Splunk Enterprise 6.

0
Installation Manual
Generated: 11/05/2013 12:28 pm

Copyright (c) 2013 Splunk Inc. All Rights Reserved

Table of Contents
Welcome to the Splunk Enterprise Installation Manual...................................1 What's in this manual................................................................................1 Plan your Splunk Enterprise installation...........................................................2 Installation overview..................................................................................2 System requirements.................................................................................3 Components of a Splunk deployment.....................................................10 Estimate your storage requirements.......................................................11 Splunk architecture and processes.........................................................13 Information on Windows third-party binaries distributed with Splunk......16 Step-by-step installation instructions .......................................................19 Secure your Splunk installation...............................................................19 Estimate hardware requirements.....................................................................20 Hardware capacity planning for your Splunk deployment........................20 How incoming data affects Splunk performance.....................................22 How indexed data impacts Splunk performance.....................................23 How the number of concurrent users impacts Splunk performance.......23 How saved searches affect Splunk performance....................................24 How search types impact Splunk performance.......................................24 How Splunk apps affect Splunk performance.........................................26 How Splunk calculates disk storage ........................................................26 Reference hardware ................................................................................27 Performance questionnaire.....................................................................29 Summary of performance recommendations..........................................32 Install Splunk Enterprise on Windows .............................................................34 Choose the Windows user Splunk should run as .....................................34 Prepare your Windows network for a Splunk installation as a network or domain user.........................................................................................38 Install on Windows..................................................................................46 Install on Windows via the command line...............................................50 Correct the user selected during Windows installation............................58 Install Splunk Enterprise on Unix, Linux or Mac OS X...................................60 Install on Linux........................................................................................60 Install on Solaris......................................................................................63 Install on Mac OS....................................................................................67 Install on FreeBSD..................................................................................71
i

Table of Contents
Install Splunk Enterprise on Unix, Linux or Mac OS X Install on AIX...........................................................................................75 Install on HP-UX ......................................................................................77 Run Splunk as a different or non-root user.............................................79 Start using Splunk Enterprise..........................................................................82 Start Splunk for the first time...................................................................82 What happens next?................................................................................84 Learn about Splunk's accessibility..........................................................85 Install a Splunk Enterprise license ...................................................................87 About Splunk licenses.............................................................................87 Install a license ........................................................................................87 Upgrade or migrate Splunk Enterprise............................................................90 How to upgrade Splunk...........................................................................90 About Upgrading to 6.0 - READ THIS FIRST.........................................92 How Splunk Web procedures have changed from version 5 to version 6 .................................................................................................101 Changes for Splunk App developers .....................................................102 Upgrade to 6.0 on UNIX........................................................................107 Upgrade to 6.0 on Windows..................................................................110 Migrate a Splunk instance.....................................................................112 Migrate to the new Splunk licenser.......................................................117 Uninstall Splunk Enterprise............................................................................120 Uninstall Splunk....................................................................................120 Reference ..........................................................................................................124 PGP Public Key .....................................................................................124

ii

Note: If you want to install the Splunk universal forwarder. which are full Splunk Enterprise instances with some features changed or disabled. A PDF version of the manual is generated on the fly for you. For an introduction to forwarders. click the red Download as PDF link below the table of contents on the left side of this page. see "About forwarding and receiving".Welcome to the Splunk Enterprise Installation Manual What's in this manual Use the Installation Manual to learn how to install Splunk Enterprise.. Unlike Splunk heavy and light forwarders. you can visit the Splunk Community Wiki to see how other users Splunk IT. Find what you need You can use the table of contents to the left of this panel.. you can find: • System requirements • Licensing information • Procedures for installing • Procedures for upgrading from a previous version . read "Universal forwarder deployment overview" in the Forwarding Data Manual. In this manual. and you can save it or print it out to read later.and more. If you're interested in more specific scenarios and best practices. the universal forwarder is an entirely separate executable. with its own set of installation procedures. or simply search for what you want in the search box in the upper right. Make a PDF If you'd like a PDF of any version of this manual. 1 .

review "Hardware capacity planning for your Splunk deployment" in this manual for insight into the amount of hardware a Splunk deployment requires. and how you plan to use Splunk. We strongly suggest that you read this topic and the contents of this chapter first before performing an installation. If this is the first time you have installed Splunk. you can calculate how much space you need to index your data. Review the system requirements for installation. 2 .Plan your Splunk Enterprise installation Installation overview This topic discusses the basic steps required to install Splunk on a computer. and "Splunk architecture and processes" to learn what the Splunk installer puts on your computer. If you plan to run Splunk in a production environment. Perform the installation using the step-by-step installation instructions for your operating system. 2. Installation basics The following list provides general guidance on how to install Splunk: 1. Read "Components of a Splunk deployment" to learn about Splunk's ecosystem. Specific additional requirements might apply based on the operating system you install Splunk on. 5. 3. After you've installed Splunk. 4. Download the correct installation package for your system from the Splunk download page. 6. you might want to consider reading the Splunk Search Tutorial to learn how to index data into Splunk and search that data using Splunk's search language. 7. Read "Estimate your storage requirements" for additional information.

read "Migrate a Splunk instance" in this manual. You can also review our product road map. System requirements Before you download and install the Splunk software. If you want to know how to migrate a Splunk instance from one system to another. Supported OSes Important: Read the following tables carefully when researching the system requirements. Find the operating system you wish to install Splunk on in the left column. Then. Splunk availability has changed significantly from previous versions. and Splunk Universal Forwarder. read "How to upgrade Splunk" in this manual for information and specific instructions. For a discussion of hardware planning for deployment. as shown in the two columns on the right: Splunk Enterprise/Trial. If you have ideas or requests for new features to add to future releases. Refer to the download page for the latest version to download. An empty box 3 . To find out whether or not Splunk is available for your platform: 1. read this topic to learn which computing environments Splunk supports. The tables show availability for two different types of Splunk. The tables below list the computing platforms that Splunk is available for. An 'x' in the box that intersects your computing platform and desired Splunk type means that Splunk is available for that platform. 2. get in touch with Splunk Support. review "Hardware capacity planning for your Splunk deployment" in this manual.Upgrading or migrating a Splunk instance? If you're upgrading from an earlier version of Splunk. Check the release notes for details on known and resolved issues. read across to find the appropriate computing architecture in the center column that best matches your environment.

7 and 10.1 HP/UX? 11i v2 and 11i v3 x86 (64-bit) x86 (32-bit) x86 (64-bit) x86 (32-bit) PowerPC x86 (64-bit) x86 (32-bit) Intel PowerPC PowerPC Itanium x x x x x x x x x x* x x* Enterprise / Trial Universal Forwarder x x x* x* x x* x x x x x x x x x x x x PA-RISC x * Solaris 8 does not support 64-bit Splunk installs. Unix operating systems Operating system Architecture x86 (64-bit) Solaris 8* and 9 SPARC x86 (32-bit) Solaris 10 and 11* x86 (64-bit) SPARC x86 (32-bit) Linux.an 'x'.4+ with x86 (64-bit) Native POSIX Thread Library x86 (32-bit) Linux.0+ PowerLinux. Some boxes have characters in addition to .3 AIX 6. Solaris 11 does not support 32-bit Splunk installs.6+ Linux. 2. 2. Refer to the bottom of the tables to find out what the additional characters represent. 4 . Also.6+ FreeBSD 7** and 8 Mac OS X 10. 2. ** Be sure to read important notes on FreeBSD 7 below.means that Splunk is not available for that platform.8 AIX 5. 3.1 and 7.or instead of .

Operating system Architecture Enterprise / Trial x x*** x x*** x Universal Forwarder x x*** x x*** x x x*** ¶ ¶ x x*** x x x*** x x*** x Windows Server x86 (64-bit) 2003 and Server x86 (32-bit) 2003 R2 Windows Server x86 (64-bit) 2008 and Server x86 (32-bit) 2008 R2 Windows Server x86 (64-bit) 2012 Windows XP Windows Vista Windows 7 Windows 8 x86 (64-bit) x86 (32-bit) x86 (64-bit) x86 (32-bit) x86 (64-bit) x86 (32-bit) x86 (64-bit) x86 (32-bit) x x *** This version of Splunk is supported but is not recommended on this platform and architecture. Windows operating systems The table below lists the Windows computing platforms that Splunk is available for. Operating system notes and additional information Windows Certain parts of Splunk on Windows require elevated user permissions to function properly.? You must use gnu tar to unpack the HP/UX installation archive. For additional information about what is required. ¶ Splunk Enterprise is not available on this platform. read the following topics: 5 . Splunk Trial and Splunk Universal Forwarder are available. However.

• "Splunk architecture and processes" in this manual. then you must ensure that the editor you are using is configured to save in ASCII/UTF-8.x To run Splunk 6.x on 32-bit FreeBSD 7. FreeBSD 7. Be sure to read "Deprecated features" in the Release Notes for information on which platforms and features have been deprecated or removed entirely. Deprecated operating systems and features As we continue to version the Splunk product. we gradually deprecate support of older operating systems. If you edit or create a configuration file on an OS that does not use UTF-8 character set encoding. • "Considerations for deciding how to monitor remote Windows data" in the Getting Data In Manual. • "Choose the user Splunk should run as" in this manual. 8. For more information. Creating and editing configuration files on non-UTF-8 OSes Splunk expects configuration files to be in ASCII or Universal Character Set Transformation Format-8-bit (UTF-8) format. Splunk Support will supply "best effort" support for users running on FreeBSD 7. and 10 6 . 9. install the compat6x libraries. Supported browsers Splunk supports the following browsers: • Firefox 10. refer to "Install Splunk on FreeBSD 7" in the Community Wiki.x and latest • Internet Explorer 7. IPv6 platform support All Splunk-supported OS platforms are supported for use with IPv6 configurations except for the following: • AIX • HP/UX on PA-RISC architecture • Solaris 9 Refer to "Configure Splunk for IPv6" in the Admin Manual for details on Splunk IPv6 support.x.x.

Splunk needs sustained access to a number of resources. particularly disk I/O. Recommended hardware Splunk is a high-performance application. Pentium 4 or equivalent at 2 GHz. This is because virtualization works by abstracting the hardware on a system into resource pools from which VMs defined on the system draw as needed. 12 GB RAM. with a 64 bit OS installed. 2+ GHz CPU.4 GHz CPU.• Safari (latest) • Chrome (latest) You should also make sure you have the latest version of Adobe Flash installed to render any charts that use options not supported by the JSChart module. For a discussion of hardware planning for production deployment. For more information about this subject. 2x six-core. performance does degrade. Recommended and minimum hardware capacity Minimum supported hardware capacity Platform Recommended hardware capacity/configuration Non-Windows platforms Windows platforms 2x six-core. If you are performing a comprehensive evaluation of Splunk for production deployment. This hardware should meet or exceed the recommended hardware capacity specifications below. RAID 0 or 1+0. for indexing operations. Running Splunk in a VM or alongside other VMs can cause reduced indexing performance. we recommend that you use hardware typical of your production environment. 7 . 2+ GHz CPU. Be certain that a RAID 0 configuration meets your data reliability needs before deploying a Splunk indexer on a system configured with RAID 0. 1x1. see "Hardware capacity planning for your Splunk deployment" in this manual. 12 GB RAM. Splunk and virtual machines If you run Splunk in a virtual machine (VM) on any platform. with a 64 bit OS installed. Redundant Array of Independent Disks 1 GB RAM (RAID) 0 or 1+0. 2 GB RAM Note: RAID 0 configurations do not provide fault-tolerance. see "About JSChart" in the Splunk Data Visualizations Manual.

Your Splunk administrator should determine the correct level. 512 MB RAM Supported file systems Platform Linux Solaris FreeBSD AIX HP-UX File systems ext2/3/4. deployment clients. Hardware requirements for universal and light forwarders Recommended Dual-core 1. Important: For all installations. Splunk might run a startup utility named locktest to test the viability of a filesystem for running Splunk. Considerations regarding file descriptors (FDs) on *nix systems Splunk allocates file descriptors on *nix systems for actively monitored files. the default file descriptor limit (controlled by the ulimit command on a *nix-based OS) is 1024. NFS 3/4 Windows NTFS.0 Ghz processor. and so on. NFS 3/4. FAT32 Note: If you run Splunk on a filesystem that is not listed above. NFS 3/4 UFS. 1 GB+ RAM Minimum 1. NFS 3/4 VXFS. VXFS. reiser3.• All configurations other than universal and light forwarder instances require at least the recommended hardware configuration. then the filesystem is not suitable for running Splunk. ZFS JFS.5 GHz+ processor. it?s easy to see how a few hundred 8 . Locktest is a program that tests the start up process. including forwarders. NFS 3/4 Mac OS X HFS. Refer to "Estimate your storage requirements" in this manual for additional information. • The minimum supported hardware guidelines are designed for personal use of Splunk. forwarder connections. UFS. you must have a minimum of 5 GB of hard disk space available in addition to the space required for any indexes. The requirements for Splunk in a production environment are significantly higher. XFS. but it should be at least 8192. If locktest runs and fails. ZFS. Usually. JFS2. Even if Splunk allocates just a single file descriptor for each of the activities above. users running searches. NFS 3/4 FFS.

so you should increase the ulimit value if you start to see your instance run into problems with low FD limits. This consideration is not applicable to Windows-based systems.files being monitored. The more tasks your Splunk instance is doing. Doing so causes performance issues and can potentially lead to data loss.mounts where the client continues to attempt to contact the server in case of a failure) are reliable with Splunk. Considerations regarding Network File System (NFS) When choosing to use Network File System (NFS) as a storage medium for Splunk indexing. then you must provide Splunk a separate mount with attribute caching enabled. or with vendors that provide high-availability. read about ulimit in the Troubleshooting Manual. clustered network storage. note the following caveats: • Splunk does not support "soft" NFS mounts (mounts which cause a program attempting a file operation on the mount to report an error and continue in case of a failure). • Only "hard" NFS mounts . For more information. • Do not use NFS mounts over a wide area network (WAN). Splunk strongly recommends that you use block level storage rather than file level storage for indexing your data. • Do not disable attribute caching. NFS can be an appropriate choice. a handful of very active users on top of reading/writing to/from the datastore can easily exhaust the default setting. the more FDs it will need. a few hundred forwarders sending data. 9 . If you have other applications which require disabling or reducing attribute caching. In environments with reliable. customers who plan to choose this strategy should work closely with their hardware vendor to confirm that the storage platform they choose performs to the desired specification in terms of both performance and data integrity. If you choose to use NFS. However. it is important to consider all of the ramifications of file level storage. very high-bandwidth low-latency links.

monitor. The simplest deployment is the one you get by default when you install Splunk: indexing and searching on the same server. Data comes in from the sources you've configured. as well as Splunk Web.searches that request small sets of results over large swaths of data . you can also deploy components of Splunk on different servers to address your load and availability requirements. provide indexing capability for local and remote data and host the primary Splunk datastore. By using a single software component and easy to understand configurations. Components of a Splunk deployment Splunk is simple to deploy by design.when used in combination with bloom filters. Indexer Splunk indexers. "Scale your deployment: Splunk components". and report on your IT data. or index servers. Depending on your needs. alert. 10 . Search peers are also sometimes referred to as indexer nodes. See the download page for details. Supported server hardware architectures 32 and 64-bit architectures are supported for some platforms. see the Distributed Deployment manual. Refer to "How indexing works" in the Managing Indexers and Clusters manual for more information. For a more thorough introduction.Considerations regarding solid state drives Solid state drives (SSDs) deliver significant performance gains over conventional hard drives for Splunk in "rare" searches . particularly the topic. and you log into Splunk Web or the CLI on this same server to search. Search peer A search peer is an indexer that services requests from search heads in a distributed search deployment. They also deliver performance gains with concurrent searches overall. Splunk can coexist with existing infrastructure or be deployed as a universal platform for accessing IT data. This section introduces the types of components.

Search heads can be either dedicated or not. Forwarder Forwarders are Splunk instances that forward data to remote indexers for indexing and storage. In most cases. depending on whether they also perform indexing. Dedicated search heads don't have any indexes of their own (other than the usual internal indexes). See "What is distributed search" in the Distributed Search Manual to configure a search head to search across a pool of indexers. Instead. Refer to "About deployment server" in the Updating Splunk Instances manual for additional information about the deployment server. A deployment server distributes configuration information to running instances of Splunk via a push mechanism which is enabled through configuration. or search peers.Search head A search head is a Splunk instance configured to distribute searches to indexers. Deployment server Both indexers and forwarders can also act as deployment servers. Functions at a glance Functions Indexing Web Direct search Forward to indexer Deploy configurations x Indexer Search head Forwarder x x x x x x Deployment server Estimate your storage requirements 11 . Refer to the "About forwarding and receiving" topic in the Forwarding Data manual. they consolidate results that originate from remote search peers. they do not index data themselves.

