Splunk® Enterprise

Installation Manual

Install on Linux

You can install Splunk Enterprise on Linux using RPM or DEB packages or a tar file, depending on the version of Linux your host runs.

To install the Splunk universal forwarder, see Install a *nix universal forwarder in the Universal Forwarder manual. The universal forwarder is a separate executable, with a different installation package and its own set of installation procedures.

Upgrading Splunk Enterprise

If you are upgrading, see How to upgrade Splunk Enterprise for instructions and migration considerations before you upgrade.

Tar file installation

What to know before installing with a tar file

Knowing the following items helps ensure a successful installation with a tar file:

  • Some non-GNU versions of tar might not have the -C argument available. In this case, to install in /opt/splunk, either cd to /opt or place the tar file in /opt before you run the tar command. This method works for any accessible directory on your host file system.
  • Splunk Enterprise does not create the splunk user. If you want Splunk Enterprise to run as a specific user, you must create the user manually before you install.
  • Confirm that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

Installation procedure

  1. Expand the tar file into an appropriate directory using the tar command:
    tar xvzf splunk_package_name.tgz

    The default installation directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

    tar xvzf splunk_package_name.tgz -C /opt

RedHat RPM installation

RPM packages are available for Red Hat, CentOS, and similar versions of Linux.

The rpm package does not provide any safeguards when you use it to upgrade. While you can use the --prefix flag to install it into a different directory, upgrade problems can occur if the directory that you specify with the flag does not match the directory where you initially installed the software.

After installation, software package validation commands (such as rpm -Vp <rpm_file>) might fail because of intermediate files that get deleted during the installation process. To verify your Splunk installation package, use the splunk validate files CLI command instead.

  1. Confirm that the RPM package you want is available locally on the target machine.
  2. Verify that the Splunk Enterprise user account that will run the Splunk services can read and access the file.
  3. If needed, change permissions on the file.
    chmod 644 splunk_package_name.rpm
  4. Invoke the following command to install the Splunk Enterprise RPM in the default directory /opt/splunk.
    rpm -i splunk_package_name.rpm
  5. (Optional) To install Splunk in a different directory, use the --prefix argument.
    rpm -i --prefix=/<new_directory_prefix> splunk_package_name.rpm

    For example, if you want to install the files into /new_directory/splunk use the following command:

    rpm -i --prefix=/new_directory splunk_package_name.rpm

Replace an existing Splunk Enterprise installation with an RPM package

  • Run rpm with the --prefix flag and reference the existing Splunk Enterprise directory.
    rpm -i --replacepkgs --prefix=/splunkdirectory/ splunk_package_name.rpm

Automate RPM installation with Red Hat Linux Kickstart

  • If you want to automate an RPM install with Kickstart, edit the kickstart file and add the following.
    ./splunk start --accept-license
    ./splunk enable boot-start 

    The enable boot-start line is optional.

Debian .DEB installation

Prerequisites to installation

  • You can install the Splunk Enterprise Debian package only into the default location, /opt/splunk.
  • This location must be a regular directory, and cannot be a symbolic link.
  • You must have access to the root user or have sudo permissions to install the package.
  • The package does not create environment variables to access the Splunk Enterprise installation directory. You must set those variables on your own.

If you need to install Splunk Enterprise somewhere else, or if you use a symbolic link for /opt/splunk, then use a tar file to install the software.

Installation procedure

  • Run the dpkg installer with the Splunk Enterprise Debian package name as an argument.
    dpkg -i splunk_package_name.deb

Debian commands for showing installation status

Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

Information on expected default shell and caveats for Debian shells

On later versions of Debian Linux (for example, Debian Squeeze), the default non-interactive shell is the dash shell. Splunk Enterprise expects to run commands using the bash shell, and expects bash to be available from /bin/sh. Using the dash shell can result in zombie processes - processes that have completed execution, yet remain in the process table and cannot be killed or removed. If you run Debian Linux, consider changing your default shell to bash.

To view an example on how to change the default shell to bash, see https://unix.stackexchange.com/questions/442510/how-to-use-bash-for-sh-in-ubuntu at StackExchange.
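
The following pre-install check is an added example, not part of the Splunk documentation. It tests the Debian prerequisites above (the install directory is not a symbolic link, /bin/sh resolves to bash) and the tar file note that the splunk account is not created for you; the function names and the account name splunk are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: pre-install checks for the prerequisites described above.
# Paths and the account name are parameters so the checks can be run against
# test fixtures; the defaults are the values this page names.

# The .deb installs only into /opt/splunk, which must be a regular
# directory (or not exist yet) and never a symbolic link.
check_install_dir() {
    cid_dir=${1:-/opt/splunk}
    if [ -L "$cid_dir" ]; then echo "symlink"; return 1; fi
    if [ -e "$cid_dir" ] && [ ! -d "$cid_dir" ]; then echo "not-a-directory"; return 1; fi
    echo "ok"
}

# Splunk Enterprise expects bash behind /bin/sh; on Debian it is often dash.
# Prints the name of the shell the path resolves to; succeeds only for bash.
check_sh_is_bash() {
    csb_target=$(readlink -f "${1:-/bin/sh}" 2>/dev/null) || csb_target=${1:-/bin/sh}
    csb_name=$(basename "$csb_target")
    echo "$csb_name"
    [ "$csb_name" = "bash" ]
}

# The installer does not create the service account (assumed name: splunk).
check_user_exists() {
    id -u "${1:-splunk}" >/dev/null 2>&1
}

# Run all checks, print one line per check, return the number of failures.
preflight() {
    pf_fail=0
    if pf_out=$(check_install_dir "${1:-/opt/splunk}"); then
        echo "PASS install dir: $pf_out"
    else
        echo "FAIL install dir: $pf_out"; pf_fail=$((pf_fail + 1))
    fi
    if pf_out=$(check_sh_is_bash "${2:-/bin/sh}"); then
        echo "PASS sh resolves to: $pf_out"
    else
        echo "FAIL sh resolves to: $pf_out"; pf_fail=$((pf_fail + 1))
    fi
    if check_user_exists "${3:-splunk}"; then
        echo "PASS service account exists"
    else
        echo "FAIL service account missing"; pf_fail=$((pf_fail + 1))
    fi
    return "$pf_fail"
}

preflight "$@" || echo "Resolve the FAIL items before running dpkg -i."
```

A symbolic-link result means the Debian package cannot be used for that host; the page directs you to the tar file installation in that case.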

Next steps

Now that you have installed Splunk Enterprise:

Uninstall Splunk Enterprise

To learn how to uninstall Splunk Enterprise, see Uninstall Splunk Enterprise.

Last modified on 11 April, 2023

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1
