the user you specify, regardless of what user you started it as. For example, if you specify the SPLUNK_OS_USER 'splunk' but start Splunk Enterprise as root, the system adopts the privileges of the 'splunk' user, and any files written by those processes will be owned by the 'splunk' user.
SPLUNK_SERVER_NAME The name of the splunkd service (on Windows) or process (on *nix). Do not set this variable unless you know what you are doing.
SPLUNK_WEB_NAME The name of the splunkweb service (on Windows) or process (on *nix). Do not set this variable unless you know what you are doing.

Note: You can set these environment variables in the splunk-launch.conf or web.conf. This is useful when you run more than one Splunk software instance on a host. See splunk-launch.conf.

Change network ports

Splunk Enterprise configures default TCP ports during installation:

  • The HTTP/HTTPS port. This port provides the socket for Splunk Web. It defaults to 8000.
  • The appserver port. 8065 by default.
  • The management port. This port is used to communicate with the splunkd daemon. Splunk Web talks to splunkd on this port, as does the command line interface, and any distributed connections from other servers. This port defaults to 8089.
  • The KV store port. 8191 by default.

The default network ports are recommendations, and might not represent what your Splunk Enterprise instance is using. During the Splunk Enterprise installation, if any default port is detected as in-use, you are prompted to provide alternative port assignments.

Splunk instances that are receiving data from forwarders must be configured with a receiver port. The receiver port only listens for incoming data from forwarders. Configuration of the receiver port does not occur during installation. For more information, see Enable a receiver in the Forwarding Data Manual.

Use Splunk Web

To change the ports from their installation settings:

  1. Log into Splunk Web as the admin user.
  2. Click Settings.
  3. Click Server settings.
  4. Click General settings.
  5. Change the value for either Management port or Web port, and click Save.

Use Splunk CLI

To change the port settings using the Splunk CLI, use the CLI command set. For example, this sets the Splunk Web port to 9000:

splunk set web-port 9000

This command sets the splunkd port to 9089:

splunk set splunkd-port 9089

Change the default Splunk server name

The Splunk server name setting controls both the name that is displayed within Splunk Web, and the name that is sent to other Splunk Servers in a distributed deployment. The name is chosen from either the DNS or IP address of the Splunk Server host by default.

Use Splunk Web

To change the Splunk server name:

  1. Log into Splunk Web as the admin user.
  2. Click Settings.
  3. Click Server settings.
  4. Click General settings.
  5. Change the value for Splunk server name, and click Save.

Use Splunk CLI

To change the server name using the CLI, use the set servername command. For example, this sets the server name to foo:

splunk set servername foo

Set minimum free disk space

The minimum free disk space setting controls how low storage space in the datastore location can fall before Splunk software stops indexing. Splunk software resumes indexing when available space exceeds this threshold.

Use Splunk Web

To set minimum free storage space:

  1. Log into Splunk Web as the admin user.
  2. Click Settings.
  3. Click Server settings.
  4. Click General settings.
  5. Change the value for Pause indexing if free disk space (in MB) falls below, and click Save.

Use Splunk CLI

To change the minimum free space value using the CLI, use the set minfreemb command. For example, this sets the minimum free space to 2000 MB:

splunk set minfreemb 2000

Set the default time range

The default time range for ad hoc searches in the Search & Reporting App is set to Last 24 hours. A Splunk Enterprise administrator can set the default time range globally, across all apps. Splunk Cloud Platform customers cannot configure this setting directly. The setting is stored in $SPLUNK_HOME/etc/apps/user-prefs/local/user-prefs.conf file in the [general_default] stanza.

This setting applies to all Search pages in Splunk Apps, not only the Search & Reporting App. This setting applies to all user roles.

This setting does not apply to dashboards.

Use Splunk Web

  1. Log into Splunk Web as the admin user.
  2. Click Settings.
  3. Click Server settings.
  4. Click Search Preferences.
  5. From the Default search time range drop-down, select the time that you want to use and click Save.

Time range settings in the ui_prefs.conf file

You might already have a time range setting defined in the ui-prefs.conf file for a specific application or user. The settings in the ui-prefs.conf file take precedence over any settings that you make to the global default time range using Splunk Web.

However, if you want to use the global default time range for all users and applications, consider removing the settings that you have in the ui-prefs.conf file. See ui-prefs.conf.

Other default settings

The Settings screen offers additional pages with default settings for you to change. Explore the screen to see the range of options.

Last modified on 23 July, 2021
PREVIOUS
Install your license
  NEXT
Bind Splunk to an IP

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.2.0, 8.2.1, 8.2.2


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters