You are on page 1of 127

Splunk Enterprise 6.

0
Installation Manual
Generated: 11/05/2013 12:28 pm

Copyright (c) 2013 Splunk Inc. All Rights Reserved

Table of Contents
Welcome to the Splunk Enterprise Installation Manual...................................1 What's in this manual................................................................................1 Plan your Splunk Enterprise installation...........................................................2 Installation overview..................................................................................2 System requirements.................................................................................3 Components of a Splunk deployment.....................................................10 Estimate your storage requirements.......................................................11 Splunk architecture and processes.........................................................13 Information on Windows third-party binaries distributed with Splunk......16 Step-by-step installation instructions .......................................................19 Secure your Splunk installation...............................................................19 Estimate hardware requirements.....................................................................20 Hardware capacity planning for your Splunk deployment........................20 How incoming data affects Splunk performance.....................................22 How indexed data impacts Splunk performance.....................................23 How the number of concurrent users impacts Splunk performance.......23 How saved searches affect Splunk performance....................................24 How search types impact Splunk performance.......................................24 How Splunk apps affect Splunk performance.........................................26 How Splunk calculates disk storage ........................................................26 Reference hardware ................................................................................27 Performance questionnaire.....................................................................29 Summary of performance recommendations..........................................32 Install Splunk Enterprise on Windows .............................................................34 Choose the Windows user Splunk should run as .....................................34 Prepare your Windows network for a Splunk installation as a network or domain user.........................................................................................38 Install on Windows..................................................................................46 Install on Windows via the command line...............................................50 Correct the user selected during Windows installation............................58 Install Splunk Enterprise on Unix, Linux or Mac OS X...................................60 Install on Linux........................................................................................60 Install on Solaris......................................................................................63 Install on Mac OS....................................................................................67 Install on FreeBSD..................................................................................71
i

Table of Contents
Install Splunk Enterprise on Unix, Linux or Mac OS X Install on AIX...........................................................................................75 Install on HP-UX ......................................................................................77 Run Splunk as a different or non-root user.............................................79 Start using Splunk Enterprise..........................................................................82 Start Splunk for the first time...................................................................82 What happens next?................................................................................84 Learn about Splunk's accessibility..........................................................85 Install a Splunk Enterprise license ...................................................................87 About Splunk licenses.............................................................................87 Install a license ........................................................................................87 Upgrade or migrate Splunk Enterprise............................................................90 How to upgrade Splunk...........................................................................90 About Upgrading to 6.0 - READ THIS FIRST.........................................92 How Splunk Web procedures have changed from version 5 to version 6 .................................................................................................101 Changes for Splunk App developers .....................................................102 Upgrade to 6.0 on UNIX........................................................................107 Upgrade to 6.0 on Windows..................................................................110 Migrate a Splunk instance.....................................................................112 Migrate to the new Splunk licenser.......................................................117 Uninstall Splunk Enterprise............................................................................120 Uninstall Splunk....................................................................................120 Reference ..........................................................................................................124 PGP Public Key .....................................................................................124

ii

Welcome to the Splunk Enterprise Installation Manual


What's in this manual
Use the Installation Manual to learn how to install Splunk Enterprise. In this manual, you can find: System requirements Licensing information Procedures for installing Procedures for upgrading from a previous version ...and more. Note: If you want to install the Splunk universal forwarder, read "Universal forwarder deployment overview" in the Forwarding Data Manual. Unlike Splunk heavy and light forwarders, which are full Splunk Enterprise instances with some features changed or disabled, the universal forwarder is an entirely separate executable, with its own set of installation procedures. For an introduction to forwarders, see "About forwarding and receiving".

Find what you need


You can use the table of contents to the left of this panel, or simply search for what you want in the search box in the upper right. If you're interested in more specific scenarios and best practices, you can visit the Splunk Community Wiki to see how other users Splunk IT. Make a PDF If you'd like a PDF of any version of this manual, click the red Download as PDF link below the table of contents on the left side of this page. A PDF version of the manual is generated on the fly for you, and you can save it or print it out to read later.

Plan your Splunk Enterprise installation


Installation overview
This topic discusses the basic steps required to install Splunk on a computer. We strongly suggest that you read this topic and the contents of this chapter first before performing an installation.

Installation basics
The following list provides general guidance on how to install Splunk: 1. Review the system requirements for installation. Specific additional requirements might apply based on the operating system you install Splunk on, and how you plan to use Splunk. 2. Read "Components of a Splunk deployment" to learn about Splunk's ecosystem, and "Splunk architecture and processes" to learn what the Splunk installer puts on your computer. 3. Download the correct installation package for your system from the Splunk download page. 4. Perform the installation using the step-by-step installation instructions for your operating system. 5. If this is the first time you have installed Splunk, you might want to consider reading the Splunk Search Tutorial to learn how to index data into Splunk and search that data using Splunk's search language. 6. After you've installed Splunk, you can calculate how much space you need to index your data. Read "Estimate your storage requirements" for additional information. 7. If you plan to run Splunk in a production environment, review "Hardware capacity planning for your Splunk deployment" in this manual for insight into the amount of hardware a Splunk deployment requires.

Upgrading or migrating a Splunk instance?


If you're upgrading from an earlier version of Splunk, read "How to upgrade Splunk" in this manual for information and specific instructions. If you want to know how to migrate a Splunk instance from one system to another, read "Migrate a Splunk instance" in this manual.

System requirements
Before you download and install the Splunk software, read this topic to learn which computing environments Splunk supports. Refer to the download page for the latest version to download. Check the release notes for details on known and resolved issues. For a discussion of hardware planning for deployment, review "Hardware capacity planning for your Splunk deployment" in this manual. If you have ideas or requests for new features to add to future releases, get in touch with Splunk Support. You can also review our product road map.

Supported OSes
Important: Read the following tables carefully when researching the system requirements. Splunk availability has changed significantly from previous versions. The tables below list the computing platforms that Splunk is available for. To find out whether or not Splunk is available for your platform: 1. Find the operating system you wish to install Splunk on in the left column. 2. Then, read across to find the appropriate computing architecture in the center column that best matches your environment. The tables show availability for two different types of Splunk, as shown in the two columns on the right: Splunk Enterprise/Trial, and Splunk Universal Forwarder. An 'x' in the box that intersects your computing platform and desired Splunk type means that Splunk is available for that platform. An empty box
3

means that Splunk is not available for that platform. Some boxes have characters in addition to - or instead of - an 'x'. Refer to the bottom of the tables to find out what the additional characters represent. Unix operating systems Operating system Architecture x86 (64-bit) Solaris 8* and 9 SPARC x86 (32-bit) Solaris 10 and 11* x86 (64-bit) SPARC x86 (32-bit) Linux, 2.4+ with x86 (64-bit) Native POSIX Thread Library x86 (32-bit) Linux, 2.6+ Linux, 3.0+ PowerLinux, 2.6+ FreeBSD 7** and 8 Mac OS X 10.7 and 10.8 AIX 5.3 AIX 6.1 and 7.1 HP/UX? 11i v2 and 11i v3 x86 (64-bit) x86 (32-bit) x86 (64-bit) x86 (32-bit) PowerPC x86 (64-bit) x86 (32-bit) Intel PowerPC PowerPC Itanium x x x x x x x x x x* x x* Enterprise / Trial Universal Forwarder x x x* x* x x*

x x x x x x x x x x x x

PA-RISC x * Solaris 8 does not support 64-bit Splunk installs. Also, Solaris 11 does not support 32-bit Splunk installs. ** Be sure to read important notes on FreeBSD 7 below.
4

? You must use gnu tar to unpack the HP/UX installation archive. Windows operating systems The table below lists the Windows computing platforms that Splunk is available for. Operating system Architecture Enterprise / Trial x x*** x x*** x Universal Forwarder x x*** x x*** x x x*** x x*** x x x*** x x*** x

Windows Server x86 (64-bit) 2003 and Server x86 (32-bit) 2003 R2 Windows Server x86 (64-bit) 2008 and Server x86 (32-bit) 2008 R2 Windows Server x86 (64-bit) 2012 Windows XP Windows Vista Windows 7 Windows 8 x86 (64-bit) x86 (32-bit) x86 (64-bit) x86 (32-bit) x86 (64-bit) x86 (32-bit) x86 (64-bit)

x86 (32-bit) x x *** This version of Splunk is supported but is not recommended on this platform and architecture. Splunk Enterprise is not available on this platform. However, Splunk Trial and Splunk Universal Forwarder are available. Operating system notes and additional information
Windows