Go to $SPLUNK_HOME/var/lib/splunk/defaultdb/db. and then checking the sizes of the resulting directories in defaultdb. 2.) With a little experimentation. Extract du. you can estimate how much index disk space you will need for a given amount of incoming data. The best way to get an idea of your space needs is to experiment by indexing a representative sample of your data. pre-indexed raw data. Open a command prompt. Note: You can also place it anywhere in your %PATH%. Depending on the data's characteristics. (It also creates a few metadata files. 5. Run del %TEMP%\du.txt. On *nix systems. Run du -ch hot_v* and look at the last total line to see the size of the index. follow these steps Once you've indexed your data sample: 1.exe from the downloaded ZIP file and place it into your %SYSTEMROOT% folder. you might want to tune your segmentation settings. 4. the compressed rawdata file is approximately 10% the size of the incoming. Download the du utility from Microsoft TechNet. it creates two main types of files: the "rawdata" file that contains the original data in compressed form and the index files that point to this data. Once there. On Windows systems. as described in "About segmentation" in the Getting Data In Manual.txt & for /d %i in (hot_v*) do du -q -u %i\rawdata | findstr /b "Size:" >> %TEMP%\du. This value is affected strongly by the number of unique terms in the data. When Splunk indexes your data.This topic describes how to estimate the size of your Splunk index. so that you can plan your storage capacity requirements. 12 . The associated index files range in size from approximately 10% to 110% of the rawdata file. which don't consume much space. 2. 3. go to %SPLUNK_HOME%\var\lib\splunk\defaultdb\db. Typically. follow these steps 1.

the summary of which is the size of the index. Next. splunkd and splunkweb: • splunkd is a distributed C/C++ server that accesses. If you're looking for information about third-party components used in Splunk. It also handles search requests. Pipelines can pass data to one another via queues. Answers Have questions? Visit Splunk Answers to see what questions and answers other Splunk users had about data sizing. reusable C or C++ functions that act on the stream of IT data passing through a pipeline. processes and indexes streaming IT data. splunkd supports a command line interface for searching and viewing results. refer to the credits section in the Release notes. Add these numbers together to find out how large the compressed persisted raw data is. You will see Size: n.6. Splunk architecture and processes This topic discusses Splunk's internal architecture and processes at a high level. Add this number to the total persistent raw data number. Open the %TEMP%\du. Processes A Splunk server runs two processes (installed as services on Windows systems) on your host. run for /d %i in (hot_v*) do dir /s %i. You can now use this to extrapolate the size requirements of your Splunk index and rawdata directories over time. 9. splunkd processes and indexes your data by streaming it through a series of pipelines.txt file. ♦ Pipelines are single threads inside the splunkd process. ♦ Processors are individual. each made up of a series of processors. This is the total size of the index and associated data for the sample you have indexed. 13 . each configured with a single snippet of XML. 8. 7. which is the size of each rawdata directory found.

the splunkweb. similar to the *nix splunk program. Splunk does not alert you to the fact that its services are not running. • splunkweb runs a Web server on port 8000 without SSL/HTTPS by default. This is not an issue if you install Splunk as the Local System 14 .exe is a third-party. and configure Splunk. Additional processes for Splunk on Windows On Windows instances of Splunk. Splunk might not function correctly if this executable is not given the appropriate permissions on your Windows system. if you attempt to start Splunk from the Start Menu while in Safe Mode. nor the SplunkForwarder services starts if Windows is in Safe Mode. and allows you to start. Since it is a renamed file. Read information on other Windows third-party binaries distributed with Splunk. and splunkd can both communicate with your Web browser via REpresentational State Transfer (REST): splunkweb • splunkd also runs a Web server on port 8089 with SSL/HTTPS turned on by default.exe is the control application for the Windows version of Splunk. stop. Splunk and Windows in Safe Mode Neither the splunkd. splunk.• splunkweb is a Python-based application server based on CherryPy that provides the Splunk Web user interface. These scripted inputs run when configured by certain types of Windows-specific data input. in addition to the two services described above. It provides the command line interface (CLI) for the program. Additionally.exe Important: splunk. splunk.exe.exe requires an elevated context to run because of how it controls the splunkd and splunkweb processes. there are additional processes that Splunk uses when you create specific data inputs on a Splunk instance. On Windows systems. it does not contain the same file version information as other Splunk for Windows binaries. It allows users to search and navigate data stored by Splunk servers and to manage your Splunk deployment through a Web interface. splunkweb. open-source executable that Splunk renames from pythonservice.

splunk-winhostmon (new for version 6. splunk-admon's purpose is to attach to the nearest available AD domain controller and gather change events generated by AD. splunk-admon. Those changes come back into Splunk as searchable events. Splunk has a Windows event log input processor built into the engine. Splunk then stores these events in the desired index. splunk-perfmon.exe splunk-perfmon runs when you configure Splunk to monitor performance data on the local machine. which query the performance libraries on the system and extract performance metrics both instantaneously and over time.exe splunk-winevtlog You can use this utility to test defined event log collections. splunk-winhostmon 15 . splunk-netmon splunk-regmon runs when you configure a Registry monitoring input in Splunk. splunk-admon is spawned by splunkd whenever you configure an Active Directory (AD) monitoring input. then monitors changes to the Registry over time. This scripted input initially writes a baseline for the Registry as it currently exists (if desired). and it outputs events as they are collected for investigation.exe splunk-netmon (new for version 6.user.0) runs when you configure a Windows host monitoring input in Splunk. This scripted input gets detailed information about Windows hosts.0) runs when you configure Splunk to monitor Windows network information on the local machine. This service attaches to the Performance Data Helper libraries. splunk-regmon.

event log or other input against a remote computer. this program starts up. Except where indicated. This scripted input gets detailed information about Windows printers and print jobs on the local system. For more information about Splunk's universal forwarder. Architecture diagram Information on Windows third-party binaries distributed with Splunk This topic provides additional information on the third-party Windows binaries that the Splunk Enterprise and the Splunk universal forwarder packages include. Splunk then stores the events. Depending on how you configure the input. read "Deploy the universal forwarder" in the Forwarding Data Manual.0) runs when you configure a Windows print monitoring input in Splunk. Third-party Windows binaries included with Splunk The following third-party Windows binaries ship with the Splunk product. or it executes a Windows Query Language (WQL) query against the Windows Management Instrumentation (WMI) provider on the specified remote machine(s). splunk-winprintmon splunk-wmi When you configure a performance monitoring. 16 . only the Splunk Enterprise product includes these binaries. either it attempts to attach to and read Windows event logs as they come over the wire.splunk-winprintmon (new for version 6.

Jsmin. Both Splunk Enterprise and the Splunk universal forwarder include this binary. 17 .such as those you download from the Internet in the course of extending Splunk's capabilities . Additionally. It typically compresses files to within 10% to 15% of the best available techniques (the PPM family of statistical compressors). Any other binaries. Both Splunk Enterprise and the Splunk universal forwarder include this binary.exe Jsmin. whilst being around twice as fast at compression and six times faster at decompression.exe Bzip2 is a freely available.have not been tested for this compliance. Note: Only the third party binaries.dll is the Extensible Markup Language (XML) C parser and toolkit developed for the GNOME project (but usable outside of the GNOME platform). reducing their size. apps and scripts that ship with Splunk have been tested for Certified for Windows Server 2008 R2 (CFW2008R2) Windows Logo compliance. Libxml2. Splunk does not provide support for debug symbols related to third-party modules.These binaries provide functionality to Splunk as shown in their individual descriptions.dll Libarchive.dll Libxml2. or scripts . high-quality data compressor. Bzip2.exe is an executable that removes whitespace and comments from JavaScript files.dll Libexslt. Libexslt. None of them contains file version information or authenticode signatures (certificates which prove the binary file's authenticity). apps. Archive. patent-free (see below).dll is the Extensions to Extensible Stylesheet Language Transformation (EXSLT) dynamic link C library developed for libxslt (a part of the GNOME project).dll is a multi-format archive and compression library.

Pythoncom. Minigzip.dll is the XML Stylesheet Language for Transformations (XSLT) dynamic link C library developed for the GNOME project.exe Minigzip.exe is the minimal implementation of the ?gzip? compression tool. Both Splunk Enterprise and the Splunk universal forwarder include this binary. commercial-grade. It also implements most of the EXSLT set of processor-portable extensions functions and some of Saxon's evaluate and expressions extensions. Pywintypes27.7.dll is a module that encapsulates the Object Linking and Embedding (OLE) automation API for Python.dll Libxslt. full-featured.exe Python. Both Splunk Enterprise and the Splunk universal forwarder include this binary.Both Splunk Enterprise and the Splunk universal forwarder include this binary. XSLT itself is an XML language to define transformation for XML.dll Pythoncom.dll is a module that encapsulates Windows types for Python version 2. Libxslt is based on libxml2 the XML C library developed for the GNOME project.exe is the Python programming language binary for Windows. and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Openssl.dll Pywintypes27. Libxslt.exe The OpenSSL Project is a collaborative effort to develop a robust. Python. 18 .

• Audit and monitor your system regularly.Step-by-step installation instructions Now that you've learned what Splunk is and what is needed to install it. you can get detailed installation procedures for your operating system: • Windows • Windows (from the command line) • Linux • Solaris • Mac OS X • FreeBSD • AIX • HP-UX Secure your Splunk installation As soon as you set up and begin using your new Splunk installation or upgrade. The Securing Splunk manual provides information about the many ways you can or should secure Splunk. • Lock down your network access and configuration. • Configure secure authentication. Taking the proper steps to secure Splunk reduces its attack surface and mitigates the risk and impact of most vulnerabilities. review the hardening standards in the Securing Splunk manual. We offer plenty of ways to monitor and audit your systems. You can easily set your passwords across all servers to lock down your system. you should perform a few additional steps to ensure that Splunk and your data are secure. We provide guidelines and further instructions for adding SSL encryption and authentication to your configuration. 19 . For a checklist of things you should do to harden your Splunk configuration. • Use Access Control Lists (ACLs) to restrict the IPs that access parts of your networks. Take a few steps to make your Splunk physically and virtually more secure. Some key actions you should take after installation: • Modify your default passwords.

The more data you send to Splunk. There are scenarios where you must consider adding infrastructure to your Splunk deployment for maximum efficiency and performance. 2. 20 . report and generate alerts on. a single indexer can handle the load of both searching and indexing. Below is a list of things that significantly impact Splunk's performance: 1. This chapter discusses high level hardware guidance for Splunk deployments and describes how Splunk uses hardware resources in various situations." 3. Finally. 2. Taking advantage of that flexibility requires careful planning. The amount of indexed data. learn about the type of hardware that comprises a "single indexer" by reading "Reference hardware. Before deciding on your hardware outlay for Splunk: 1. As the amount of data stored in Splunk's index goes up. read the remaining topics in this chapter to learn how Splunk operations impact performance and how to maximize that performance. Dimensions of a Splunk deployment In some cases. the server that indexes that data requires additional bandwidth both to store the data and provide results for searches.Estimate hardware requirements Hardware capacity planning for your Splunk deployment Splunk is a flexible product that meets almost any scale and redundancy requirement in the course of its operation. Be sure to review "Components of a Splunk Deployment" in this manual for a description of all of the elements of a Splunk installation. the more time Splunk needs to index it into results that you can search. The amount of incoming data. Next.

as some are bound by available CPU resources. read "Hardware capacity planning for a distributed Splunk deployment" to learn how to properly size your environment for an app's increased resource requirements. If you plan on running apps. Splunk needs capacity to perform those searches promptly and efficiently. it has significantly different resource needs than a setup with a low number of concurrent users and a high amount of daily indexing volume. The number of saved searches.3. The types of search you employ. The number of concurrent users. as both user count and amount of indexed data rise. Search types complicate matters further. Whether or not you run Splunk apps. How do these dimensions impact overall performance? Follow the links above to determine how each of the dimensions impacts performance on a reference indexer. Additionally. If you plan on running a lot of saved searches. and others are bound by the speed of the disk subsystem. the more resources are required. 5. 6. If more than one person at a time uses an instance of Splunk. There are several different types of search. For example. and configuration considerations. that instance requires more resources for those users to do searches and create reports and dashboards. deployment. 4. The more saved searches you run in a given period of time. each of which affects how the indexer responds to search requests. You must discover how these factors correlate with one another in your specific application in order to realize maximum performance. Additionally. Refer to the installation and deployment section of your app or solution's documentation for additional information. 21 . you must distribute the environment across multiple servers to maintain a similar performance level. Splunk apps and solutions can have unique performance. if your Splunk deployment calls for a low amount of indexing but has a high number of concurrent users. it's important to understand that addressing each of them individually does not guarantee peak efficiency for your Splunk deployment. While these factors impact the basic sizing requirements of your Splunk deployment on the whole. make sure you consider the resource requirements of the app(s) you are using. Almost as important as the number of saved searches is the types of search that you run against a Splunk system.

the indexer uses more system memory to process and index them. A reference Splunk indexer can index a significant amount of data in a short period of time . Larger events slow down indexing performance.up to 5. then refer to the performance questionnaire later in this chapter to help ascertain when you should add more hardware resources: • How much data do you expect to index daily? • How much data do you need to retain? • How many users do you expect to search through the data at any one time? • Do you plan to use certain specific searches more than once? • Do you want or need to use a Splunk app to present or manipulate your data? The key to a well-performing installation is to develop a plan early in the deployment cycle to account for both your initial outlay of hardware resources. This is if the server is doing nothing else but consuming data. Ask yourself these questions. as well as the addition of resources when the deployment scales up. Performance changes depending on the size and amount of incoming data.or 500 GB per day.8 MB of data per second . If you need more indexing capacity than a single indexer can provide. You can read about capacity planning for a distributed deployment at "Hardware capacity planning for a distributed Splunk deployment" in the Distributed Deployment Manual. 22 . you must add indexers into the deployment to account for the increased demand. How incoming data affects Splunk performance This topic discusses how incoming data impacts Splunk indexing performance. As events increase in size.When should I scale my Splunk deployment? To best answer this question you must understand how the above Splunk deployment dimensions apply to your specific use case.

How the number of concurrent users impacts Splunk performance This topic discusses how the number of concurrent users impacts Splunk's performance on a single indexer. for as long as the search is active. those kinds of requests can be very I/O-intensive. disk throughput splits between indexing (which is ongoing) and search requests (which are interrupts based on requests scheduled by users. only additional indexers can increase capacity for all three functions of Splunk operation. This CPU core only handles the actual session itself. search. then the load splits across other available CPUs. If they're processing any other system requests. taking up disk space. or CPU cores used by Splunk to index data. On a single indexer. This impacts search as well. When a user starts searching. 23 .How indexed data impacts Splunk performance This topic discusses how data that has already been consumed by Splunk affects Splunk performance. each search request takes up an additional CPU core. These figures assume that CPUs are idle when they receive a login or search request. Once Splunk consumes data and places it into indexes. Splunk takes more time to index incoming data because the indexer's disk subsystem takes more time to find space to store the data. and handling on-line users. Depending on the type of search. search slows down because not only does the disk subsystem need to account for search requests. all activities on an indexer slow down as the computer splits processing time between indexing. those indexes grow.) As indexes grow. A reference Splunk indexer needs to dedicate one of its available CPU cores for every user that logs into the system. it also needs to handle increasingly longer requests to store incoming data. At that point. As CPU cores get used up. As the indexes grow and available disk space decreases. This does not account for other system requests.

A reference indexer should be able to fetch up to 5. It also increases the amount of disk I/O temporarily as the disk subsystem looks through the indexes to fetch the desired data. A dense search is a search that returns a large percentage (10% or more) of matching results for a given set of data in a given period of time. Dense searches usually tax a server's CPU first. because of the overhead required to decompress the raw data stored in a Splunk index. search results return more slowly. How search types impact Splunk performance This topic discusses how the different types of search impact Splunk's overall performance on a single reference indexer. On a reference Splunk indexer. they will queue. This consumption is separate from CPU usage from the operating system and Splunk indexing and storage processes. Splunk also warns you when the system reaches the maximum number of saved searches.000 matching events per second for a dense search. When searches queue.How saved searches affect Splunk performance This topic discusses how the number of saved searches . Sparse searches return smaller numbers of results for a given set of data in a given period of time (anywhere from . Each additional saved search that executes at the same time consumes an additional CPU core. There are four basic types of search that you can invoke against data stored in a Splunk index.01 to 1%) than dense searches do. Adding indexers and search heads provides additional CPU cores to run more concurrent searches. If more saved searches execute than can be accepted for processing. Sparse. Adding RAM to your existing machines helps with concurrent searches but does not give you additional search capacity. A reference server should be able to fetch up to 50. The search types are: Dense.searches that you save to use again at a later time .000 matching events per 24 . Each of these search types impacts the Splunk indexer in a different way. a saved search consumes about 1 CPU core and a specified amount of memory while it executes.affect Splunk performance.

Rare. Splunk measures performance based on number of matching events.second when executing a sparse search. Super-sparse. Sparse searches return a smaller amount of results for a given set of data in a given period of time than dense searches do. and a super-sparse search can take a very long time to complete. If you have a large amount of data stored on your indexer. Rare searches are like super-sparse searches in that they match just a handful of results across a number of index buckets. This can take up to two seconds per searched bucket. This allows a rare search to complete anywhere from 20 to 100 times faster than a super-sparse search. while with super-sparse and rare searches. indexer throughput Up to 50. A super-sparse search is very I/O intensive because the indexer must look through all of the buckets of an index to find the desired results.significantly reduce the number of buckets that need to be searched by eliminating those buckets which do not contain events that match the search request. performance is measured based on total indexed volume. Note that for dense and sparse searches.000 matching events per second Performance impact Generally CPU-bound Dense Sparse Generally CPU-bound Super-sparse Super-sparse searches return a Up to 2 very small number of results seconds per from each index bucket which index bucket match the search.000 matching events per second Up to 5. Search type Description Dense searches return a large percentage of results for a given set of data in a given period of time.data structures that test whether or not an element is a member of a set . Depending 25 Primarily I/O bound . Ref. Summary The following table summarizes the different search types. for the same amount of data searched. The major difference with rare searches is that bloom filters . A super-sparse search is a "needle in the haystack" search that retrieves only a very small number of results across the same set of data within the same time period as the other searches. there are a lot of buckets.

Splunk calculates total disk storage as follows: ( Daily average indexing rate ) x ( retention policy ) x 1/2 If you want to base your calculation on the specific type(s) of data that Splunk will index. 26 . Rare searches are similar to super-sparse searches.the more things an app does. Rare searches return per second results anywhere from 20 to 100 times faster than a super-sparse search does. Rare How Splunk apps affect Splunk performance This topic discusses how Splunk apps impact overall Splunk performance on a single reference indexer. the more likely you must distribute it across multiple machines. Splunk apps often need more than one server to realize both maximum performance and potential in the enterprise. At a high level. How Splunk calculates disk storage This topic discusses how Splunk calculates disk storage. but are assisted by bloom filters which From 10 to 50 help eliminate index buckets Primarily I/O index buckets that do not match the search bound request. dashboards. you can use the method described in "Estimate your storage requirements" in this manual. these types of search can take a long period of time.Splunk actually runs several included with the product . or many indexers and search heads connected together and serving up reports. Whether it's a case of universal forwarders fetching data and sending it to a single central instance. While many apps can run on a single indexer . Many apps require a distributed Splunk deployment by design.on how large the set of data is. or alerts.

Important: Shares mounted over a Wide Area Network (WAN) connection or on standby storage such as tape are never suitable storage choices for Splunk operations. The reference machine described below produces the following index and search performance metrics for a given sample of data: Indexing performance • Up to 5. provided no other Splunk activity is occurring.000 events per second for sparse searches • Up to 2 seconds per index bucket for super-sparse searches • From 10 to 50 buckets per second for rare searches with bloom filters To find out more about the types of searches and how they affect Splunk performance. this means you can store nearly 6 months' worth of data at an indexing rate of 5 GB/day.8 megabytes per second (500 GB per day) of raw indexing performance. a reference machine helps you understand when it is time to scale and distribute the deployment. you can opt for either more local disks (required for frequent searching) or attached or network storage (acceptable for occasional searching).Splunk stores raw data at up to approximately half its original size due to compression. If you need additional storage. read "How search types affect Splunk performance" in this manual. 27 . Search performance • Up to 50.000 events per second for dense searches • Up to 5. Following is an example of such a machine. Reference hardware When sizing your Splunk environment's hardware needs. Low-latency connections over NFS or SMB/CIFS (Server Message Block/Common Internet File System) are acceptable for searches over long time periods where instant search returns can be compromised to lower cost per GB. On a volume that contains 500 GB of usable disk space. Refer to this configuration as the standard for the remainder of this chapter. or 10 days' worth at a rate of 100 GB/day.

