Installing & Running Splunk

Now we'll cover a quick overview of installing Splunk on your personal machine so you can try it out. For the real nitty-gritty of each platform, for deploying in a multi-machine architecture, and for anything more complicated than hitting "Next", check out the Installation Manual on our documentation site.

Minimum Requirements

Platforms: most flavors of Windows, Mac OS X, and Linux, as well as specific FreeBSD and AIX versions.

Supported web browsers: most versions of Firefox, Internet Explorer, and Safari.

Hardware: basic rule: don't have a crap machine. Crap machines equal crap experience. A $1000 Windows laptop or a $2000 Mac laptop is good enough to try things out. When you're really ready to deploy Splunk, you'll want multi-core machines with 8GB, fast disks, and a 64-bit OS. If you've got Windows 95 on a 1MB x486, please go away.

Licensing

When you download Splunk for the first time, you get all of the Enterprise features of Splunk for 60 days and you can index up to 500 megabytes of data per day. At any time you can convert to a perpetual Free License or purchase an Enterprise License to continue using the expanded enterprise functionality, namely: multiple user accounts, distributed architecture and deployment for greater scaling, summary indexing for faster reporting, and scheduled searches and alerts.

Installation

Below we'll briefly walk through the graphical installers for Windows and MacOS. For command-line installations, installations on other platforms, or if you encounter problems, refer to the Splunk installation manual.

Windows

The Windows installer is an MSI file.

  1. To start the installer, double-click the splunk.msi file. The Welcome panel is displayed. To begin the installation, click Next.
  2. Accept the license agreement. We're nice people. Click Next.
  3. Enter the requested information on the Customer Information panel. Click Next.
  4. The Destination Folder panel is displayed. By default, Splunk is installed into \Program Files\Splunk. To specify a different install location, click Change. Click Next.
  5. The Logon Information panel is displayed. Splunk installs and runs two Windows services, splunkd and splunkweb. These services will be installed and run as the user you specify on this panel. You can choose to run Splunk with Local System credentials, or provide a specific account. The user Splunk runs as must have permissions to run as a service, read whatever files you are configuring it to monitor, collect performance or other WMI data, and write to Splunk's directory; that's usually your Domain Admin account.
  6. Select a user type and click Next.
  7. Click Install to proceed. The installer runs and displays the Installation Complete panel.
  8. Check the boxes to Start Splunk and Start Splunk Web now. Click Finish.
  9. The installation completes, Splunk starts, and Splunk Web launches in a supported browser.

MacOS

Below are instructions for the graphical installation using the DMG file:

  1. Double-click on the DMG file. A Finder window containing splunk.pkg opens.
  2. In the Finder window, double-click on splunk.pkg. The Splunk installer opens and displays the Introduction. Click Continue.
  3. In the Select a Destination window, choose a location to install Splunk. To install in the default directory, /Applications/splunk, click on the hard drive icon.

Uninstall Splunk

Refer to the installation manual for uninstalling. Tarzan sad.

Starting Splunk

Starting up Splunk

Splunk can run as any user on the local system, but you'll obviously want to make sure that that user has access to the data you want to use.

Windows

You can start and stop the following Splunk processes via the Windows Services Manager:

  • Server daemon: splunkd
  • Web interface: splunkweb

MacOS and Windows

You can start Splunk by opening a shell, going to the $SPLUNK_HOME/bin directory, where $SPLUNK_HOME is the directory into which you installed Splunk (on Windows, $SPLUNK_HOME defaults to "\Program Files\Splunk"), and typing in:

$ splunk start

You can stop or restart Splunk similarly:

$ splunk stop
$ splunk restart

Access the Web Interface

After you start Splunk and accept the license agreement, access the Splunk web interface at

http://localhost:8000

If you're not running Splunk on the same machine as you're browsing on, or if you're using a different port than the default (8000), change the values as necessary.

Log in

If you're using the free license, there will be no logon page; otherwise, log in with the default username ("admin") and password ("changeme").