Certain parts of Splunk on Windows require elevated user permissions to function properly. For additional information about what is required, read the following topics:

"Splunk architecture and processes" in this manual. "Choose the user Splunk should run as" in this manual. "Considerations for deciding how to monitor remote Windows data" in the Getting Data In Manual.
FreeBSD 7.x

To run Splunk 6.x on 32-bit FreeBSD 7.x, install the compat6x libraries. Splunk Support will supply "best effort" support for users running on FreeBSD 7.x. For more information, refer to "Install Splunk on FreeBSD 7" in the Community Wiki. Deprecated operating systems and features As we continue to version the Splunk product, we gradually deprecate support of older operating systems. Be sure to read "Deprecated features" in the Release Notes for information on which platforms and features have been deprecated or removed entirely. Creating and editing configuration files on non-UTF-8 OSes Splunk expects configuration files to be in ASCII or Universal Character Set Transformation Format-8-bit (UTF-8) format. If you edit or create a configuration file on an OS that does not use UTF-8 character set encoding, then you must ensure that the editor you are using is configured to save in ASCII/UTF-8. IPv6 platform support All Splunk-supported OS platforms are supported for use with IPv6 configurations except for the following: AIX HP/UX on PA-RISC architecture Solaris 9 Refer to "Configure Splunk for IPv6" in the Admin Manual for details on Splunk IPv6 support.

Supported browsers
Splunk supports the following browsers: Firefox 10.x and latest Internet Explorer 7, 8, 9, and 10
6

Safari (latest) Chrome (latest) You should also make sure you have the latest version of Adobe Flash installed to render any charts that use options not supported by the JSChart module. For more information about this subject, see "About JSChart" in the Splunk Data Visualizations Manual.

Recommended hardware
Splunk is a high-performance application. If you are performing a comprehensive evaluation of Splunk for production deployment, we recommend that you use hardware typical of your production environment. This hardware should meet or exceed the recommended hardware capacity specifications below. For a discussion of hardware planning for production deployment, see "Hardware capacity planning for your Splunk deployment" in this manual. Splunk and virtual machines If you run Splunk in a virtual machine (VM) on any platform, performance does degrade. This is because virtualization works by abstracting the hardware on a system into resource pools from which VMs defined on the system draw as needed. Splunk needs sustained access to a number of resources, particularly disk I/O, for indexing operations. Running Splunk in a VM or alongside other VMs can cause reduced indexing performance. Recommended and minimum hardware capacity Minimum supported hardware capacity

Platform

Recommended hardware capacity/configuration

Non-Windows platforms Windows platforms

2x six-core, 2+ GHz CPU, 12 GB RAM, 1x1.4 GHz CPU, Redundant Array of Independent Disks 1 GB RAM (RAID) 0 or 1+0, with a 64 bit OS installed. 2x six-core, 2+ GHz CPU, 12 GB RAM, RAID 0 or 1+0, with a 64 bit OS installed.

Pentium 4 or equivalent at 2 GHz, 2 GB RAM Note: RAID 0 configurations do not provide fault-tolerance. Be certain that a RAID 0 configuration meets your data reliability needs before deploying a Splunk indexer on a system configured with RAID 0.
7

All configurations other than universal and light forwarder instances require at least the recommended hardware configuration. The minimum supported hardware guidelines are designed for personal use of Splunk. The requirements for Splunk in a production environment are significantly higher. Important: For all installations, including forwarders, you must have a minimum of 5 GB of hard disk space available in addition to the space required for any indexes. Refer to "Estimate your storage requirements" in this manual for additional information. Hardware requirements for universal and light forwarders Recommended Dual-core 1.5 GHz+ processor, 1 GB+ RAM Minimum 1.0 Ghz processor, 512 MB RAM