The more average IOPS a hard drive can produce.ORG (A sysadmin blog). Since a hard drive reads and writes at different speeds. • "Analyzing I/O performance in Linux (http://www. 6 cores per CPU (12 cores total). review the following articles: • "Getting the hang of IOPS (http://www.Bare-metal hardware • Intel x86 64-bit chip architecture • 2 CPUs. at least 2 Ghz per core • 12 GB RAM • Standard 1 Gb Ethernet NIC.symantec.com/connect/articles/getting-hang-iops-v13) on Symantec's Connect Community. there are IOPS numbers for disk reads and writes. always choose those drives that have high rotational speeds and low average latency and seek times. the more data it can index and search in a given period of time. Every drive manufacturer provides this information (and some provide much more). For additional information on IOPS and how to calculate them. optional 2nd NIC for a management network • Standard 64-bit Linux or Windows distribution Disk subsystem The reference computer's disk subsystem should be capable of handling a high number of averaged Input/Output Operations Per Second (IOPS).org/2010/04/22/analyzing-io-performance-in-linux) on CMDLN. the three most important elements are: • its rotational speed (in revolutions per minute) • its average latency (the amount of time it takes to spin its platters half a rotation) • its average seek time (the amount of time it takes to retrieve a requested block of data. IOPS are a measurement of how much data throughput a hard drive can produce.) To get the most IOPS out of a hard drive.cmdln. While many variable items factor into the amount of IOPS that a hard drive can produce. 28 . The average IOPS is the blend between those two figures.

For this application.results return anywhere from 15 to 20 percent slower than on a physical machine. Using that benchmark as a baseline again. The combined array produces a little over 800 IOPS. This is a best-case scenario that does not account for resource contention with other active VMs on the same physical server. In addition to the security concerns of running Splunk in a public cloud. Virtual hardware Splunk performs fastest when deployed directly on to bare-metal hardware. Splunk indexing performance on a cloud-based computer is roughly half that of a real one. Searching suffers. 29 . there are various concerns that you must be aware of when doing so. we fully support deploying Splunk on virtual hardware. Using the bare metal hardware as a baseline. so always consider disk infrastructure first when specifying your hardware. Splunk can and does deliver on virtual equipment.000 RPM serial-attached SCSI (SAS) HDs in a Redundant Array of Independent Disks (RAID) 1+0 fault tolerance scheme as the disk subsystem. Important: Splunk is often constrained by disk I/O first. However. Search performance is on par with the real-world hardware. we use eight 146-gigabyte. It also does not take into account certain vendor-specific I/O enhancement techniques (such as Direct I/O or Raw Device Mapping). you must also note that performance degrades significantly compared to bare-metal hardware. Performance questionnaire Overview This topic helps you make the choice on whether or not to distribute your Splunk deployment. 15. Splunk in the cloud While you can run Splunk in the cloud. as described above. Splunk generally indexes data about 30% slower on a virtual machine (VM) than it does on a standard reference machine. Each hard drive is capable of about 200 average IOPS. What's more. too .

you might have to distribute your deployment based on the types of searches you employ.This questionnaire is for a single-server Splunk deployment based on the reference architecture described in "Reference hardware. if you answered "YES" then you should scale your Splunk deployment to multiple machines. If you answered "YES" to either question then proceed to Question 4. Even if your indexing amount and user count falls within the capabilities of a single server. and whether or not you use summary indexes. Depending on how much data you index and how many concurrent users you require. If you answered "NO" to this question. or you create elements that generate a large number of saved searches. The number of saved searches . Question 2: Do you need to index more than 2 GB of data per day? Question 3: Do you need more than 2 users signed in at one time? If the answer to both questions is "NO" then your Splunk instance can safely share one of the reference servers with other services. then proceed to Question 2. If you want to run a Splunk app or solution in your Splunk environment. you might need to scale your environment to multiple machines." Determine when to scale your Splunk deployment Before you consider whether or not to scale. with the caveat that Splunk must have sufficient disk I/O bandwidth on the shared machine. and whether or not you need more than one concurrent Splunk user to search that data. You don't need to consider scaling your Splunk deployment to multiple machines just yet. alert or solution that executes a large number of saved searches (more than 8 concurrently)? A saved search is a search that a user saves to make available for later use. Question 1: Do you want to create or run a Splunk app. estimate how much data you need to index. Review detailed information on hardware capacity planning for distributed Splunk deployments in "Hardware capacity planning for a distributed Splunk Deployment" in the Distributed Deployment Manual.especially those run concurrently . However. 30 .directly impacts a Splunk server's performance. you might have to distribute Splunk components across a number of machines.

This is because those services are often very disk I/O intensive. Question 6: Do you need more than 500GB of total storage? Read "How Splunk calculates disk storage" to learn how Splunk calculates disk storage. Read the following section to determine how Splunk calculates storage. Active Directory domain services. you must ensure that any anti-virus software installed on the server does not scan the Splunk installation directory. If the answer to this question is "YES" then you should definitely consider scaling your deployment up. Additionally. and can dramatically reduce indexing and search performance. 31 . However. adding additional indexers does improve both indexing and search performance. If the answer to this question is "NO" then a single dedicated reference Splunk server should be able to handle your workload.Note: If you are deploying Splunk on Windows. Question 4: Do you need to index more than 100 GB per day? Question 5: Do you need more than 4 concurrent users? If the answer to both questions is "NO" then a single dedicated Splunk server of our reference architecture should be able to handle your workload. or machine virtualization software. you must not share full Splunk services on servers that run Microsoft Exchange. If the answer to this question is "YES" then you should consider scaling your deployment to additional indexers to cope with the increased demand of indexing and searching. These searches require lots of disk I/O because the indexer must search a number of buckets to find the data you're looking for. Question 7: Do you need to search large quantities of data for a small set (less than 1 per cent) of results? Searches that cover large quantities of data and return small sets of results are known as super-sparse searches. If the answer to this question is "NO" then you probably do not need to scale your deployment. but you might need to add fast storage to the system to account for the increased space usage.

the reference hardware is: • Intel x86 64-bit chip architecture • 2 CPUs. dedicated 2 Recommended Search Heads N/A N/A 1 100 GB/day to up to 8 200 GB/day 32 . then you should scale your deployment as described in "Hardware capacity planning for a distributed Splunk deployment" in the Distributed Deployment Manual. shared 1. If a server is performing both actions at the same time. depending on the number of concurrent users and amounts of data that the instance indexes. Daily Indexing Volume < 2 GB/day 2 GB/day to 100 GB/day Number of Concurrent Search Users <2 up to 4 Recommended Indexers 1. contact Splunk. 6 cores per CPU (12 cores total). read "Reference hardware" in this manual. The table below shows the amount of reference servers that are required to index and search data in Splunk. or need more concurrent users than this table shows. As a reminder. The figures shown here are approximate guidelines only. at least 2 Ghz per core • 12 GB RAM • Disk subsystem capable of producing 800 IOPS • Standard 1Gb Ethernet NIC. have higher indexing volumes. such as either indexing or searching. If you run Splunk apps. If you need more guidance. Important: The figures shown in the table below only account for the reference server in question performing a single task. optional 2nd NIC for a management network • Standard 64-bit Linux or Windows distribution For additional information about the reference server.Summary of performance recommendations This topic summarizes the performance recommendations that were given in the performance questionnaire. employ multiple or I/O-heavy searches. performance can and does degrade depending on the amount of indexing and searching happening at the time.

or for additional concurrent users.Note: For indexing requirements greater than 100 GB per day. Answers Have questions? Visit Splunk Answers to see what questions and answers other Splunk users had about hardware and Splunk. 33 . review the hardware capacity requirements in the Distributed Deployment Manual.

A user other than Local System has access to whatever data you want it to. The Local System user has access to all data on the local machine. "Install on Windows via the command line. or as another existing user on your Windows computer or network. or you are not sure.this topic contains important information about the user you should install Splunk as.") If there is a possibility that you will need to access remote Windows data. it presents you with the option to select the user that Splunk should run as. The Splunk user you choose depends on what you want Splunk to monitor The user Splunk runs as determines what it can monitor. If you already know that the computer you're installing Splunk on will not access remote Windows data then you can proceed directly to "Install on Windows" in this manual (or. which you designate. This topic applies to all versions of Splunk. but nothing else. including Splunk Enterprise and the Splunk universal forwarder. then read on . Splunk strongly recommends you read this topic before installing in order to understand the ramifications of choosing the user type. When you run the Splunk Windows installer. but you must give the user that access prior to installing Splunk. It applies to installing Splunk on Windows only.Install Splunk Enterprise on Windows Choose the Windows user Splunk should run as This topic discusses the steps you should take to choose which Windows user Splunk should run as when you install Splunk on Windows. if you want to install using the command prompt. About the "Local System user" and "other user" choices The basics The Windows Splunk installer provides two ways to install Splunk: as the "Local System" user. 34 .

The Splunk user also has unique password constraints . at a minimum: • Be a member of the Active Directory domain or forest you wish to monitor (when using AD). Caution: If the Splunk user does not have these minimum requirements satisfied. In this case. or at all. you must consider these things: • Before the password expires. If you're not sure which user Splunk should run as. • Configure the account so that its password never expires. • Have specific user security rights assigned to it prior to installing Splunk.If you intend to do any of the following with Splunk. Splunk user accounts and password concerns Another important issue that arises when you install Splunk with a user account is that any active password enforcement policy controls the password's validity. then you must install Splunk as an "other user": • read Event Logs remotely • collect performance counters remotely • read network shares for log files • enumerate the Active Directory schema using Active Directory monitoring Note: This is not an all-inclusive list. • Be a member of the local Administrators group on the server you're installing Splunk on. even if Splunk installation succeeds. Splunk might not run correctly. Read "Minimum permissions requirements" later in this topic for specific information. • Use a managed service account (read "Use managed service accounts on Windows Server 2008 and Windows 7" later in this topic). 35 . then review "Considerations for deciding how to monitor remote Windows data" in the Getting Data In Manual for additional information on how to configure the Splunk user with the access it needs. Splunk installation might fail.read "Splunk user accounts and password concerns" later in this topic for specifics. change it. The user that you specify must. and then restart Splunk. If your network enforces password changes. reconfigure Splunk services on every machine to use the changed password.

Windows Server 2008 R2.aspx) on MS Technet. • The MSA must be a local administrator on the machine that runs Splunk. • Administrators can delegate the administration of these accounts to non-administrators. and you do not have to manually set passwords or restart services associated with these accounts. passwords automatically change after they expire. To install Splunk using a MSA. and your AD domain has at least one Windows Server 2008 R2 or Server 2012 domain controller. or Windows 7 in Active Directory. This means that. as you would with a domain account. • Administrators no longer need to manage the credentials or administer the accounts. For information and instructions on how to do this. read "Prepare your Windows network for a Splunk installation as a network or domain user" in this manual. then there are a minimum number of permissions required on the server that runs Splunk. • You must correctly configure and install the MSA on the machine that runs Splunk before you install Splunk on the machine. review "Service Accounts Step-by-Step Guide" (http://technet. The major benefits of using a MSA are: • Increased security from the isolation of accounts for services.Use managed service accounts on Windows Server 2008. Windows Server 2012. 36 .com/en-us/library/dd548356%28WS. Windows Server 2012 and Windows 7 If you run Windows Server 2008. Some important things to understand before installing Splunk with a MSA are: • The MSA requires the same permissions as a domain account on the machine that runs Splunk.microsoft. • You cannot use the same account on different computers. among other things. Security and remote access considerations Minimum permissions requirements If you choose to install Splunk as a domain user.10%29. you can install Splunk to run as a managed service account (MSA).

How to assign these permissions This section contains high-level concepts on how to assign the appropriate user rights and permissions to the Splunk service account before attempting to install. Required basic permissions for the splunkweb service • Full control over Splunk's installation directory Required Local/Domain Security Policy user rights assignments for the splunkweb service • Permission to log on as a service Note: Splunk does not require these permissions when it runs as the Local System account. or at all. Depending on the sources of data you want to monitor. splunkweb. the Splunk user might need a significant amount of additional permissions. or an installation which does not function correctly. and splunkforwarder services require when Splunk is installed using a domain user.The following is a list of the minimum user rights and permissions that the splunkd. Required basic permissions for the splunkd or splunkforwarder services • Full control over Splunk's installation directory • Read access to any flat files you want to index Required Local/Domain Security Policy user rights assignments for the splunkd or splunkforwarder services • Permission to log on as a service • Permission to log on as a batch job • Permission to replace a process-level token • Permission to act as part of the operating system • Permission to bypass traverse checking Important: Failure to assign these permissions to the Splunk user prior to installation can result in a failed Splunk install. 37 . read "Prepare your Windows network for a Splunk installation as a network or domain user" in this manual. For step-by-step instructions.

consider using a tool such as Process Monitor or GPRESULT to troubleshoot GPO application in your environment. Once you've created and enabled the GPO. When setting user rights. The instructions shown here have been tested for Windows Server 2008 R2 and Windows Server 2012. you must also assign these rights within the GPO. the workstations and servers in your domain will pick up the changes either during the next scheduled AD replication cycle (usually every 1 1/2 to 2 hours) or at the next boot time. 38 . Important: Do not perform these instructions if you plan to install Splunk Enterprise or universal forwarder as the "Local System" user. depending on your usage and what data you want to access. Troubleshoot permissions issues The rights described above are the rights that the splunkd. many user rights assignments and other Group Policy restrictions can prevent Splunk from running. you can define a Group Policy object (GPO) with these specific rights. and splunkforwarder services specifically require. and you can't change this setting. Additionally. Read "Prepare your Active Directory to run Splunk services as a domain account" in this manual for specific instructions. splunkweb. Prepare your Windows network for a Splunk installation as a network or domain user The following procedures detail the steps you must take to prepare your Windows network to allow for Splunk installation as a network or domain user other than the "Local System" user.Use Group Policy to assign rights to multiple machines If you want to assign the policy settings shown above to a number of workstations and servers in your AD domain or forest. remember that rights assigned by a GPO override identical Local Security Policy rights on a machine. If you have issues. If you wish to retain previously existing rights that are explicitly defined through Local Security Policy on a machine. and deploy that GPO across the domain. Other rights might be needed. Alternatively. you can force AD replication using the GPUPDATE command line utility on the server on which you want to update Group Policy. and might differ slightly for other versions of Windows.

Once the program loads. 4. 39 . Prepare Active Directory for Splunk installation as a domain user The following instructions guide you through preparing your Active Directory to allow for installations of Splunk Enterprise or the Splunk universal forwarder as a domain account. 2. You might need to assign additional rights. This typically involves creating a specific Organizational Unit for groups within the organization. select New > Group. Run the Active Directory Users and Computers tool by selecting Start > Administrative Tools > Active Directory Users and Computers. in order for Splunk to access the data you want. These instructions assume the following: • You are running Active Directory. Create groups 1. Double-click an existing appropriate container folder to open it. Splunk recommends that you follow Microsoft's Best Practices (http://technet.Caution: These instructions require full administrative access to the computer and/or Active Directory domain you want to prepare for Splunk operations. Additionally. either within the Local Security Policy or Group Policy object (GPO). 3. select the domain that you want to prepare for Splunk operations. Do not attempt to perform this procedure without this access. • The computer(s) you plan to install Splunk on are members of the AD domain. • You are a domain administrator for the AD domain(s) you want to configure.microsoft. the rights you assign using these instructions are the minimum rights required for a successful Splunk installation. From the Action menu. or create a new Organization Unit by selecting New > Group from the Action menu.aspx) when creating users and groups. or to the user and group accounts you create.com/en-us/library/bb727085.

for example. Ensure that the Group scope is set to Domain Local. Define a Group Policy object (GPO) 1. Click OK to create the group. Once you have created the user account(s). select Domains. Ensure that the Group scope is set to Domain Local. Assign users and computers to groups If you have not already created the user account(s) that you want to use to run Splunk. Run the Group Policy Management Console (GPMC) tool by selecting Start > Administrative Tools > Group Policy Management. This group will contain computer accounts that get assigned the appropriate permissions to run Splunk as a domain user. 7. "Splunk Accounts". type in a name that represents Splunk user accounts. Click the Group Policy Objects folder. 5. type in a name that represents the fact that the GPO will assign user rights to the servers you apply it to. After you have done this. for example. In the Group Policy Objects in <your domain> folder. In the dialog that appears.5. and Group type is set to Security. Be sure to follow Microsoft's Best Practices for creating users and groups if you do not have your own internal policy. for example. right-click and select New from the menu that pops up. and Group type is set to Security." 40 . 3. In the New GPO dialog. add the account(s) to the Splunk Accounts group. you can exit Active Directory Users and Computers. 4. and add the computer accounts of the computers that will run Splunk to the Splunk Enabled Computers group. "Splunk Enabled Computers". 2. In the tree view pane on the left. "Splunk Access. Create a second group and specify a name that represents Splunk-enabled computers. now is a good time to do so. 6.

While still in the GPMC. b. In the Select Users. a. or Groups dialog that opens. Add rights to the GPO 1. click Browse? e. Repeat Steps 2a-2h for the following additional rights: • Bypass traverse checking • Log on as a batch job • Log on as a service • Replace a process-level token 41 . In the right pane. Click OK again to close the "Add User or Group" dialog. Click OK to close the "Select Users?" dialog. 2. Otherwise it tells you that it cannot find the object and prompts you for an object name again. Click OK to save the GPO. g. Service Accounts. type in the name of the "Splunk Accounts" group you created earlier. 3. browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.Leave the Source Starter GPO field set to "(none)". h. then click Check Names? Windows underlines the name if it is valid. double-click on the Act as part of the operating system entry. check the Define these policy settings checkbox. right-click on the newly created group policy object and select Edit from the pop-up menu that appears. In the Group Policy Management Editor that appears. f. Click Add User or Group? d. 6. c. Computers. In the window that opens. In the dialog that opens. in the left pane. Click OK again to close the rights properties dialog.

