Install on Linux
You can install Splunk Enterprise on Linux using RPM or DEB packages or a tar file, depending on the version of Linux your host runs.
To install the Splunk universal forwarder, see Install a *nix universal forwarder in the Universal Forwarder manual. The universal forwarder is a separate executable, with a different installation package and its own set of installation procedures.
Upgrading Splunk Enterprise
If you are upgrading, see How to upgrade Splunk Enterprise for instructions and migration considerations before you upgrade.
Tar file installation
What to know before installing with a tar file
Knowing the following items helps ensure a successful installation with a tar file:
- Some non-GNU versions of tar might not have the -C argument available. In this case, to install in /opt/splunk, either cd to /opt or place the tar file in /opt before you run the tar command. This method works for any accessible directory on your host file system.
- Splunk Enterprise does not create the splunk user. If you want Splunk Enterprise to run as a specific user, you must create the user manually before you install.
- Confirm that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.
Installation procedure
- Expand the tar file into an appropriate directory using the tar command:
tar xvzf splunk_package_name.tgz
The default installation directory is splunk in the current working directory. To install into /opt/splunk, use the following command:
tar xvzf splunk_package_name.tgz -C /opt
RedHat RPM installation
RPM packages are available for Red Hat, CentOS, and similar versions of Linux.
The rpm package does not provide any safeguards when you use it to upgrade. While you can use the --prefix flag to install it into a different directory, upgrade problems can occur if the directory that you specified with the flag does not match the directory where you initially installed the software.
After installation, software package validation commands (such as rpm -Vp <rpm_file>) might fail because of intermediate files that get deleted during the installation process. To verify your Splunk installation package, use the splunk validate files CLI command instead.
- Confirm that the RPM package you want is available locally on the target machine.
- Verify that the Splunk Enterprise user account that will run the Splunk services can read and access the file.
- If needed, change permissions on the file.
chmod 644 splunk_package_name.rpm
- Invoke the following command to install the Splunk Enterprise RPM in the default directory /opt/splunk.
rpm -i splunk_package_name.rpm
- (Optional) To install Splunk in a different directory, use the --prefix argument.
rpm -i --prefix=/<new_directory_prefix> splunk_package_name.rpm
For example, if you want to install the files into /new_directory/splunk, use the following command:
rpm -i --prefix=/new_directory splunk_package_name.rpm
Replace an existing Splunk Enterprise installation with an RPM package
- Run rpm with the --prefix flag and reference the existing Splunk Enterprise directory.
rpm -i --replacepkgs --prefix=/splunkdirectory/ splunk_package_name.rpm
Automate RPM installation with Red Hat Linux Kickstart
- If you want to automate an RPM install with Kickstart, edit the kickstart file and add the following.
./splunk start --accept-license
./splunk enable boot-start
The enable boot-start line is optional.
Debian .DEB installation
Prerequisites to installation
- You can install the Splunk Enterprise Debian package only into the default location, /opt/splunk.
- This location must be a regular directory, and cannot be a symbolic link.
- You must have access to the root user or have sudo permissions to install the package.
- The package does not create environment variables to access the Splunk Enterprise installation directory. You must set those variables on your own.
If you need to install Splunk Enterprise somewhere else, or if you use a symbolic link for /opt/splunk, then use a tar file to install the software.
Installation procedure
- Run the dpkg installer with the Splunk Enterprise Debian package name as an argument.
dpkg -i splunk_package_name.deb
Debian commands for showing installation status
Splunk package status:
dpkg --status splunk
List all packages:
dpkg --list
Information on expected default shell and caveats for Debian shells
On later versions of Debian Linux (for example, Debian Squeeze), the default non-interactive shell is the dash shell. Splunk Enterprise expects to run commands using the bash shell, and bash to be available from /bin/sh. Using the dash shell can result in zombie processes - processes that have completed execution, yet remain in the process table and cannot be killed or removed. If you run Debian Linux, consider changing your default shell to be bash.
To view an example on how to change the default shell to bash, see https://unix.stackexchange.com/questions/442510/how-to-use-bash-for-sh-in-ubuntu at StackExchange.
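The prerequisites described on this page (a pre-created service user, a regular directory rather than a symbolic link at /opt/splunk, and bash behind /bin/sh) can be checked before you install. The following script is an added example, not part of the Splunk documentation or tooling; the function names are hypothetical and the user name splunk is an assumption taken from the tar file notes above.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling): preflight checks for the
# prerequisites described on this page. Function names are hypothetical.

# The DEB package needs /opt/splunk to be a regular directory, not a symlink.
# A path that does not exist yet is fine: the package creates it.
check_install_dir() {
    if [ -L "$1" ]; then echo "symlink"
    elif [ -e "$1" ] && [ ! -d "$1" ]; then echo "not-a-directory"
    else echo "ok"
    fi
}

# Splunk Enterprise expects bash behind /bin/sh. Resolve the link chain and
# look at the final name (heuristic: assumes sh is a symlink, as on Debian).
check_sh_is_bash() {
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    name=$(basename "$target")
    if [ "$name" = "bash" ]; then echo "bash"; else echo "not-bash:$name"; fi
}

# Splunk Enterprise does not create the service user; it must already exist.
check_user_exists() {
    if id -u "$1" >/dev/null 2>&1; then echo "ok"; else echo "missing"; fi
}

# preflight INSTALL_DIR SH_PATH SERVICE_USER
# Prints one line per check; the return status is the number of failures.
preflight() {
    fails=0
    r=$(check_install_dir "$1")
    if [ "$r" = "ok" ]; then echo "PASS install dir $1"
    else echo "FAIL install dir $1: $r"; fails=$((fails + 1)); fi
    r=$(check_sh_is_bash "$2")
    if [ "$r" = "bash" ]; then echo "PASS $2 is bash"
    else echo "FAIL $2: $r"; fails=$((fails + 1)); fi
    r=$(check_user_exists "$3")
    if [ "$r" = "ok" ]; then echo "PASS user $3 exists"
    else echo "FAIL user $3: $r"; fails=$((fails + 1)); fi
    return "$fails"
}

# Values from this page: /opt/splunk, /bin/sh, and a user named splunk.
preflight /opt/splunk /bin/sh splunk || echo "preflight: $? check(s) failed"
```

A symlink result for the install directory means the DEB package is not an option on that host and the tar file method applies instead.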
Next steps
Now that you have installed Splunk Enterprise:
- Start it and create administrator credentials. See Start Splunk Enterprise for the first time.
- Configure it to start at boot time. See Configure Splunk software to start at boot time.
- Learn what comes next. See What happens next?
Uninstall Splunk Enterprise
To learn how to uninstall Splunk Enterprise, see Uninstall Splunk Enterprise.
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0