Supported file systems


Platform Linux Solaris FreeBSD AIX HP-UX File systems ext2/3/4, reiser3, XFS, NFS 3/4 UFS, ZFS, VXFS, NFS 3/4 FFS, UFS, NFS 3/4, ZFS JFS, JFS2, NFS 3/4 VXFS, NFS 3/4

Mac OS X HFS, NFS 3/4

Windows NTFS, FAT32 Note: If you run Splunk on a filesystem that is not listed above, Splunk might run a startup utility named locktest to test the viability of a filesystem for running Splunk. Locktest is a program that tests the start up process. If locktest runs and fails, then the filesystem is not suitable for running Splunk. Considerations regarding file descriptors (FDs) on *nix systems Splunk allocates file descriptors on *nix systems for actively monitored files, forwarder connections, deployment clients, users running searches, and so on. Usually, the default file descriptor limit (controlled by the ulimit command on a *nix-based OS) is 1024. Your Splunk administrator should determine the correct level, but it should be at least 8192. Even if Splunk allocates just a single file descriptor for each of the activities above, it?s easy to see how a few hundred
8

files being monitored, a few hundred forwarders sending data, a handful of very active users on top of reading/writing to/from the datastore can easily exhaust the default setting. The more tasks your Splunk instance is doing, the more FDs it will need, so you should increase the ulimit value if you start to see your instance run into problems with low FD limits. For more information, read about ulimit in the Troubleshooting Manual. This consideration is not applicable to Windows-based systems. Considerations regarding Network File System (NFS) When choosing to use Network File System (NFS) as a storage medium for Splunk indexing, it is important to consider all of the ramifications of file level storage. Splunk strongly recommends that you use block level storage rather than file level storage for indexing your data. In environments with reliable, very high-bandwidth low-latency links, or with vendors that provide high-availability, clustered network storage, NFS can be an appropriate choice. However, customers who plan to choose this strategy should work closely with their hardware vendor to confirm that the storage platform they choose performs to the desired specification in terms of both performance and data integrity. If you choose to use NFS, note the following caveats: Splunk does not support "soft" NFS mounts (mounts which cause a program attempting a file operation on the mount to report an error and continue in case of a failure). Only "hard" NFS mounts - mounts where the client continues to attempt to contact the server in case of a failure) are reliable with Splunk. Do not disable attribute caching. If you have other applications which require disabling or reducing attribute caching, then you must provide Splunk a separate mount with attribute caching enabled. Do not use NFS mounts over a wide area network (WAN). Doing so causes performance issues and can potentially lead to data loss.

Considerations regarding solid state drives Solid state drives (SSDs) deliver significant performance gains over conventional hard drives for Splunk in "rare" searches - searches that request small sets of results over large swaths of data - when used in combination with bloom filters. They also deliver performance gains with concurrent searches overall.

Supported server hardware architectures


32 and 64-bit architectures are supported for some platforms. See the download page for details.

Components of a Splunk deployment


Splunk is simple to deploy by design. By using a single software component and easy to understand configurations, Splunk can coexist with existing infrastructure or be deployed as a universal platform for accessing IT data. The simplest deployment is the one you get by default when you install Splunk: indexing and searching on the same server. Data comes in from the sources you've configured, and you log into Splunk Web or the CLI on this same server to search, monitor, alert, and report on your IT data. Depending on your needs, you can also deploy components of Splunk on different servers to address your load and availability requirements. This section introduces the types of components. For a more thorough introduction, see the Distributed Deployment manual, particularly the topic, "Scale your deployment: Splunk components".

Indexer
Splunk indexers, or index servers, provide indexing capability for local and remote data and host the primary Splunk datastore, as well as Splunk Web. Refer to "How indexing works" in the Managing Indexers and Clusters manual for more information. Search peer A search peer is an indexer that services requests from search heads in a distributed search deployment. Search peers are also sometimes referred to as indexer nodes.
10

Search head
A search head is a Splunk instance configured to distribute searches to indexers, or search peers. Search heads can be either dedicated or not, depending on whether they also perform indexing. Dedicated search heads don't have any indexes of their own (other than the usual internal indexes). Instead, they consolidate results that originate from remote search peers. See "What is distributed search" in the Distributed Search Manual to configure a search head to search across a pool of indexers.