Otherwise it tells you that it cannot find the object and prompts you for an object name again. f. g. d. In the right pane. click Browse?" e. Computer. under Security Filtering. Computers. Click OK again to close the group properties dialog.4. 2. type in Administrators and click OK. type in the name of the "Splunk Accounts" group you created earlier. or Groups dialog that opens. In the properties dialog that appears. then click Check Names? Windows underlines the name if it is valid. click Add? 3. Click OK again to close the "Add User or Group" dialog. c. Service Accounts. Close the Group Policy Management Editor window to save the GPO. 5. GPMC displays information about the GPO in the right pane. type in "Splunk Enabled Computers" (or the name of the group that represents Splunk-enabled computers that you created earlier. browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups. Restrict GPO application to select computers 1. if it is not already selected. In the right pane. In the dialog that appears.) 42 . in the GPMC's left pane. While still in the Group Policy Management Editor window. select the GPO you created and added rights to. In the Select User. in the left pane. While still in the GPMC. or Group dialog that appears. b. right-click and select Add Group? in the pop-up menu that appears. a. In the Select Users. Click OK to close the Select Users? dialog. h. In the Add Member dialog that appears. click the Add button next to Members of this group:.

Click Remove. 6. it tells you it cannot find the object and prompts you for an object name again. select the GPO you created and edited. 5. you can force a Group Policy update by running GPUPDATE /FORCE from a command prompt on the computer on which you want to update Group Policy. and select Link an Existing GPO? in the menu that pops up. in the GPMC's left pane. Click OK to return to the GPO information window. 43 . select the domain that you want to apply the GPO you created. and click OK. Windows underlines the name. Typically. Under Security Filtering. GPMC applies the GPO to the selected domain. Repeat Steps 2-5 to add the "Splunk Users" group (the group that represents Splunk user accounts that you created earlier. Alternatively. GPMC removes the "Authenticated Users" entry from the "Security Filtering" field. Close GPMC by selecting File > Exit from the GPMC menu. 3. Otherwise. you can install Splunk with a managed system account. click the Authenticated Users entry to highlight it. Click Check Names.4. While still in the GPMC.) 7. If the group is valid. Create and configure the MSA that you plan to use to monitor Windows data. leaving only "Splunk Users" and "Splunk Enabled Computers. Right click on the domain. 2. 8. 4. Follow these instructions to do so: 1. Install Splunk with a managed system account Alternatively. In the Select GPO dialog that appears. replication happens every 90-120 minutes. You must wait this amount of time before attempting to install Splunk as a domain user. Note: Active Directory controls when Group Policy updates occur and GPOs get applied to computers in the domain." Apply the GPO 1.

After installation is complete. Install Splunk from the command line as the "Local System" user. and will have access to all data that the MSA has access to. 2. In this instance. use the Windows Explorer or the ICACLS command line utility to grant the MSA "Full Control" permissions to the Splunk installation directory and all its sub-directories. follow these instructions to give administrative access to the user you want Splunk to run as on the computers you want to install Splunk on. Important: You must install Splunk from the command line and use the LAUNCHSPLUNK=0 flag to keep Splunk from starting after installation is completed. 3. Important: You must append a dollar sign ($) to the end of the username when completing Step 4 in order for the MSA to work properly. the correct user is the MSA you configured prior to installing Splunk. Splunk will run as the MSA configured above. 4. Prepare a local machine or non-AD network for Splunk installation If you are not using Active Directory. Windows grants this right to the MSA automatically. Follow the instructions in the topic "Correct the user selected during Windows installation" in this manual to change the default user for Splunk's service account. if the MSA is SPLUNKDOCS\splunk1. Note: If you use the Services control panel to make the service account changes. 44 . 6. You must do this for both the splunkd and splunkweb services. Confirm that the MSA has the "Log on as a service" right. Note: You might need to break NTFS permission inheritance from parent directories above the Splunk installation directory and explicitly assign permissions from that directory and all subdirectories. Start Splunk. 5.Note: You can use the instructions in "Prepare your Active Directory to run Splunk services as a domain account" earlier in this topic to assign the MSA the appropriate security policy rights and group memberships. then you must enter SPLUNKDOCS\splunk1$ in the appropriate field in the properties dialog for the service. For example.

3. double-click on the Act as part of the operating system entry. Give the user Splunk should run as administrator rights by adding the user to the local Administrators group. Click Add User or Group? c. Computers. f. Click OK again to close the rights properties dialog. a. Otherwise it tells you that it cannot find the object and prompts you for an object name again. b. In the right pane. or Groups dialog that opens. expand Local Policies and then click User Rights Assignment. g.. Click OK again to close the "Add User or Group" dialog. 45 . Service Accounts. 4. you can then install Splunk as the desired user. e. Repeat Steps 3a-3g for the following additional rights: • Bypass traverse checking • Log on as a batch job • Log on as a service • Replace a process-level token Once you have completed these steps. Click OK to close the "Select Users?" dialog. Start Local Security Policy by selecting Start > Administrative Tools > Local Security Policy. type in the name of the "Splunk Computers" group you created earlier. then click Check Names. Local Security Policy launches and displays the local security settings. In the Select Users. 2. In the dialog that opens. In the left pane.1. Windows underlines the name if it is valid. click Browse? d..

see "About forwarding and receiving". Unlike Splunk heavy and light forwarders. Any software with a device driver that intermediates between Splunk and the operating system can rob Splunk of processing power. The user you choose has specific ramifications on what you need to do prior to installing the software. Before you install Choose the Windows user Splunk should run as Before installing. Splunk for Windows and anti-virus software Splunk's indexing subsystem requires lots of disk throughput. If you attempt to run the 32-bit installer on a 64-bit system. Important: Running the 32-bit version of Splunk for Windows on a 64-bit Windows system is not recommended.Install on Windows This topic describes the procedure for installing Splunk on Windows with the Graphical User Interface (GUI)-based installer. causing slowness and even an unresponsive 46 . Upgrading? If you are upgrading Splunk Enterprise. review "How to upgrade Splunk" for instructions and migration considerations before proceeding. be aware that Splunk does not support changing the management or HTTP ports during an upgrade. Note: If you want to install the Splunk universal forwarder. More options (such as silent installation) are available if you install from the command line. be sure to read "Choose the Windows user Splunk should run as" to determine which user account Splunk should run as to address your specific needs. which are full Splunk instances with some features changed or disabled. The performance is greatly improved over the 32-bit version. see the Forwarding Data manual: "Universal forwarder deployment overview". and more details can be found there. with its own set of installation procedures. the universal forwarder is an entirely separate executable. In particular. the installer will warn you of this. also in the Forwarding Data Manual. For an introduction to forwarders. We strongly recommend that you run 64-bit Splunk on 64-bit hardware.

Note: By default. 2. The installer runs and displays the Welcome panel. To start the installer. Important: If you choose to run Splunk as another user.msi file. To begin the installation.. that user must: • Be a member of an Active Directory domain (you cannot install Splunk as a local machine account other than the Local System account) 47 . Click Change. click Next. 1. Splunk's installation directory is referred to as $SPLUNK_HOME or %SPLUNK_HOME% throughout this documentation set. This includes anti-virus software.. or click Next to accept the default value. splunkd and splunkweb. These services install and run as the user you specify on this panel. It's extremely important to configure such software to avoid on-access scanning of Splunk installation directories and processes. 4. The installer displays the Destination Folder panel. Read the licensing agreement and select "I accept the terms in the license agreement". You can choose to run Splunk as the Local System user. you can click Next to continue. Splunk installs and runs two Windows services. 3. Splunk gets installed into \Program Files\Splunk on the system drive. double-click the splunk. Click Next to continue installing. Note: On each panel. before starting a Splunk installation. or another user. Back to go back a step. The installer displays the licensing panel. or Cancel to cancel the installation and quit the installer.system. to specify a different location to install Splunk. Install Splunk via the GUI installer The Windows installer is an MSI file. The installer displays the Logon Information panel.

use these instructions to switch to the correct user before starting Splunk. depending on the kinds of data you want to collect from remote machines. 6. Otherwise. 5. If you have not read the above linked topic beforehand. then stop the installation now and read that topic first. Read "Choose the Windows user Splunk should run as" for additional information on these permissions and rights requirements. Note: This must be a valid user in your security context. 48 . and • Have specific user rights. Splunk installs itself as the local system user by default. If desired. Then. 7. the installer displays the Logon Information: specify a username and password panel.• Have local administrator privileges on the machine which you are performing the installation. nor can it start with a machine account that is not the Local System account. You can proceed through the final panel of the installation. but uncheck the "Launch browser with Splunk" checkbox to prevent your browser from launching. If this occurs. Caution: If you specified the wrong user during the installation procedure. check the boxes to Launch browser with Splunk and Create Start Menu Shortcut now. Click Finish. and other additional permissions. Specify a username and password to install and run Splunk and click Next. If you selected the Local System user. Select a user type and click Next. Click Install to proceed. Splunk cannot start without a valid username and password. The installation completes. The installer displays the installation summary panel. and must be an active member of an Active Directory domain. Splunk does not start automatically in this situation. you will see two pop-up error windows explaining this. and Splunk Web launches in a supported browser if you checked the appropriate box. 8. Splunk starts. The installer runs and displays the Installation Complete panel. proceed to Step 7.

remember that anyone who has access to the machine can access your Splunk instance. • Change to the %SPLUNK_HOME%\bin directory. To change the splunk web service port: • Open a command prompt. Be sure to change the admin password as soon as possible and make a note of what you changed it to. Note: If you do not change your password.com • the URL of your Splunk instance Change the Splunk Web or splunkd service ports If you want the Splunk Web service or the splunkd service to use a different port. Avoid IE Enhanced Security pop-ups If you're using Internet Explorer to access Splunk. you can change the defaults. You can do so by entering a new password and clicking the Change password button. Log in using the default credentials: username: admin and password: changeme.Note: The first time you access Splunk Web after installation. login with the default username admin and password changeme. Do not use the username and password you provided during the installation process. The first time you log into Splunk successfully.splunk. add the following URLs to the allowed Intranet group or fully trusted group to avoid getting "Enhanced Security" pop-ups: • quickdraw. you'll be prompted right away to change your password. • Type in splunk set web-port #### and press Enter. or you can do it later by clicking the Skip button. 49 . you can either: • Click the Splunk icon in Start > Programs > Splunk or • Open a Web browser and navigate to http://localhost:8000. Launch Splunk in a Web browser To access Splunk Web after you start Splunk on your machine.

Unlike Splunk heavy 50 . Note: If you want to install the Splunk universal forwarder. If you run the 32-bit installer on a 64-bit system. Splunk will automatically select the next available port. Install on Windows via the command line This topic describes the procedure for installing Splunk on Windows from the command line. Install or upgrade license If you are performing a new installation of Splunk or switching from one license type to another. • Type in splunk set splunkd-port #### and press Enter.To change the splunkd port: • Open a command prompt. the installer will warn you about this. you must install or update your license. or if the default port is unavailable. Before installing. The performance is greatly improved over the 32-bit version. be sure to read "Choose the Windows user Splunk should run as" to determine which user account Splunk should run as to address your specific needs. Important: Running the 32-bit version of Splunk for Windows on a 64-bit Windows system is not recommended. you can find out what comes next. • Change to the %SPLUNK_HOME%\bin directory. Note: If you specify a port and that port is not available. What's next? Now that you've installed Splunk. We strongly recommend that you run 64-bit Splunk on 64-bit hardware. see the Forwarding Data manual: "Universal forwarder deployment overview". if one isn't already. or you can review these topics in the Getting Data In Manual for information on adding Windows data to Splunk: • Monitor Windows Event Log data • Monitor Windows Registry data • Monitor WMI-based data • Considerations for deciding how to monitor remote Windows data.

the universal forwarder is an entirely separate executable. with its own set of installation procedures. Upgrading? If you are upgrading. For an introduction to forwarders. • You want to install Splunk on a system that you will clone later. be sure to read "Choose the Windows user Splunk should run as" to determine which user account Splunk should run as to address your specific data collection needs. Anti-virus software . When to install from the command line? You can manually install Splunk on individual machines from a command prompt or PowerShell window. but don't want it to start right away.can rob Splunk of processing power. • You want to automate installation of Splunk with a script. Splunk for Windows and anti-virus software Splunk's indexing subsystem requires lots of disk throughput. The user you choose has specific ramifications on what you need to do prior to installing the software. also in the Forwarding Data Manual. 51 . review "How to upgrade Splunk" for instructions and migration considerations before proceeding. • You want to use a deployment tool such as Group Policy or System Center Configuration Manager. Here are some scenarios where installing from the command line is useful: • You want to install Splunk. see "About forwarding and receiving". be aware that Splunk does not support changing the management or HTTP ports during an upgrade. Before you install Choose the Windows user Splunk should run as Before installing.and light forwarders. causing slowness and even an unresponsive system.or any software with a device driver that intermediates between Splunk and the operating system . which are full Splunk instances with some features changed or disabled. In particular. and more details can be found there.

Note: The first time you access Splunk Web after installation.> varies according to the particular release. Command line flags allow you to configure Splunk at installation time.msi: msiexec.msi [<flag>]. Install Splunk from the command line You can install Splunk from the command line by invoking msiexec. use splunk-<. [/quiet] The value of <. before starting a Splunk installation. use splunku-<.. Using command line flags. 52 .. for example. Supported flags The following is a list of the flags you can use when installing Splunk for Windows via the command line..exe.>-x86-release.>-x64-release..0-125454-x64-release.It's extremely important to configure such software to avoid on-access scanning of Splunk installation directories and processes.. you can specify a number of settings..) • Whether or not Splunk should start up automatically when the installation is completed.>-x86-release..) • An included application configuration for Splunk to enable (such as the Splunk light forwarder. splunk-5.exe /i splunk-<..msi. log in with the default username admin and password changeme. • Which Windows Management Instrumentation (WMI) data to collect. • The user Splunk runs as (Important: Read "Choose the Windows user Splunk should run as" for information on what type of user you should install your Splunk instance with.exe /i splunk-<..>-x64-release.msi: msiexec. [/quiet] For 64-bit platforms. • Which Windows Registry hive(s) to monitor. including: • Which Windows event logs to index..... For 32-bit platforms..msi [<flag>].

Flag AGREETOLICENSE=Yes|No What it's for Use this flag to agree to the EULA. Use these flags to specify alternate ports for splunkd and splunkweb to use. Splunk will automatically select the next available port. with its own installation flags. Use these flags to specify alternate ports for splunkd and splunkweb to use. Review the supported installation flags for the universal forwarder in "Deploy a Windows universal forwarder from the command line" in the Forwarding Data manual. Use these flags to specify whether or not Splunk should index a particular Windows event log: Application log Security log System log Forwarder log Setup log 53 0 (off) WINEVENTLOG_APP_ENABLE=1/0 WINEVENTLOG_SEC_ENABLE=1/0 WINEVENTLOG_SYS_ENABLE=1/0 WINEVENTLOG_FWD_ENABLE=1/0 WINEVENTLOG_SET_ENABLE=1/0 . This No flag must be set to Yes for a silent installation. Splunk's installation directory is referred to as $SPLUNK_HOME or %SPLUNK_HOME% throughout this documentation set.Important: The Splunk universal forwarder is a separate executable. WEB_PORT=<port number> Note: If you specify a port and that port 8000 is not available. Splunk will automatically select the next available port. Default INSTALLDIR="<directory_path>" C:\Program Files\Splunk SPLUNKD_PORT=<port number> Note: If you specify a port and that port 8089 is not available. Use this flag to specify directory to install.

Use these flags to specify which popular WMI-based performance metrics Splunk should index: CPU usage Local disk usage Free disk space Memory statistics Caution: If you need this instance of Splunk to monitor remote Windows data. then you must also specify the LOGON_USERNAME and LOGON_PASSWORD 54 0 (off) 0 (off) WMICHECK_CPUTIME=1/0 WMICHECK_LOCALDISK=1/0 WMICHECK_FREEDISK=1/0 WMICHECK_MEMORY=1/0 . Note: You can set both of these at the same time. Note: You can set both of these at the same time.Note: You can specify multiple flags. Use this flag to specify whether or not Splunk should index events from REGISTRYCHECK_U=1/0 REGISTRYCHECK_BASELINE_U=1/0 capture a baseline snapshot of the Windows Registry user hive (HKEY_CURRENT_USER). Use this flag to specify whether or not Splunk should index events from 0 (off) REGISTRYCHECK_LM=1/0 REGISTRYCHECK_BASELINE_LM=1/0 capture a baseline snapshot of the Windows Registry machine hive (HKEY_LOCAL_MACHINE).

These specify that this instance of Splunk will function as a light forwarder or heavy forwarder. respectively. SPLUNK_APP="<SplunkApp>" Use this flag to specify an included none Splunk application configuration to enable for this installation of Splunk. Review "Choose the Windows user Splunk should run as" in this manual for additional information about which credentials to use. and additional permissions." LOGON_PASSWORD="<pass>" These flags are required if you want this Splunk installation to monitor any remote data. Currently supported options for <SplunkApp> are: SplunkLightForwarder and SplunkForwarder. Refer to the "About forwarding and receiving" topic in the 55 . The splunkd and splunkweb services are configured with these credentials. Use these flags to provide domain\username and password information for the user that Splunk will run as. Additionally. you must specify the domain with LOGON_USERNAME="<domain\username>" the username in the format none "domain\username. Splunk can not collect any remote data that it does not have explicit access to. For the LOGON_USERNAME flag.installation flags. the user you specify requires specific rights. There are many more WMI-based metrics that Splunk can index. administrative privileges. which you must configure before installation. Read "Choose the Windows user Splunk should run as" in this manual for additional information about the required credentials. Review "Monitor WMI Data" in the Getting Data In Manual for specific information.

Enter the deployment server's none name (hostname or IP address) and port. the installer configures Splunk to start automatically. with its own installation flags. and ignores this flag. To install Splunk with no applications at all. LAUNCHSPLUNK=0/1 FORWARD_SERVER="<server:port>" none DEPLOYMENT_SERVER="<host:port>" Important: If you enable the Splunk Forwarder by using the SPLUNK_APP flag. Use this flag to specify whether or not the installer should create a shortcut to Splunk on the desktop and in the Start 56 1 (on) INSTALL_SHORTCUT=0/1 1 (on) . Important: The full version of Splunk does not enable the universal forwarder.Forwarding Data manual for more information. Important: This flag requires that the SPLUNK_APP flag also be set. The universal forwarder is a separate downloadable executable. Note: If you specify either the Splunk forwarder or light forwarder here. you must also specify FORWARD_SERVER="<server:port>". Specify the server and port of the Splunk server to which this forwarder will send data. Use this flag *only* when you are also using the SPLUNK_APP flag to enable either the Splunk heavy or light forwarder. Use this flag to specify whether or not Splunk should start up automatically on system boot. simply omit this flag. Use this flag to specify a deployment server for pushing configuration updates.

exe /i Splunk. Silent installation To run the installation silently. Silently install Splunk to run as the Local System user msiexec. Launch Splunk in a Web browser To access Splunk Web after you start Splunk on your machine.exe /i Splunk.exe /i Splunk. and run the installer in silent mode msiexec. enable indexing of the Windows System event log. add /quiet to the end of your installation command string. you can either: • Click the Splunk icon in Start>Programs>Splunk or • Open a Web browser and navigate to http://localhost:8000. To do this: when opening a cmd prompt. right click and select "Run As Administrator".msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" LOGON_USERNAME="AD\splunk" LOGON_PASSWORD="splunk123" Enable SplunkForwarder. Then use this cmd window to run the silent install command. 57 . If your system is running UAC (which is sometimes on by default) you must run the installation as Administrator.Menu.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" WINEVENTLOG_SYS_ENABLE=1 /quiet Where "<server:port>" are the server and port of the Splunk server to which this machine should send data.msi /quiet Enable SplunkForwarder and specify credentials for the user Splunk will run as msiexec. Examples The following are some examples of using different flags.

To change the user: 58 .splunk. what comes next? You can also review this topic about considerations for deciding how to monitor Windows data in the Getting Data In manual. What's next? Now that you've installed Splunk. uninstall it and reinstall it. Correct the user selected during Windows installation If you have selected "other user" during the Windows GUI installation. If you have started Splunk. you can find out what comes next. Now that you've installed Splunk. you can go into the Windows Service Control Manager and specify the correct information. If you specified an invalid user during the Windows GUI installation process.Log in using the default credentials: username: admin and password: changeme . you must stop it. Be sure to change the admin password as soon as possible and make a note of what you changed it to. you must install or update your license. add the following URLs to the allowed Intranet group or fully trusted group in IE: • quickdraw. and that user does not exist or perhaps you mistyped the information.com • the URL of your Splunk instance Install or upgrade license If you are performing a new installation of Splunk or switching from one license type to another. you will see two popup error windows. Avoid IE Enhanced Security pop-ups To avoid IE Enhanced Security pop-ups. as long as you have not started Splunk yet.

3. 59 . 5. You can now either start both services from the Service Manager or from the Splunk command line interface. 8. You'll notice that they are not started and are currently owned by the Local System User. 4.1. find the splunkd and splunkweb services. Select the Log On tab. In Control Panel > Administrative Tools > Services. Click Apply. Right click on each service and choose Properties. The properties dialog for that service is displayed. Repeat Steps 2 through 6 for the second service (you must do this for both splunkd and splunkweb). 6. 2. Click OK. 7. Select the This account radio button and fill in the correct domain\username and password.

RedHat RPM install To install the Splunk RPM in the default directory /opt/splunk: rpm -i splunk_package_name.rpm To upgrade an existing Splunk installation that was done in a different directory. use the --prefix flag: 60 . review "How to upgrade Splunk" for instructions and migration considerations before proceeding. see the Forwarding Data manual: "Universal forwarder deployment overview". Linux or Mac OS X Install on Linux You can install Splunk on Linux using RPM or DEB packages. Note: If you want to install the Splunk universal forwarder.Install Splunk Enterprise on Unix. or a tar file. For an introduction to forwarders. use the --prefix flag: rpm -i --prefix=/opt/new_directory splunk_package_name.rpm To upgrade an existing Splunk installation that resides in /opt/splunk using the RPM: rpm -U splunk_package_name. with its own set of installation procedures. the universal forwarder is an entirely separate executable. see "About forwarding and receiving". Unlike Splunk heavy and light forwarders. Upgrading? If you are upgrading. which are full Splunk instances with some features changed or disabled.rpm To install Splunk in a different directory.

rpm -U --prefix=/opt/existing_directory splunk_package_name.rpm

Note: If you do not specify with --prefix for your existing directory, rpm will install in the default location of /opt/splunk. For example, to upgrade to the existing directory of $SPLUNK_HOME=/opt/apps/splunk enter the following:

rpm -U --prefix=/opt/apps splunk_package_name.rpm

If you want to automate your RPM install with kickstart, add the following to your kickstart file:

./splunk start --accept-license ./splunk enable boot-start

Note: The second line is optional for the kickstart file.

Debian DEB install
To install the Splunk DEB package:

dpkg -i splunk_package_name.deb

Note: You can only install the Splunk DEB package in the default location, /opt/splunk.

Tar file install
To install Splunk on a Linux system, expand the tarball into an appropriate directory using the tar command:

tar xvzf splunk_package_name.tgz

The default install directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

tar xvzf splunk_package_name.tgz -C /opt

61

Note: When you install Splunk with a tarball: • Some non-GNU versions of tar might not have the -C argument available. In this case, if you want to install in /opt/splunk, either cd to /opt or place the tarball in /opt before running the tar command. This method will work for any accessible directory on your machine's filesystem. • Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually before installing. • Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

What gets installed
Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

Start Splunk
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information. To start Splunk from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):

./splunk start

By convention, this document uses: • $SPLUNK_HOME to identify the path to your Splunk installation. • $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

62

Startup options The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

$SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option. Launch Splunk Web and log in After you start Splunk and accept the license agreement, 1. In a browser window, access Splunk Web at http://<hostname>:port. • hostname is the host machine. • port is the port you specified during the installation (the default port is 8000). 2. Splunk Web prompts you for login information (default, username admin and password changeme) before it launches. If you switch to Splunk Free, you will bypass this logon page in future sessions.

What's next?
Now that you've installed Splunk, what comes next?

Uninstall Splunk Enterprise
To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in this manual.

Install on Solaris
You can install Splunk on Solaris with a PKG packages, or a tar file. Upgrading? If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding.
63

use the same command line as you would for a fresh install. pkgadd -d ./splunk_product_name. In the default or custom configuration file. leave this blank. This will prevent the upgrade from creating a second splunk package (with instance=unique).pkg 64 .pkg A list of the available packages is displayed. set instance=overwrite. you should use the instance parameter. To upgrade using a custom configuration file. PKG file install The PKG installation package includes a request file that prompts you to answer a few questions before Splunk installs. For information about the instance parameter.pkg You will be prompted to overwrite any changed files. The installer then prompts you to specify a base installation directory. type: pkgadd -a conf_file -d . see the Solaris man page (man -s4 admin). answer yes to every one./splunk_product_name. either in the system's default package installation configuration file (/var/sadm/install/admin/default) or in a custom configuration file that you define and call. PKG file upgrade To upgrade an existing Splunk installation using a PKG file. To upgrade Splunk using the system's default package installation file. or failing (with instance=quit). • Select the packages you wish to process (the default is "all")./splunk_product_name. pkgadd -d . • To install into the default directory.Install Splunk Splunk for Solaris is available as a PKG file or a tar file. /opt/splunk.

you must create the user manually before installing. type: pkgadd -n -d . use the following command: tar xvzf splunk_package_name. you can use the uncompress command instead. • If the gzip binary is not present on your system. This method will work for any accessible directory on your machine's filesystem. What gets installed Splunk package info: pkginfo -l splunk List all packages: 65 . expand the tarball into an appropriate directory using the tar command: tar xvzf splunk_package_name.tar.tar.Z The default install directory is splunk in the current working directory. if you want to install in /opt/splunk. If you want Splunk to run as a specific user.Z -C /opt Note: When you install Splunk with a tar file: • Some non-GNU versions of tar might not have the -C argument available. In this case. To install into /opt/splunk. either cd to /opt or place the tarball in /opt before running the tar command.To run the upgrade silently (and not have to answer yes for every file overwrite). • Splunk does not create the splunk user automatically. • Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.pkg tar file install To install Splunk on a Solaris system./splunk_product_name.

make sure that Splunk has the appropriate permissions to read the inputs that you specify. where: • mysplunkhost is the host machine. 1./splunk start By convention. run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk): . In a browser window. Startup options The first time you start Splunk after a new installation. To start Splunk from the command line interface. If you switch to Splunk Free. • $SPLUNK_HOME/bin/ to indicate the location of the command line interface.pkginfo Start Splunk Splunk can run as any user on the local system. Launch Splunk Web and log in After you start Splunk and accept the license agreement. Splunk Web prompts you for login information (default. access Splunk Web at http://mysplunkhost:port. username admin and password changeme) before it launches. you must accept the license agreement. For more information. you will 66 . Splunk's documentation uses: • $SPLUNK_HOME to identify the path to your Splunk installation. 2. To start Splunk and accept the license in one step: $SPLUNK_HOME/bin/splunk start --accept-license Note: There are two dashes before the accept-license option. refer to the instructions on running Splunk as a non-root user. If you run Splunk as a non-root user. • port is the port you specified during the installation (8000).

bypass this logon page in future sessions. Graphical install 1. or a tar file. • tar file install. If one exists. what comes next? Uninstall Splunk Enterprise To learn how to uninstall Splunk Enterprise.pkg opens. Install on Mac OS You can install Splunk on Mac OS X using a DMG package. use the tar file. 2.pkg. double-click on splunk. A Finder window containing splunk. In the Finder window. Installation options The Mac OS build comes in two forms: a DMG package and a tar file. 67 . Below are instructions for the: • Graphical (basic) and command line installs using the DMG file. The pkg installer cannot install a second instance. review "How to upgrade Splunk" for instructions and migration considerations before proceeding. Note: if you require two installations in different locations on the same host. What's next? Now that you've installed Splunk. Upgrading? If you are upgrading. read "Uninstall Splunk Enterprise" in this manual. it will remove it upon successful install of the second. Double-click on the DMG file.

Click Continue. Click Install. Click Continue. Command line install 1.The Splunk installer opens and displays the Introduction.pkg -target / • To a different disk of partition: 68 . click on the harddrive icon. • To install in the default directory. It might take a few minutes. click Finish. which lists version and copyright information. 7. click Choose Folder. To mount the dmg: hdid splunk_package_name.. 6. If you need to make changes. When your install completes. The installer places a shortcut on the Desktop. 3. The Select a Destination window opens. • Click Change Install Location to choose a new folder. /Applications/splunk..dmg 2. Your installation will begin. • To select a different location. To Install • To the root volume: installer -pkg splunk. Choose a location to install Splunk. or • Click Back to go back a step. 5. The pre-installation summary displays. 4.

where Splunk will be installed in /Applications/splunk.installer -pkg splunk. Start Splunk from the Finder To start Splunk from the Finder. make sure that Splunk has the appropriate permissions to read the inputs that you specify. tar file install To install Splunk on a Mac OS. entitled "Splunk's Little Helper". -target To install into a directory other than /Applications/splunk on any volume.tgz -C /Applications Note: When you install Splunk with a tarball: • Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user. expand the tarball into an appropriate directory using the tar command: tar xvzf splunk_package_name. To install into /Applications/splunk. Click OK to allow Splunk to initialize and set up the 69 . double-click the Splunk icon on the Desktop to launch the Splunk helper application. use the following command: tar xvzf splunk_package_name. you must create the user manually before installing.pkg -target /Volumes\ Disk specifies a target volume. Note: The first time you run the helper application.tgz The default install directory is splunk in the current working directory. • Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed. If you run Splunk as a non-root user. it notifies you that it needs to perform a brief initialization. such as another disk. use the graphical installer as described above. Start Splunk Splunk can run as any user on the local system.

only the helper application. run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk): . the Splunk helper application performs the requested application and terminates. you must accept the license agreement. it displays a dialog that offers several choices: • Start and Show Splunk: This option starts Splunk and directs your web browser to open a page to Splunk Web. This does not affect the Splunk instance itself. • Only Start Splunk: This choice starts Splunk. but does not open Splunk Web in a browser. The Splunk helper application can also be used to stop Splunk if it is already running. 70 . To start Splunk and accept the license in one step: $SPLUNK_HOME/bin/splunk start --accept-license Note: There are two dashes before the accept-license option. • $SPLUNK_HOME/bin/ to indicate the location of the command line interface. You can run the helper application again to either show Splunk Web or stop Splunk. Startup options The first time you start Splunk after a new installation./splunk start By convention. this document uses: • $SPLUNK_HOME to identify the path to your Splunk installation. Once you make your choice. Once the helper application loads. Start Splunk from the command line To start Splunk from the command line interface. • Cancel: Tells the helper application to quit.trial license.

2. Splunk Web prompts you for login information (default. what comes next? Uninstall Splunk Enterprise To learn how to uninstall Splunk Enterprise. What's next? Now that you've installed Splunk. Install on FreeBSD The FreeBSD builds comes in two forms: an installer (5. Upgrading? If you are upgrading. access Splunk Web at http://<hostname>:port • hostname is the host machine. username admin and password changeme) before it launches. 1. Install the port: portsnap fetch update 71 .Launch Splunk Web and log in After you start Splunk and accept the license agreement. Both are gzipped tar (. In a browser window. If you switch to Splunk Free.tgz) files. Prerequisites For FreeBSD 8 . Splunk requires compatibility packages.4-intel) and a tar file (i386). To install the compatibility package: 1. you will bypass this logon page in future sessions. • port is the port you specified during the installation (the default port is 8000). review "How to upgrade Splunk" for instructions and migration considerations before proceeding. read "Uninstall Splunk Enterprise" in this manual.

but this is not explicitly tested.cd /usr/ports/misc/compat7x/ && make install clean 2. tar file install To install Splunk on a FreeBSD system. There are some add-on utilities which try to manage it.1-intel. To upgrade a package on FreeBSD you can either uninstall the prior package. /opt/splunk. If /opt does not exist.1-intel. Add the package: pkg_add -r compat7x-amd64 Basic install To install FreeBSD using the intel installer: pkg_add splunk_package_name-6. If you don't.tgz -C /opt Note: When you install Splunk with a tar file: 72 . since best practices for FreeBSD maintain a small root ("/") filesystem. you might receive an error message.tgz The FreeBSD package system does not have native upgrade support. use the following command: tar xvzf splunk_package_name. To install Splunk in a different directory: pkg_add -v -p /usr/splunk splunk_package_name-6.tgz The default install directory is splunk in the current working directory. and install the new package. Splunk recommends that you create a symbolic link to another filesystem and install Splunk there.tgz Important: This installs Splunk in the default directory. To install into /opt/splunk. you will need to create it prior to running the install command. or you can upgrade the existing installation using a tar file install as below. expand the tar file into an appropriate directory using the tar command: tar xvzf splunk_package_name.

if you want to install in /opt/splunk. either cd to /opt or place the tar file in /opt before running the tar command. reduce the values accordingly.conf kern. What gets installed To see the list of Splunk packages: pkg_info -L splunk To list all packages: pkg_info 73 .max_proc_mmap=2147483647 A restart of the OS is required for the changes to effect. Add the following to /boot/loader. After you install To ensure that Splunk functions properly on FreeBSD.conf: vm.dfldsiz="2147483648" # 2GB machdep.hlt_cpus=0 2. • Splunk does not create the splunk user automatically. Add the following to /etc/sysctl. In this case. you must: 1. If your server has less than 2 GB of memory. This method will work for any accessible directory on your machine's filesystem. you must create the user manually before installing. If you want Splunk to run as a specific user.• Some non-GNU versions of tar might not have the -C argument available.maxdsiz="2147483648" # 2GB kern. • Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

Start Splunk
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. To start Splunk from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):

./splunk start

By convention, this document uses: • $SPLUNK_HOME to identify the path to your Splunk installation. • $SPLUNK_HOME/bin/ to indicate the location of the command line interface. Startup options The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

$SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option. Launch Splunk Web and log in After you start Splunk and accept the license agreement, 1. In a browser window, access Splunk Web at http://<hostname>:port • hostname is the host machine. • port is the port you specified during the installation (the default port is 8000). 2. Splunk Web prompts you for login information (default, username admin and password changeme) before it launches. If you switch to Splunk Free, you will bypass this logon page in future sessions.

74

What's next?
Now that you've installed Splunk, what comes next?

Uninstall Splunk Enterprise
To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in this manual.

Install on AIX
You can install Splunk on AIX using a tar file. Important: The user Splunk is installed as must have permission to read /dev/urando and /dev/random or the installation will fail. Upgrading? If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding.

Install Splunk
The AIX install comes in tar file form. When you install with the tar file: • Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually. • Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed. • We recommend you use GNU tar to unpack the tar files, as AIX tar can fail to unpack long file names, fail to overwrite files, and other problems. If you must use the system tar, be sure to check the output for error messages. To install Splunk on an AIX system, expand the tar file into an appropriate directory. The default install directory is /opt/splunk. For AIX 5.3, check to make sure your service packs are up to date. Splunk requires the following service level:

75

$ oslevel -r 5300-005

Start Splunk
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information. To start Splunk from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):

./splunk start

By convention, this document uses: • $SPLUNK_HOME to identify the path to your Splunk installation. • $SPLUNK_HOME/bin/ to indicate the location of the command line interface. Note: The AIX version of Splunk does not register itself to auto-start on reboot. Startup options The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

$SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option. For more information, refer to "Splunk startup options" in this manual. Launch Splunk Web and log in After you start Splunk and accept the license agreement, 1. In a browser window, access Splunk Web at http://<hostname>:port • hostname is the host machine.
76

• Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed. you will bypass this logon page in future sessions. 2. If you switch to Splunk Free. 77 . GNU tar is a pre-requisite. What's next? Now that you've installed Splunk. When you install with the tar file: • Splunk does not create the splunk user automatically. The default install directory is /opt/splunk. NOTE: The system default tar on HP-UX will not successfully extract the splunk tar. using GNU tar. what comes next? Uninstall Splunk Enterprise To learn how to uninstall Splunk Enterprise. review "How to upgrade Splunk" for instructions and migration considerations before proceeding. If you want Splunk to run as a specific user. Upgrading? If you are upgrading. username admin and password changeme) before it launches.• port is the port you specified during the installation (the default port is 8000). Install on HP-UX You can install Splunk on HP/UX using a tar file. read "Uninstall Splunk Enterprise" in this manual. or you can unpack the tar on another platform. into an appropriate directory. Splunk Web prompts you for login information (default. you must create the user manually. To install Splunk on an HP-UX system. expand the tar file.

1. If you run Splunk as a non-root user. username admin and password changeme) before it launches. Splunk Web prompts you for login information (default. make sure that Splunk has the appropriate permissions to read the inputs that you specify. In a browser window. 2. If you switch to Splunk Free. you will 78 . access Splunk Web at http://<hostname>:port • hostname is the host machine. this document uses: • $SPLUNK_HOME to identify the path to your Splunk installation.Start Splunk Splunk can run as any user on the local system. To start Splunk from the command line interface. Launch Splunk Web and log in After you start Splunk and accept the license agreement. Startup options The first time you start Splunk after a new installation. • port is the port you specified during the installation (the default port is 8000). you must accept the license agreement. Note: The HP-UX version of Splunk does not register itself to auto-start on reboot./splunk start By convention. To start Splunk and accept the license in one step: $SPLUNK_HOME/bin/splunk start --accept-license Note: There are two dashes before the accept-license option. • $SPLUNK_HOME/bin/ to indicate the location of the command line interface. run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk): .