Forwarder
Forwarders are Splunk instances that forward data to remote indexers for indexing and storage. In most cases, they do not index data themselves. Refer to the "About forwarding and receiving" topic in the Forwarding Data manual.

Deployment server
Both indexers and forwarders can also act as deployment servers. A deployment server distributes configuration information to running instances of Splunk via a push mechanism which is enabled through configuration. Refer to "About deployment server" in the Updating Splunk Instances manual for additional information about the deployment server.

Functions at a glance
Functions Indexing Web Direct search Forward to indexer Deploy configurations x Indexer Search head Forwarder x x x x x x Deployment server

Estimate your storage requirements

11

This topic describes how to estimate the size of your Splunk index, so that you can plan your storage capacity requirements. When Splunk indexes your data, it creates two main types of files: the "rawdata" file that contains the original data in compressed form and the index files that point to this data. (It also creates a few metadata files, which don't consume much space.) With a little experimentation, you can estimate how much index disk space you will need for a given amount of incoming data. Typically, the compressed rawdata file is approximately 10% the size of the incoming, pre-indexed raw data. The associated index files range in size from approximately 10% to 110% of the rawdata file. This value is affected strongly by the number of unique terms in the data. Depending on the data's characteristics, you might want to tune your segmentation settings, as described in "About segmentation" in the Getting Data In Manual. The best way to get an idea of your space needs is to experiment by indexing a representative sample of your data, and then checking the sizes of the resulting directories in defaultdb.

On *nix systems, follow these steps


Once you've indexed your data sample: 1. Go to $SPLUNK_HOME/var/lib/splunk/defaultdb/db. 2. Run du -ch hot_v* and look at the last total line to see the size of the index.

On Windows systems, follow these steps


1. Download the du utility from Microsoft TechNet. 2. Extract du.exe from the downloaded ZIP file and place it into your %SYSTEMROOT% folder. Note: You can also place it anywhere in your %PATH%. 3. Open a command prompt. 4. Once there, go to %SPLUNK_HOME%\var\lib\splunk\defaultdb\db. 5. Run del %TEMP%\du.txt & for /d %i in (hot_v*) do du -q -u %i\rawdata | findstr /b "Size:" >> %TEMP%\du.txt.
12

6. Open the %TEMP%\du.txt file. You will see Size: n, which is the size of each rawdata directory found. 7. Add these numbers together to find out how large the compressed persisted raw data is. 8. Next, run for /d %i in (hot_v*) do dir /s %i, the summary of which is the size of the index. 9. Add this number to the total persistent raw data number. This is the total size of the index and associated data for the sample you have indexed. You can now use this to extrapolate the size requirements of your Splunk index and rawdata directories over time.

Answers
Have questions? Visit Splunk Answers to see what questions and answers other Splunk users had about data sizing.

Splunk architecture and processes


This topic discusses Splunk's internal architecture and processes at a high level. If you're looking for information about third-party components used in Splunk, refer to the credits section in the Release notes.

Processes
A Splunk server runs two processes (installed as services on Windows systems) on your host, splunkd and splunkweb: splunkd is a distributed C/C++ server that accesses, processes and indexes streaming IT data. It also handles search requests. splunkd processes and indexes your data by streaming it through a series of pipelines, each made up of a series of processors. Pipelines are single threads inside the splunkd process, each configured with a single snippet of XML. Processors are individual, reusable C or C++ functions that act on the stream of IT data passing through a pipeline. Pipelines can pass data to one another via queues. splunkd supports a command line interface for searching and viewing results.
13

splunkweb is a Python-based application server based on CherryPy that provides the Splunk Web user interface. It allows users to search and navigate data stored by Splunk servers and to manage your Splunk deployment through a Web interface. and splunkd can both communicate with your Web browser via REpresentational State Transfer (REST):
splunkweb

splunkd also runs a Web server on port 8089 with SSL/HTTPS turned on by default. splunkweb runs a Web server on port 8000 without SSL/HTTPS by default. On Windows systems, splunkweb.exe is a third-party, open-source executable that Splunk renames from pythonservice.exe. Since it is a renamed file, it does not contain the same file version information as other Splunk for Windows binaries. Read information on other Windows third-party binaries distributed with Splunk. Splunk and Windows in Safe Mode Neither the splunkd, the splunkweb, nor the SplunkForwarder services starts if Windows is in Safe Mode. Additionally, if you attempt to start Splunk from the Start Menu while in Safe Mode, Splunk does not alert you to the fact that its services are not running.