• Bind to the network ports it is listening on (ports below 1024 are reserved ports that only root can bind to).bypass this logon page in future sessions. What's next? Now that you've installed Splunk. You can. Run Splunk as a different or non-root user Important: This topic is for non-Windows operating systems only. Note: In the following examples. read "Choose the user Splunk should run as" in this manual. splunk. however install another utility (such as syslog-ng) to write your syslog data to a file and have Splunk monitor that file instead. 79 . Splunk will only be able to listen on port 514 (the default listening port for syslog) if it is running as root. you need to first install Splunk as root. The following are instructions to install Splunk and run it as a non-root user. before you start Splunk for the first time. Some log files and directories may require root or superuser access to be indexed. • Write to Splunk's directory and execute any scripts configured to work with your alerts or scripted input. read "Uninstall Splunk Enterprise" in this manual. Note: Because ports below 1024 are reserved for root access only. You can run Splunk as any user on the local system. change the ownership of the splunk directory to the desired user. $SPLUNK_HOME represents the path to the Splunk installation directory. Then. To learn how to install Splunk on Windows using a user. Instructions To run Splunk as a non-root user. If you run Splunk as a non-root user. what comes next? Uninstall Splunk Enterprise To learn how to uninstall Splunk Enterprise. make sure Splunk has the appropriate permissions to: • Read the files and directories it is configured to watch.

Refer to your system's man pages for additional information. you can use the sudo command: sudo -H -u splunk $SPLUNK_HOME/bin/splunk start This example command assumes: • If Splunk is installed in an alternate location.1. if you want to start Splunk as the splunk user while you are logged in as a different user. splunk. • Your system may not have sudo installed. If this is the case. For Linux. Create the user and group. Important: Do not start Splunk yet. 3. Start Splunk. and FreeBSD: useradd splunk groupadd splunk For Mac OS: You can use the System Preferences > Accounts panel to add users and groups. As root and using one of the packages (not a tar file). Solaris. update the path in the command accordingly. 2. 4. If your system's chown binary does not support changing group ownership of files. run the installation. Use the chown command to change the ownership of the splunk directory and everything under it to the desired user. $SPLUNK_HOME/bin/splunk start Also. you can use 80 . you can use the chgrp command to do so. chown -R splunk $SPLUNK_HOME Note: You might also need to change the group ownership for files in the Splunk directory.

proc_fork splunk To allow the splunk user to bind to reserved ports on Solaris 10. you must set additional privileges to start splunkd and bind to reserved ports. you must create that user manually. run (as root): # usermod -K defaultpriv=basic.net_privaddr splunk 81 . • The splunk user will need access to /dev/urandom to generate the certs for the product.proc_exec.net_privaddr. run: # usermod -K defaultpriv=basic. Solaris 10 privileges When installing on Solaris 10 as the splunk user. To start splunkd as the splunk user on Solaris 10.su. • If you are installing using a tar file and want Splunk to run as a particular user (such as splunk).

described later in this section. Other start options To accept the license automatically when you start Splunk for the first time. replace $SPLUNK_HOME with C:\Program Files\Splunk if you have installed Splunk in the default location. go to C:\Program Files\Splunk\bin and type: splunk start (For Windows users: in subsequent examples and information. For more information. Using the command line offers more options. read "Hardening Standards" in the Securing Splunk Manual. add the accept-license option to the start command: 82 . To start Splunk: On Windows You can start Splunk on Windows using either the command line.) On UNIX Use the Splunk command-line interface (CLI): $SPLUNK_HOME/bin/splunk start Splunk then displays the license agreement and prompts you to accept before the startup sequence continues. you should take a few moments to make sure that Splunk and your data are secure.Start using Splunk Enterprise Start Splunk for the first time Important: Before you begin using your new Splunk upgrade or installation. or the Windows Services Manager. You can also add %SPLUNK_HOME% as a system-wide environment variable by using the System Properties dialog's Advanced tab. In a cmd window.

• Splunk answers yes to any yes/no question. Starting splunkweb.$SPLUNK_HOME/bin/splunk start --accept-license The startup sequence displays: Checking prerequisites.. All preliminary checks passed. If you run start with all three options in one line. Checking index directory. Splunk proceeds with startup and automatically answers "yes" to all yes/no questions.. Starting splunkd. sampledata. _thefishbucket. Verifying databases. and quits. Then. The Splunk web interface is at http://<hostname>:8000 Note: If the default ports are already in use (or are otherwise not available). splunklogger. summary Checking index files All index checks passed. main. Checking http port [8000]: open Checking mgmt port [8089]: open Verifying configuration. 83 . history.. • Splunk quits when it encounters a non-yes/no question. Verified databases: _audit. why it is quitting... it displays the question. Finished verifying configuration. _internal. Splunk displays the question and answer as it continues.. You can either accept this option or specify a port for Splunk to use.. Splunk Server started.. • If you run SPLUNK_HOME/bin/splunk start --answer-yes. for example: $SPLUNK_HOME/bin/splunk start --answer-yes --no-prompt --accept-license • Splunk does not ask you to accept the license... This may take a while. Splunk will offer to use the next available port... There are two other start options: no-prompt and answer-yes: • If you run $SPLUNK_HOME/bin/splunk start --no-prompt. Splunk proceeds with startup until it requires you to answer a question. _blocksignature.

admin Password . here are some links to get you started: 84 .changeme Splunk Free does not have access controls. refer to the CLI help page: $SPLUNK_HOME/bin/splunk help start Launch Splunk Web Navigate to: http://mysplunkhost:8000 Use whatever host and port you chose during installation. What happens next? Now that you've got Splunk installed on one server. The objects include: • splunkd. Splunk's Web interface process. • splunkweb. the default login details are: Username . For example. the Splunk server daemon.Start and disable individual processes You can start and stop individual Splunk processes by adding the process as an object to the start command. The first time you log in to Splunk Enterprise. to start only splunkd: $SPLUNK_HOME/bin/splunk start splunkd To disable splunkweb: $SPLUNK_HOME/bin/splunk disable webserver For more information about start.

Splunk also understands that use of a GUI is occasionally preferred. Accessibility of Splunk Web and the CLI The Splunk command line interface (CLI) is fully accessible. • Add and manage users. or mobility restrictions). • Learn how to search. This topic discusses how Splunk addresses accessibility within the product for users of AT. from gigabytes to terabytes per day. Splunk + WebSphere). • Plan your Splunk deployment. and includes a superset of the functions available in Splunk Web. go to Splunk Web and select the app in Launcher to go directly to the app?s setup page. search for the app name on Splunkbase. report. • Form fields are consistently and appropriately labeled. The CLI is designed for usability for all users. and Splunk therefore recommends the CLI for users of AT (specifically users with low or no vision. both in accordance with Section 508 of the United States Rehabilitation Act of 1973. and ALT text describes functional elements and images. • Estimate how much space you will need to store your Splunk data. monitor. If you downloaded Splunk packaged with an app (for example. regardless of accessibility needs. As a result. even for non-sighted users. Splunk Web is designed with the following accessibility features: • Form fields and dialog boxes have on-screen indication of focus. 85 . buttons or other elements that do not have browser-implemented visual focus. To see more information about the setup and deployment for a packaged app. • No additional on-screen focus is implemented for links. and how it's different. Learn about Splunk's accessibility Splunk is dedicated to maintaining and enhancing its accessibility and usability for users of assistive technology (AT). as supported by the Web browser.• Learn what Splunk is. and in terms of best usability practices. and more • One of Splunk's biggest differences from traditional technologies is that it classifies and interprets data at search-time. Learn what this means and how to use it. what it does. • Learn how to add your data to Splunk.

• Splunk does not override user-defined style sheets. Close the Keyboard preferences dialog. In the menu bar. use system preferences instead of browser preferences. using real-time search causes the page to update. click [Apple icon]>System Preferences>Keyboard to open the Keyboard preferences dialog. 2. • Most data tables implemented with HTML use headers and markup to identify data as needed. where it says Full Keyboard Access. Real-time search is easily disabled. However. 3. either at the deployment or user/role level. such that information conveyed with color is available without color. Accessibility and real-time search Splunk Web does not include any blinking or flashing components. 86 . For greatest ease and usability. Underlying data output in comma separated value (CSV) format have appropriate headers to identify data. • Data visualizations in Splunk Web have underlying data available via mouse-over or output as a data table. In the Keyboard preferences dialog. click the All controls radio button. click the Keyboard Shortcuts button at the top. • Data tables presented using Flash visually display headers. 4. If Firefox is already running. exit and restart the browser. Keyboard navigation using Firefox and Mac OS X To enable Tab key navigation in Firefox on Mac OS X. 5. Near the bottom of the dialog. Refer to "How to restrict usage of real-time search" in the Search Manual for details on disabling real-time search. To enable keyboard navigation: 1. Splunk recommends the use of the CLI with real-time functionality disabled for users of AT (specifically screen readers).

Install a Splunk Enterprise license About Splunk licenses Splunk takes in data from sources you designate and processes it so that you can analyze it in Splunk. pools. begin by reading: • "How Splunk licensing works" in the Admin Manual. For information about the indexing process. 87 . 2. Install a license This topic discusses installing new licenses. refer to "What Splunk does with your data" in the Getting Data In Manual. you may want to review these topics: • Read "How Splunk licensing works" in the Admin Manual for an introduction to Splunk licensing. Before you proceed. stacks. Add a new license To add a new license: 1. For more information about Splunk licenses. and other terminology" in the Admin Manual for more information about Splunk license terms. • "Types of Splunk licenses" in the Admin Manual. • "More about Splunk Free" in the Admin Manual. Navigate to Settings > Licensing. Splunk licenses specify how much data you can index per day. We call this process indexing. Click Add license. • Read "Groups.

To obtain a reset license. you will get a violation warning. Note: Summary indexing volume is not counted against your license. The message persists for 14 days. If you get a violation warning.3.. or when you apply a temporary reset license (available for Enterprise only). Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days. Either click Choose file and navigate to your license file and select it. you must restart Splunk. or click copy & paste the license XML directly. During a license violation period: 88 . If this is the first Enterprise license that you are installing. 4. Your license is installed. contact your sales rep. and paste the text of your license file into the provided field. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period. you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30-day period.. License violations Violations occur when you exceed the maximum indexing volume allowed for your license. you are in violation of your license and search will be disabled. Click Install. If you exceed your licensed daily volume on any one calendar day.

More licensing information is available in the "Manage Splunk licenses" chapter in the Admin Manual. This means that you can still access the Indexing Status dashboard or run searches against _internal to diagnose the licensing problem.• Splunk does not stop indexing your data. • Searches to the _internal index are not disabled. Got license violations? Read "About license violations" in the Admin Manual or "Troubleshooting indexed data volume" from the Splunk Community Wiki. 89 . Splunk only blocks search while you exceed your license.

What's new and awesome in 6. 90 . or other means. When backing up your Splunk data. you upgrade Splunk by installing the latest package over your existing installation. You can manage your risk by using technology that allows you to restore your Splunk install and data to a state prior to the upgrade. Review the known issues in the Release Notes for a list of issues and workarounds in this release. as well as any indexes outside of it. the installer package detects when you have a version installed and offers to upgrade it for you.0? Read "Meet Splunk 6. consider the $SPLUNK_HOME directory. Always back up your existing deployment first Get into the habit of backing up your existing deployment before any upgrade or migration. whether you use external backups.0.Upgrade or migrate Splunk Enterprise How to upgrade Splunk This topic discusses how to upgrade Splunk and its components from one version to another. be sure to upgrade it using an administrative level account.0" in the Release Notes for a full list of the new features we've delivered in 6. In many cases. read the topics "Back up configuration information" in the Admin Manual and "Back up indexed data" in the Managing Indexers and Clusters Manual. On Windows systems. disk or file system snapshots. For more information about backing up your Splunk deployment. Note: When upgrading Splunk.

FreeBSD.0 and later to version 6.3 first before attempting an upgrade to 6. If you are running a version of Splunk earlier than 4. HP-UX.0 on Linux. read about important migration information before upgrading Important: Before upgrading.0 from versions older than 4. Read "Upgrade your clustered deployment" in the Managing Indexers and Clusters Manual for specific details.0. Solaris.3 is not officially supported. read the rest of this topic first before proceeding with the installation instructions linked below. • Upgrade to 6.0. be sure to read "Upgrade your distributed environment" in the Distributed Deployment Manual for guidance on how to do so with minimal impact.0.0: READ THIS FIRST" for specific migration tips and information that might affect you. master nodes.3 READ THIS FIRST" for specific details on how to upgrade to version 4. 91 . Upgrade from 5. Upgrade distributed deployments If you're planning to upgrade your distributed Splunk environment.0 or later. you must upgrade all nodes (including search heads.0 and later Splunk supports a direct upgrade from versions 5. If you plan to upgrade your clustered environment. Read "About upgrading to 4.3 Splunk also supports a direct upgrade from version 4.0 on Windows Upgrade from 4.3.3 and later to version 6. Upgrade clustered environments Important: All nodes of a clustered Splunk environment must run the same version of Splunk. AIX. Upgrading directly to 6. and MacOS • Upgrade to 6. If you're upgrading from 5.3.Then. be sure to read "About upgrading to 6. and peer nodes) in the cluster at the same time. then you should upgrade to 4.

please check Splunk Apps to confirm that your apps are compatible with Splunk Enterprise 6. the way you do things in Splunk Web on version 6 has changed from how you would do things in previous versions of the product.0.0 is the new user interface.0. • From version 4. be sure to read the appropriate upgrade topic for your operating system: • Upgrade the Windows universal forwarder • Upgrade the Unix universal forwarder To learn about interoperability and compatibility between indexers and universal forwarders. but here are a few things you should be aware of when installing the new version: You want to know this stuff We have changed the Splunk Enterprise user interface.0. 92 . • From version 4. Important: Not all Splunk apps and add-ons are compatible with Splunk Enterprise 6.3 and later is pretty simple.0. To that end. If you are considering an upgrade to this release.significantly One of the biggest and most important things that you will notice after you upgrade to version 6. read "Indexer and universal forwarder compatibility" in the "Deployment Overview" topic of the Forwarding Data manual. We have transformed how you access Splunk through Splunk Web.0 from 4.0 .3 or later directly to 6.3 or later to 5.0. Splunk Enterprise supports the following upgrade paths to Version 6.0 of the software: • From version 5..Upgrade universal forwarders Upgrading universal forwarders is a different process than upgrading full Splunk. Upgrading to 6.0 or later to 6. About Upgrading to 6.. and then from version 5.0 from an earlier version.0. Before upgrading your universal forwarders.READ THIS FIRST This topic contains some important information and tips that you should read before upgrading to version 6.0 or later to 6.

is now known as Home. make sure you have enough free space on the volume(s) that contain Splunk indexes and search dispatch 93 .0. Read "Upgrade your clustered deployment" in the Managing Indexers and Clusters Manual for specific details. We have changed a number of the Splunk terms that you've come to know Along with a changed user interface. • For an introduction on how to access Splunk Web using the new interface. read "How Splunk Web procedures have changed from version 5 to version 6" in this manual. be sure to read "Changes for Splunk app developers" to find out how to build or migrate your existing apps to work properly with version 6. Splunk's main configuration interface. Before you upgrade. We have changed some application development parameters and procedures If you develop any type of Splunk app. If you plan to upgrade your clustered environment. We have increased the default amount of required available disk space for indexing and searching Prior to version 6.• For a list of some of the things that have changed in Splunk Web. • "TSIDX stats" are now known as indexed field statistics. • Launcher. • Saved searches are now known as reports. When you upgrade. you must upgrade all nodes (including search heads. • A saved search with an alert is now known as an alert. master nodes. Splunk raises this default requirement to 5 gigabytes. the default amount of free space Splunk needed to index and search was 2 gigabytes. and peer nodes) in the cluster at the same time. is now known as Settings. Other notable changes Upgrade all nodes in a clustered environment at the same time All nodes of a clustered Splunk environment must run the same version of Splunk. check out the updated Splunk Search Tutorial. we've also changed a number of the terms you've been used to when using Splunk. the initial menu you see when you run Splunk. Here's a list of some of them: • Manager.

directories to ensure uninterrupted index and search operation. We have reduced the maximum real-time search multiplier attribute in limits.conf: Number of CPU cores * max_searches_per_cpu + base_max_searches * max_rt_search_multiplier The max_rt_search_multiplier attribute's default value was 3. In Splunk version 5. When you upgrade.conf after the upgrade. you might notice that Splunk uses up to an additional 7 percent of available disk space on the server which hosts that index.conf will no longer function for any new sourcetypes defined for structured data extraction.x. based on attributes from limits. read "Extract data from files with headers" in the Getting Data In Manual. When you upgrade. Splunk no longer uses CHECK_FOR_HEADER for field extraction from structured data files The deprecated CHECK_FOR_HEADER attribute in props. you used to be able to run a number of searches equal to the following formula. we have extended the retention period of the _internal index from 28 days to 30 days. when you upgrade. This change does not impact structured data definitions created prior to the upgrade . This means that. Splunk reduces the default value to 1. This means that your real-time search capacity will be effectively reduced by 66% unless you reset this attribute by editing a copy of limits. For information on Splunk's new structured data field extraction capabilities. attempts to use CHECK_FOR_HEADER will result in Splunk logging an error and disabling the associated definition. We have extended the _internal index's retention period In an effort to provide better statistics on license usage. 94 .those definitions will continue to work with the CHECK_FOR_HEADER attribute.conf We have reduced how many real-time searches a Splunk system can run by default.

This is because Splunk assigns each view state a module ID. some dashboards will display visible axis titles which did not exist prior to the upgrade. to set these default time ranges. and the default view loads when you use the upgraded version.cfg. Selecting the time range in the time range picker in a view will no longer have any affect. Splunk does not preserve the view state through the upgrade. you must now set it in instance. We have changed how you set the default search time range Prior to version 6.The "Results Display Option" dialog for search queries does not retain changes through an upgrade If you make changes to the results display options for a given search query in version 5. To learn how to use this file to set time ranges. View states do not persist during the upgrade If you make a change to a view state (such as adjusting the number of items to show per page in the flash timeline) and then upgrade Splunk.0. ui-prefs.conf. Once you upgrade. Splunk does not retain those choices through an upgrade. you could set the default search time range by selecting the desired entry in the flash timeline. 95 . In Splunk 6. read "Change the default selected time range" in the Search Manual. you must use a configuration file. Some upgraded dashboards display visible axis titles where they did not before When you upgrade. use the visualizations editor to remove the titles. which changes when you modify the view state's XML (by modifying the view). You must make those changes again after the upgrade is complete. instead of setting the GUID in server.conf. To address the issue.x. The configuration location for globally unique identifiers (GUIDs) has changed We have changed the location for the configuration of GUIDs for Splunk instances.

Here's an example: [monitor:///a/directory] whitelist = unclosed[class This stanza is invalid because the whitelist attribute has an invalid value assigned to it (the "unclosed[class" regular expression is missing the right bracket (])). To prevent this warning from occurring. Notable changes for those upgrading directly from version 4.conf to ensure that all your monitoring stanzas have valid values before starting the upgrade.0.3 to version 6 We have changed how Splunk handles invalid regular expressions in monitoring stanza filters For versions 5. In version 5. In version 5. instead of ignoring only the filter attribute with the invalid regular expression.2 and earlier.3.3 and later. you can use this attribute in any [<sourcetype>] stanzas as well. including version 4. This means that Splunk will not monitor whatever data that stanza references until you fix the error and restart Splunk.In props. 96 . Splunk ignores the [monitor:///a/directory] stanza.conf.Ignoring regular expression 'your_regex' in stanza 'your_stanza' due to 'error_message'.conf. Splunk warns you of any invalid regular expressions it detects. Splunk monitors the files in /a/directory while ignoring the whitelist attribute.Invalid regular expression: 'your_regex' in stanza 'your_stanza' due to: error_message.log. whitelist or blacklist) in a monitoring stanza. and prompts you to fix them before attempting to complete the migration. including version 6. When you upgrade.3 and later of Splunk.0. TailingProcessor .0. ignoring this stanza. check inputs. If you supply an invalid regular expression for a filter attribute (for example. logs an error in splunkd.0.0. the initCrcLength attribute is now valid for sourcetype stanzas Prior to Splunk 6. Now. you could only use the initCrcLength attribute in a [source::<source>] stanza type. Splunk now ignores the entire stanza as being invalid. we've changed how Splunk deals with improperly formatted regular expressions in monitoring stanza filter attributes in inputs. and does not monitor the files in /a/directory: TailingProcessor .

it might be removed in a future version.3 to version 6. This means that although it continues to function in version 6. but we include it here for users who plan to upgrade directly from version 4. Note: This change was originally introduced in Splunk 5. Forwarding method now defaults to auto-loadbalancing Splunk 6. but we include it here for users who plan to upgrade directly from version 4.0. This means that PDF printing no longer requires a Linux Splunk instance. As an alternative. • Use the auditd daemon on *nix systems and monitor output from the daemon.0 now makes auto-load balancing the default method of forwarding data to multiple indexers at one time. There are some things to pay attention to when upgrading.3 to version 6. Note: This change was originally introduced in Splunk 5.Note: This change was originally introduced in Splunk 5. but we include it here for users who plan to upgrade directly from version 4.3 did when monitoring files.0 of Splunk. 97 .0 of Splunk comes integrated PDF printing.0.0. We have deprecated the fschange monitor We have deprecated the fschange monitor input.0.3 to version 6. Splunk now offers integrated PDF printing With version 6.0.0 uses more file descriptors on *nix filesystems than version 4.particularly with regards to views that contain Advanced XML.0.0.3 to version 6. but we include it here for users who plan to upgrade directly from version 4.2. Splunk uses more *nix file descriptors Splunk 6.0. Additional information can be found in "Generate PDFs of your reports and dashboards" in the new Reporting Manual. Note: This feature was originally introduced in Splunk 5. however . you can: • Learn how to monitor file system changes on Windows systems.

there should be no impact to your configuration by this change. is now modular.0. 98 .conf.0. disk I/O) when they run. This helps increase its efficiency and removes the limit of 64 concurrent Event Log channels. we suggest that you review any .0. Be sure to read "Workaround for Windows universal forwarder enabling inputs unexpectedly on installation or upgrade" in the Release Notes for a fix to this specific issue.3 or 5 to Version 6 can result in the unexpected collection of Windows data. Since the Windows Event Log input already uses inputs.Before you upgrade. The Windows Event Log input is now modular and has additional filtering capabilities The Windows event log input gets two new improvements: • The input.conf files post-upgrade as a precautionary measure. However. which until now had its own input processor. but we include it here for users who plan to upgrade directly from version 4.0. which can impact your licensing volume. Note: This change was originally introduced in Splunk 5. Splunk's database consistency checking utility (fsck) might use more system resources (in particular. Note: This change was originally introduced in Splunk 5. • Additionally. but we include it here for users who plan to upgrade directly from version 4. upgrading a Splunk universal forwarder from Versions 4.3 to version 6. particularly if bloom filters are being created at the same time. Splunk's database-checking utility might use more resources After you upgrade to 6.0. Windows-specific changes Upgrading a Windows universal forwarder can result in the collection of unwanted data under certain conditions Under certain conditions. consider increasing the number of open file descriptors your system can use with the ulimit command.3 to version 6. the input receives several new attributes which allow you to filter events based on their Windows Event IDs and suppress event log text.

There are also certain situations where, if you use a deployment server to control configurations, some versions of universal forwarder might collect duplicate events. See "Upgrade deployment servers and installed apps that use 6.0 stanzas might generate duplicate events" below for additional information. Upgraded deployment servers and installed apps that use 6.0 stanzas might generate duplicate events In order to maintain interoperability, Splunk does not remove an old-style Windows Event Log stanza during an upgrade to version 6. Instead, it notifies you that you need to remove them yourself manually. This is particularly important for deployment servers or universal forwarders that host apps that use 6.0 style configuration file stanzas. When you upgrade, if you do not remove the old-style stanzas, Splunk might generate duplicate events. Splunk on Windows introduces three new inputs: Host, printer, and network monitoring New for version 6.0, Splunk introduces three new Windows-only modular inputs: Host monitoring, print monitoring, and network monitoring. Host monitoring allows you to collect information about a Windows system, including operating system build and version, system architecture and memory, running processes and services, and installed applications. Print monitoring lets you gather information on your printer subsystem, including installed printers, print drivers and ports, and also allows you to check print jobs. Network monitoring lets you collect information on the configuration and status of the networking subsystem on Windows computers. For additional information on these three new inputs, read the following topics in the Getting Data In Manual: • Monitor Windows host information • Monitor Windows print subsystem information • Monitor Windows network information Windows users now have a file monitoring input that does not use file handles

99

On Windows instances of Splunk only, a new file monitoring input, MonitorNoHandle allows users to monitor files without using system file handles. This addresses problems with cases where a file handle prevents a file from being closed properly, such as what occurs with Microsoft's DNS server logs when the DNS server attempts to roll them. The MonitorNoHandle input is only accessible by editing inputs.conf. You cannot enable this input with Splunk Web. The Windows Registry and Active Directory inputs are now modular In our ongoing efforts to streamline configuration files, we have made the Windows Registry monitor and Active Directory inputs modular. This means that, among other things, instead of using separate configuration files, these inputs now use inputs.conf for configuration. When you upgrade, settings will get migrated from the existing configuration files to inputs.conf. Splunk will migrate the following files during the upgrade: • Registry monitoring: regmon-filters.conf • Active Directory: admon.conf What happens after you upgrade: • Registry monitoring stanzas will appear in inputs.conf as [WinRegMon://<stanza name>]. • Active Directory stanzas will appear in inputs.conf as [admon://<stanza name>]. Be sure to review the updates to inputs.conf after the upgrade is complete. Active Directory monitoring time formats have changed The time stamp format that Splunk's Active Directory monitoring input logs in has changed. In Splunk 6.0 and later, AD monitoring inputs log events as follows:
pwdLastSet=07:03.12 pm, Mon 04/30/2012

If you use Active Directory monitoring inputs, you might be impacted by this change after you upgrade, particularly if you have configured alerts that rely on the old time stamp format.

100

No support for enabling Federal Information Processing Standards (FIPS) after an upgrade There is no supported upgrade path from a Splunk 5.x system with enabled Secure Sockets Layer (SSL) certificates to a Splunk 6.0 system with FIPS enabled.

How Splunk Web procedures have changed from version 5 to version 6
This topic lists some of the major differences in the way you accomplish tasks in Splunk Web from previous versions to version 6.

What's changed?
The table below shows the major differences in Splunk Web process from previous versions of Splunk to version 6. Procedure/Task How you used to do it How you do it now In 6.x, Splunk launches with Home. In Home, you can access Apps directly, Add data, or access the Manage data page.

In 5.x, the Splunk launcher has two tabs: Welcome and First time login to Splunk Splunk Home. In Welcome, you can Add data and Launch search app.

Returning to Home

In 6.x, you click the In 5.x, to return to Splunk logo in the Home/Welcome you upper left of the selected the Home app from navigation bar. Doing the App menu. so always returns you to Home. In 5.x you accessed your account information (change full name, email address, default app, timezone, password) under Manager > Users and authentication > Your account.
101

Edit account information

In 6.x, you access it directly from the Splunk navigation under Administrator > Edit account.

x. community apps Search/? 5. you can only view the timeline if you're looking at the Events tab after you run a search. Search Reports Dashboards In the navigation bar.0. and how to migrate any existing apps to work with the new version. create a new app.Logout from Splunk In 5. you edited all objects and system configurations from the Manager page or from the "Administrator" link on the navigation bar. In 6. you use the App menu on the navigation bar or the options under the App panel from Home. When users upgrade to version 6 of Splunk: 102 . you access these configurations directly from the Settings menu. You can hide the timeline. the timeline was always visible as part of the dashboard after you ran a search.x. you select "Triggered Alerts" In 6.x. Find the timeline Changes for Splunk App developers If you develop apps for Splunk. Apps or selected from the or browse Splunkbase for App menu. We have removed support for FlashCharts in simple XML dashboards We no longer support using FlashCharts in simple XML dashboards. There is no separate Manager page.x. In 5. you clicked the "Logout" button on the navigation bar.x Summary.x -> 6.x. This change provides a more consistent dashboard user experience for iOS devices and when users need to create PDFs.x. Manager/Settings Manage Apps: Edit permissions for installed In 5.x. you selected "Alerts". read this topic to find out what changes we've made to how Splunk works with apps in version 6. In 5. Search Searches & Reports Dashboards & Views Find the list of alerts In the navigation bar. you used Manager -> apps.x. In 6. you select Administrator -> Logout In 6.

We have made changes to support for custom JavaScript and CSS Version 6 of Splunk gets a refactored rendering engine.0 can no longer be customized. • Users will need to manually migrate these chart options to the simple XML view configuration.0 now constrains AppBar customization to: color To set a color in the AppBar. • Users that are interested in persistence should save this in simple XML (<option name=height>300px</option>) We no longer allow Splunk's Search page to be restyled The new Search page in Splunk 6. • In addition. 103 .css files use no longer work after users upgrade. Splunk 6. dynamic chart resizing no longer persists beyond the page view. and as a result. as it does not load any custom JavaScript or CSS. logo If no logo file is found. edit the navigation menu default. but note that Splunk might render some charts differently in version 6.js and application. many of the function calls that the application. <nav color="#0072C6">).• Splunk will silently ignore any charting options that previously triggered the rendering of FlashCharts. We no longer support viewstates in simple XML We have removed Splunk's capability to support view states in simple XML.0 as a result. • No actionable requirement here. the app name is displayed instead. We have added restrictions to how you can style the AppBar For consistency between apps. This means that. when users upgrade: • Any chart options that were saved in viewstates will no longer be layered in dashboard rendering.xml (for example.

we now prohibit JavaScript within the default. While the product still contains Flash timeline. • You can control the loading of specific JavaScript and CSS files within the configuration of each simple XML dashboard.js stylesheet=my_stylesheet. • This includes references within navigation menu's default. and data models packaged within your app. We provide this access through via new listing pages for each of these objects (dashboards.xml file for dashboard navigation menus We no longer allow JavaScript to run in a dashboard's navigation menu. as well as dashboard. We have made new global pages available to add to your app Splunk 6. reports.js and application. when users upgrade: • Any app that has packaged the "Create new dashboard. • Instead. Splunk now has a new "search" view page Splunk 6.css automatically.css for Splunk 6.xml.css>). simple XML dashboards in Splunk 6 load dashboard. 104 .css for previous versions of Splunk. • This design approach allows you to use application. • It also includes references within any dashboard views (mainly for linkView options).0 introduces a new search page "search" as a replacement to the existing Flash timeline.• For app backward compatibility.js and dashboard. alerts. • You should remove this from your default. You control this using the top-level attributes (<dashboard script=my_script.js and application.. data_models). This means that. you should change all references to flashtimeline within an app to "search" instead.0. edit your navigation menu's default.xml configuration. For security purposes.0 and later. in Splunk 6.0 provides easier access to reports. • To add these views. dashboards.xml.. alerts.css automatically." link within their navigation menu (like the old search app) will find this to no longer work in Splunk 6. simple XML dashboards no longer load application.js and dashboard.

Splunk looked in $SPLUNK_HOME/etc/apps/<your_app>/appserver/static. splunkd now checks the inputs at specific intervals. In version 6. We have changed where Splunk looks for the icon files In versions of Splunk prior to 6.meta. To do this.meta with the object name [html]. edit default. We have introduced "Data Models" Splunk 6. and now supports dashboard views written entirely in HTML (by leveraging the new splunkjs library). and target specific apps. package them within $SPLUNK_HOME/etc/apps/<app_name>/default/data/models We have made changes to how Splunk works with custom HTML dashboards Splunk 6. You can choose whether or not you want to refactor your script to use this interval support.0 has added knowledge objects to be included in default.xml.xml and add the target view (<nav search_view="search">). You can add custom HTML dashboards by packaging them within $SPLUNK_HOME/etc/apps/<app_name>/default/data/ui/html and referencing them in default. To add data models to your apps. We have added interval support for modular inputs Prior to version 6.We have added the ability to run search queries from the Home page for your app Splunk 6. You can allow end-users to directly target your app by configuring your app's navigation menu default.0 introduces data models that you can package within your apps. When users Splunk then looks in $SPLUNK_HOME/etc/apps/<your_app>/static. 105 .0. Splunk invoked any configured modular inputs when the Splunk daemon started. upgrade.0 enables end-users to run a search query from within the Home page.

must be no more than 40 pixels (80 pixels for the high resolution version). 106 . • The file names for these higher-resolution icons and logos must be appLogo_2x. but: ♦ Its height. however. • Your application logo has the following additional specifications: ♦ The background must be transparent. square or round.png and appIcon_2x. some leeway to go into the margin area. particularly if the logo has any bits that stick up or down or it's particularly complex. ♦ There is. you must now use higher resolution icons and/or logos alongside the standard size icons and logos. there must be a margin of at least 10 pixels on the top and bottom sides (20 pixels for the high resolution version) which leaves a maximum of 20 pixels of height available for your logo. • When packaging your application icons and logos.We now require higher-resolution application logos and icons In order to support displays with pixel density ratio of greater than 1:1 (as is the case for systems like the MacBook Pro with Retina Display). ♦ Its width can vary.png. ♦ Within this 40-pixel limit. with margins. put them in $SPLUNK_HOME/etc/apps/<app_name>/static.

3.x or 5. 107 .0 on UNIX This topic describes the procedure for upgrading your Splunk instance from versions 4.Upgrade to 6.0.x or later to 6.0.

x and later.Before you upgrade Make sure you've read this information before proceeding. including Splunk configurations. Use GNU tar (gtar) to avoid this problem. read "Back up configuration information" in the Admin manual. Note: AIX tar will fail to correctly overwrite files when run as a user other than root. Execute the $SPLUNK_HOME/bin/splunk stop command. You can run the migration preview utility at that time to see what will be changed before the files are updated. a file containing the changes that the upgrade script proposes to make is written to $SPLUNK_HOME/var/log/splunk/migration. This overwrites and replaces matching files but does not remove unique files. 2. just reinstall it.3. 108 . install the Splunk package over your existing Splunk deployment: • If you are using a . For information on backing up configurations.log. Splunk does not provide a means of downgrading to previous versions. To upgrade and migrate from version 4. How upgrading works After performing the installation of the new version. If you choose to view the changes before proceeding. and binaries. Important: Make sure no other processes will start Splunk automatically (such as Solaris SMF). we strongly recommend that you back up all of your files. Splunk does not actually make changes to your configuration until after you restart it.<timestamp> Steps for upgrading 1.tar file. indexed data. For information on backing up data. as well as the following: Back your files up Before you perform the upgrade. expand it into the same directory with the same ownership as your existing Splunk instance. read "Back up indexed data" in the Managing Indexers and Clusters Manual. if you need to revert to an older Splunk release.

Deprecated configuration files will be renamed with a .dmg file (on Mac OS X). Note: You can complete Steps 3 to 5 in one line: To accept the license and view the expected changes (answer 'n') before continuing the upgrade: 109 . If you choose to view the expected changes. the script provides a list. run $SPLUNK_HOME/bin/splunk start again.deprecated extension.rpm • If you are using a . The following output is displayed: This appears to be an upgrade of Splunk. Splunk's installer will automatically update and alter your current configuration files. Execute the $SPLUNK_HOME/bin/splunk start command. choose 'n'. To finish upgrading to the new version. double-click it and follow the instructions. Perform migration and upgrade without previewing configuration changes? [y/n] 4. Once you've reviewed these changes and are ready to proceed with migration and upgrade. 5. choose 'y'. or proceed with the migration and upgrade right away. Be sure to specify the same installation directory as your existing installation. such as RPM. You can choose to preview the changes that will be made to your configuration files before proceeding with the migration and upgrade: If you want to migrate and upgrade without previewing the changes that will be made to your existing configuration files. -------------------------------------------------------------------------------Splunk has detected an older version of Splunk installed on this machine. If you want to see what changes will be made before you proceed with the upgrade. Choose whether you want to run the migration preview script to see what changes will be made to your existing configuration files.• If you are using a package manager. 6. type rpm -U splunk_package_name. 3.

0.0 on Windows This topic describes the procedure for upgrading your Windows Splunk instance from versions 4. just reinstall it. If you do not specify the same user. if you need to revert to an older Splunk release. 110 . indexed data and binaries. use these instructions to switch to the correct user before starting Splunk. including Splunk configurations. as well as the following: Make sure you specify the same domain user When upgrading. we strongly recommend that you back up all of your files. If you accidentally specify the wrong user during your installation. you must explicitly specify the same domain user that you specified during first time install. Before you upgrade Make sure you've read this information before proceeding. Don't change the ports Splunk does not support changing the management port and/or the HTTP port when upgrading.x and later to 6.$SPLUNK_HOME/bin/splunk start --accept-license --answer-no To accept the license and begin the upgrade without viewing the changes (answer 'y'): $SPLUNK_HOME/bin/splunk start --accept-license --answer-yes Upgrade to 6.0. Splunk does not provide a means of downgrading to previous versions. or by running the msiexec utility on the command line as described in "Install on Windows via the command line". Splunk will default to using the Local System User. Back your files up Before you perform the upgrade.3. You can upgrade using the GUI installer.x or 5.

make sure to back them up before you upgrade. Download the new MSI file from the Splunk download page. you must uninstall version 6 of Splunk and then reinstall the previous version of Splunk that you were using. you can copy them back into %SPLUNK_HOME%\etc\auth to restore them. Upgrade using the command line 1. 4. restart Splunk. Double-click the MSI file. For information about each panel. Download the new MSI file from the Splunk download page. 2. Note: When you upgrade to Splunk 6. If you have custom CA files. read "Back up indexed data" in the Managing Indexers and Clusters Manual. After the upgrade.0 on Windows. 111 .For information on backing up data. Upgrade using the GUI installer 1. Stop Splunk by either using the Services control panel or executing the %SPLUNK_HOME%\bin\splunk stop command. The Welcome panel is displayed. Splunk will start up by default when you complete the installation. refer to the installation instructions. Follow the on-screen instructions to upgrade Splunk. 3. the installer overwrites any custom certificate authority (CA) certificates you have created in %SPLUNK_HOME%\etc\auth. Stop Splunk either by using the Services control panel or executing the %SPLUNK_HOME%\bin\splunk stop command. Do not attempt to install over a Splunk 6 installation with an installer from a previous version. read "Back up configuration information" in the Admin manual. Don't attempt to downgrade after you've upgraded After you upgrade Splunk to version 6. A log of the changes made to your configuration files during the upgrade is placed in %TEMP%. 2. After you have restored the certificates. For information on backing up configurations. if you need to downgrade. Doing so can result in a corrupt instance and data loss.

Start Splunk On Windows. while maintaining the indexed data. stop. Use the instructions in "Install on Windows via the command line". architecture. • You can use the LAUNCHSPLUNK flag to specify whether Splunk should start up automatically or not when you're finished. and restart both processes at once by going to %SYSTEMDRIVE%\Program Files\Splunk\bin and typing # splunk [start|stop|restart] Migrate a Splunk instance This topic discusses the procedure for migrating a Splunk instance from one server. configurations. • DO NOT change the ports (SPLUNKD_PORT and WEB_PORT) at this time. You can start and stop the following Splunk processes via the Windows Services control panel: • Server process: splunkd • Web interface process: splunkweb You can also start. which is merely installing a new version on top of an older one (though. Depending on your specification. This is different than upgrading an instance. A log of the changes made to your configuration files during the upgrade is placed in %TEMP%. Splunk is installed by default into %SYSTEMDRIVE%\Program Files\Splunk and is started by default. 4. or filesystem to another. operating system. and users. Splunk may start automatically when you complete the installation. you must explicitly specify this user in your command-line instruction. but you cannot change any other settings. 112 .3. • If Splunk is running as a user other than the Local System user. an upgrade is a form of migration).

are the same endianness of the operating system that created them. there are some important considerations to note when doing so. • You are switching operating systems (for example. • Your Splunk installation is on a system architecture that you plan to no longer support. 113 . These operating systems create binary files of the same endianness. For a listing of processor architectures and the endianness they use. refer to the Endianness article on Wikipedia. Some operating systems are big-endian (meaning they store the most significant byte of a binary file first). and you wish to move it to a 64-bit architecture for better performance. the index files that comprise that data are sensitive to an operating system's endianness. be sure to note: Endianness If you indexed data with a version of Splunk earlier than 4. What to consider when migrating While migrating a Splunk instance is simple in many cases. version. • Your Splunk installation is on 32-bit architecture. for versions of Splunk earlier than 4. which is the way the system organizes the individual bytes of a binary file (or other data structure). • Your Splunk installation is on an operating system that either your organization or Splunk no longer supports. from *nix to Windows or vice versa) • You want to move your Splunk installation to a different file system. you might need to consider more than one of these items at a time. When migrating a Splunk instance. Index bucket files are binary. and architecture of the systems involved in the migration.2. and others are little-endian (meaning they store the least significant byte first). and you want to move it to an operating system that is supported.2.When to migrate There are a number of reasons to migrate a Splunk install: • Your Splunk installation is on a server that you wish to retire or reuse for another purpose. and you want to move it to an architecture that you do support. Depending on the type. and thus.

2 and later do not have problems with endianness. and can take an extremely long amount of time. Differences in Windows and Unix path separators The path separator (the character used to separate individual directory elements of a path) on *nix and Windows is different. This includes but is not limited to the following: • Ensure that the file system and/or share permissions on the target server are correct and allow access for the user that runs Splunk.conf) to use the correct path separator.) If you can't move index between systems with the same endianness (for example. we strongly suggest that you consult Splunk's Professional Services team for assistance. you can retire the big-endian system. Read "Export and import index data between systems using exporttool/importtool" in this topic for additional information.2 Splunk instance. then import the CSV data into the little-endian system with the importtool CLI command. You must also make sure that you update any Splunk configuration files (in particular. • You can move the data by forwarding it from the big-endian system to the little-endian system. Then. you must transfer index files between systems with the same kind of endianness (for example. • You can export the data from the big-endian system using Splunk's exporttool CLI command to comma-separated values (CSV) file. make sure that the destination server has the same rights assigned to it that the source server does.When you migrate a pre-4. depending on how much data needs to be transferred. If you want to use this method. then you must use alternative methods to move the data. When moving index files between these operating systems. once you have forwarded all the data. Index files created by Splunk versions 4. indexes. when you want to move from a system that's big-endian to a system that's little-endian). you must make sure that the path separator you use is correct for the operating system you want to move the Splunk installation to. 114 . Caution: This is an advanced procedure. in order for the destination system to be able to read the migrated data. a NetBSD system running on a SPARC processor to a Linux system also running on a SPARC processor. Windows permissions When moving a Splunk instance between Windows servers.

3. How to migrate To migrate your system from one version of Splunk to another. Stop Splunk on the server from which you want to migrate. Distributed and clustered Splunk environments When you want to migrate data on a distributed Splunk instance (that is. 2. Copy the entire contents of the $SPLUNK_HOME directory from the old server to the new server. you must make sure that the individual buckets within those indexes have bucket IDs which do not collide. When copying index data. you might experience degraded search performance on the new server due to the larger files that the 64-bit operating system and Splunk instance created. Install the appropriate version of Splunk for the target platform. Important: Be sure to note any considerations above which might apply to you when copying the files. Splunk will not start if it encounters indexes with buckets that have colliding bucket IDs. that the user is a member of the local Administrators group and has the appropriate Local Security Policy or Domain Policy rights assigned to it by a Group Policy object Architecture changes If you downgrade the architecture that your Splunk instance runs on (for example. the you should remove the instance from the distributed environment before attempting to migrate it. you might need to rename the copied bucket files in order to prevent this condition. 64-bit to 32-bit). Bucket IDs and potential bucket collision If you migrate a Splunk instance to another Splunk instance that already has existing indexes with identical names.• If Splunk runs as an account other than the Local System user. 115 . or a search head that's been configured to search indexers for data). an indexer that is part of a group of servers that a search head has been configured to search for events. follow these instructions: 1.

You should be able to log in with your existing credentials. • You are not trying to restore a bucket created by a 4. you can extract the tar file you downloaded directly over the copied files on the new system. Confirm that index configuration files (indexes.conf) contain the correct location and path specification for any non-default indexes. On the target system. To move a bucket from one server to another: 1. 3. 2. Roll any hot buckets on the source system from hot to warm. Note: Review indexes. You might need 116 . you can move individual buckets of an index between servers. 5. Start Splunk on the new Splunk instance. as long as: • The source and target systems have the same endianness.2. • On Windows systems. Splunk detects whether you are migrating and prompts you on whether or not to upgrade at this time.conf on the old system to get a list of the indexes on that system. Splunk will not start. the installer updates the Splunk files automatically. Otherwise.Note: • On *nix systems. you must make sure that no bucket IDs conflict on the new system. Note: On *nix systems. Note: When copying individual bucket files. Once logged in. create index(es) that are identical to the ones on the source system. 4. 7. How to move index buckets from one server to another If you're retiring a Splunk server and immediately moving the data to another Splunk server. or use your package manager to upgrade using the downloaded package. Log into Splunk.2 or greater version of Splunk to a version of Splunk less than 4. Copy the index buckets from the source system to the target system. 6. confirm that your data is intact by searching it.

Old licenses Migrating from an older version most likely puts you in one of these two categories: • If you are currently running Splunk 4. Splunk also recommends you review the migration documentation before proceeding with the migration. Migrate to the new Splunk licenser This topic discusses how to migrate your license configuration from a pre-4. • Read "Groups. first to 4. Before you proceed. this will enable Enterprise 117 . Splunk recommends adding your search heads to an established Enterprise license pool.to rename individual bucket directories after you move them from the source system to the target system. Before you proceed.2+ licenser model. pools. they will be automatically converted to be in the Download-trial group. and other terminology" in the Admin manual for more information about Splunk license terms.0.0 or later. Even if they have no indexing volume. 4. your license will work in 4. Migrating search heads If your search heads were previously using old forwarder licenses. you might want to review these topics: • Read "How Splunk licensing works" in the Admin manual for an introduction to Splunk licensing. you must contact your Splunk Sales representative and arrange for a new license. then 4.2 and later. 4.2.0+) to maintain your configurations. Note: This topic does not cover upgrade of an entire Splunk deployment. you might want to migrate in multiple steps (for example. stacks. Review "How to upgrade Splunk" in the Installation Manual before you upgrade your Splunk deployment. and finally 5. • If you're migrating from a version older than 4.1. Restart Splunk.0. Depending on how old your version of Splunk is.2 Splunk deployment to the 4.

Follow the instructions in the Installation Manual for your platform.1. following the standard instructions in the Installation Manual.license on each indexer) and install it onto the license master. adding it to the stack and pool to which you want to add the indexer. • Configure the indexer as a license slave and point it at the license master. and will show up as a valid stack. follow these high-level steps in this order to migrate the deployment: 1. with the indexer as a member of the default pool. Migrate a distributed indexing deployment If you've got multiple 4. confirm that the license slave is connecting as expected by navigating to Manager > Licensing and looking at the list of indexers associated with the appropriate pool.x indexers. following the same steps.2 license files are located in $SPLUNK_HOME/etc/splunk. 2. • Once you've confirmed the license slave is connecting as expected. this is likely a good choice. each with their own licenses. 3. Your existing license will work with the new licenser.0 following the instructions in the Installation Manual. Upgrade each indexer one at a time. and be sure to read the "READ THIS FIRST" documentation first.1. • Make a copy of the indexer's Enterprise license file (pre-4.features. 118 . • On the license master. If you've got a search head. It will be operating as a stand-alone license master until you perform the following steps. you can just proceed as normal with your upgrade. Install or upgrade the Splunk instance you have chosen to be the license master. Migrate a standalone instance If you've got a single 4. especially alerting and authentication. 4. Designate one of your Splunk instances as the license master. Configure the license master to accept connections from the indexers as desired.x Splunk indexer and it has a single license installed on it. following these steps: • Upgrade an indexer to 5. proceed to upgrade the next indexer.

review the information in this chapter about the universal forwarder in the Forwarding Data Manual.Migrate forwarders If you have deployed light forwarders. If you have deployed a heavy forwarder (a full instance of Splunk that performs indexing before forwarding to another Splunk instance). no licensing configuration is required--the universal forwarder includes its own license. You can upgrade your existing light forwarders to the universal forwarders. you can treat it like an indexer--add it to a license pool along with the other indexers. 119 .

the default installation directory is /opt/splunk. it is /Applications/splunk. RedHat Linux To uninstall Splunk on RedHat: rpm -e splunk_product_name Debian Linux To uninstall Splunk on Debian: dpkg -r splunk To purge (delete everything. On Windows. Note: $SPLUNK_HOME refers to the Splunk installation directory. for Mac OS. this is C:\Program Files\Splunk by default. files that were not originally installed by the package will be retained. Before you uninstall. For most Unix platforms. including configuration files) on Debian: dpkg -P splunk 120 . These files include your configuration and index files which are under your installation directory. Navigate to $SPLUNK_HOME/bin and type . stop Splunk./splunk stop (or just splunk stop on Windows).Uninstall Splunk Enterprise Uninstall Splunk This topic discusses how to remove Splunk from your system. Uninstall Splunk with your package management utilities Use your local package management commands to uninstall Splunk. In most cases.

Note: The $SPLUNK_HOME variable refers to the directory where you installed Splunk. you must delete those directories as well. disable boot-start (if you configured it). 121 . you must stop Splunk. run the following command as root: $SPLUNK_HOME/bin/splunk disable boot-start 3. Stop Splunk: $SPLUNK_HOME/bin/splunk stop 2.FreeBSD To uninstall Splunk from the default location on FreeBSD: pkg_delete splunk To uninstall Splunk from a different location on FreeBSD: pkg_delete -p /usr/splunk splunk Solaris To uninstall Splunk on Solaris: pkgrm splunk HP-UX To uninstall Splunk on HP-UX. If you enabled boot-start. Delete the Splunk installation directories: rm -rf $SPLUNK_HOME Other things you may want to delete: • If you created any indexes and did not use the Splunk default path. and then delete the Splunk installation. 1.

msi Note: Under some circumstances. $SPLUNK_HOME/bin/splunk stop 2. that option is available under Programs and Features. Stop Splunk. you should also delete them. Note: These instructions will not remove any init scripts that have been created. Find and kill any lingering processes that contain "splunk" in its name. 1. You can safely ignore this request without rebooting.• If you created a user or group for running Splunk. Windows To uninstall Splunk on Windows: Use the Add or Remove Programs option in the Control Panel.}'` For FreeBSD and Mac OS 122 . Uninstall Splunk manually If you can't use package management commands. In Windows 7 and Windows Server 2008. use these instructions to uninstall Splunk. For Linux and Solaris: kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2. You can also uninstall Splunk from the command line by using the msiexec executable against the Splunk installer package: C:\> msiexec /x splunk-<version>-x64. the Microsoft installer might present a reboot prompt during the uninstall process.

Remove the Splunk installation directory.}'` 3. if they exist. For Windows: Open a command prompt and run the command msiexec /x against the msi package that you installed.kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1. $SPLUNK_HOME. you can also remove the installation directory by dragging the folder into the trash. and FreeBSD: userdel splunk groupdel splunk For Mac OS: You can use the System Preferences > Accounts panel to manage users and groups. 3. if they exist. Solaris. rm -rf /opt/splunkdata 4. Remove any Splunk datastore or indexes outside the top-level directory. For example: rm -rf /opt/splunk Note: For Mac OS. 123 . For Linux. Delete the splunk user and group.

-----BEGIN PGP PUBLIC KEY BLOCK----Version: GnuPG v1.Reference PGP Public Key Following is the Pretty Good Privacy (PGP) public key for Splunk. Install the key using: rpm --import <filename> 124 .1 (GNU/Linux) mQGiBEbE21QRBADEMonUxCV2kQ2oxsJTjYXrYCWCtH5/OnmhK5lT2TQaE9QUTs+w nM3sVInQqwRwBDH2qsHgqjJS0PIE867n+lVuk0gSVzS5SOlYzQjnSrisvyN452MF 2PgetHq8Lb884cPJnxR6xoFTHqOQueKEOXCovz1eVrjrjfpnmWKa/+5X8wCg/CJ7 pT7OXHFN4XOseVQabetEbWcEAIUaazF2i2x9QDJ+6twTAlX2oqAquqtBzJX5qaHn OyRdBEU2g4ndiE3QAKybuq5f0UM7GXqdllihVUBatqafySfjlTBaMVzd4ttrDRpq Wya4ppPMIWcnFG2CXf4+HuyTPgj2cry2oMBm2LMfGhxcqM5mpoyHqUiCn7591Ra/ J2/FA/0c2UAUh/eSiOn89I6FhFOicT5RPtRpxMoEM1Di15zJ7EXY+xBVF9rutqhR 5OI9kdHibYTwf4qjOOPOA7237N1by9GiXY/8s+rDWmSNKZB+xAaLyl7cDhYMv7CP qFTutvE8BxTsF0MgRuzIHfJQE2quuxKJFs9lkSFGuZhvRuwRcrQgS2ltIFdhbGxh Y2UgPHJlbGVhc2VAc3BsdW5rLmNvbT6IXgQTEQIAHgUCRsTbVAIbAwYLCQgHAwID FQIDAxYCAQIeAQIXgAAKCRApYLH9ZT+xEhsPAKDimP8sdCr2ecPm8mre/8TK3Bha pQCg3/xEickiRKKlpKnySUNLR/ZBh3m5Ag0ERsTbbRAIAIdfWiOBeCj8BqrcTXxm 6MMvdEkjdJCr4xmwaQpYmS4JKK/hJFfpyS8XUgHjBz/7zfR8Ipr2CU59Fy4vb5oU HeOecK9ag5JFdG2i/VWH/vEJAMCkbN/6aWwhHt992PUZC7EHQ5ufRdxGGap8SPZT iIKY0OrX6Km6usoVWMTYKNm/v7my8dJ2F46YJ7wIBF7arG/voMOg1Cbn7pCwCAtg jOhgjdPXRJUEzZP3AfLIc3t5iq5n5FYLGAOpT7OIroM5AkgbVLfj+cjKaGD5UZW7 SO0akWhTbVHSCDJoZAGJrvJs5DHcEnCjVy9AJxTNMs9GOwWaixfyQ7jgMNWKHJp+ EyMAAwYH/RLNK0HHVSByPWnS2t5sXedIGAgm0fTHhVUCWQxN3knDIRMdkqDTnDKd qcqYFsEljazI2kx1ZlWdUGmvU+Zb8FCH90ej8O6jdFLKJaq50/I/oY0+/+DRBZJG 3oKu/CK2NH2VnK1KLzAYnd2wZQAEja4O1CBV0hgutVf/ZxzDUAr/XqPHy5+EYg96 4Xz0PdZiZKOhJ5g4QjhhOL3jQwcBuyFbJADw8+Tsk8RJqZvHfuwPouVU+8F2vLJK iF2HbKOUJvdH5GfFuk6o5V8nnir7xSrVj4abfP4xA6RVum3HtWoD7t//75gLcW77 kXDR8pmmnddm5VXnAuk+GTPGACj98+eISQQYEQIACQUCRsTbbQIbDAAKCRApYLH9 ZT+xEiVuAJ9INUCilkgXSNu9p27zxTZh1kL04QCg6YfWldq/MWPCwa1PgiHrVJng p4s= =Mz6T -----END PGP PUBLIC KEY BLOCK----- Installing the key Copy and paste the key into a file.4.

Sign up to vote on this title
UsefulNot useful