Additional processes for Splunk on Windows


On Windows instances of Splunk, in addition to the two services described above, there are additional processes that Splunk uses when you create specific data inputs on a Splunk instance. These scripted inputs run when configured by certain types of Windows-specific data input. splunk.exe is the control application for the Windows version of Splunk. It provides the command line interface (CLI) for the program, and allows you to start, stop, and configure Splunk, similar to the *nix splunk program.
splunk.exe

Important: splunk.exe requires an elevated context to run because of how it controls the splunkd and splunkweb processes. Splunk might not function correctly if this executable is not given the appropriate permissions on your Windows system. This is not an issue if you install Splunk as the Local System
14

user. splunk-admon is spawned by splunkd whenever you configure an Active Directory (AD) monitoring input. splunk-admon's purpose is to attach to the nearest available AD domain controller and gather change events generated by AD. Splunk then stores these events in the desired index.
splunk-admon.exe

splunk-perfmon runs when you configure Splunk to monitor performance data on the local machine. This service attaches to the Performance Data Helper libraries, which query the performance libraries on the system and extract performance metrics both instantaneously and over time.
splunk-perfmon.exe

splunk-netmon (new for version 6.0) runs when you configure Splunk to monitor Windows network information on the local machine.
splunk-netmon

splunk-regmon runs when you configure a Registry monitoring input in Splunk. This scripted input initially writes a baseline for the Registry as it currently exists (if desired), then monitors changes to the Registry over time. Those changes come back into Splunk as searchable events.
splunk-regmon.exe

splunk-winevtlog You can use this utility to test defined event log collections, and it outputs events as they are collected for investigation. Splunk has a Windows event log input processor built into the engine. splunk-winhostmon (new for version 6.0) runs when you configure a Windows host monitoring input in Splunk. This scripted input gets detailed information about Windows hosts.
splunk-winhostmon

15

splunk-winprintmon (new for version 6.0) runs when you configure a Windows print monitoring input in Splunk. This scripted input gets detailed information about Windows printers and print jobs on the local system.
splunk-winprintmon

splunk-wmi When you configure a performance monitoring, event log or other input against a remote computer, this program starts up. Depending on how you configure the input, either it attempts to attach to and read Windows event logs as they come over the wire, or it executes a Windows Query Language (WQL) query against the Windows Management Instrumentation (WMI) provider on the specified remote machine(s). Splunk then stores the events.

Architecture diagram

Information on Windows third-party binaries distributed with Splunk


This topic provides additional information on the third-party Windows binaries that the Splunk Enterprise and the Splunk universal forwarder packages include. For more information about Splunk's universal forwarder, read "Deploy the universal forwarder" in the Forwarding Data Manual.

Third-party Windows binaries included with Splunk


The following third-party Windows binaries ship with the Splunk product. Except where indicated, only the Splunk Enterprise product includes these binaries.

16

These binaries provide functionality to Splunk as shown in their individual descriptions. None of them contains file version information or authenticode signatures (certificates which prove the binary file's authenticity). Additionally, Splunk does not provide support for debug symbols related to third-party modules. Note: Only the third party binaries, apps and scripts that ship with Splunk have been tested for Certified for Windows Server 2008 R2 (CFW2008R2) Windows Logo compliance. Any other binaries, apps, or scripts - such as those you download from the Internet in the course of extending Splunk's capabilities - have not been tested for this compliance. Archive.dll Libarchive.dll is a multi-format archive and compression library. Both Splunk Enterprise and the Splunk universal forwarder include this binary. Bzip2.exe Bzip2 is a freely available, patent-free (see below), high-quality data compressor. It typically compresses files to within 10% to 15% of the best available techniques (the PPM family of statistical compressors), whilst being around twice as fast at compression and six times faster at decompression. Jsmin.exe Jsmin.exe is an executable that removes whitespace and comments from JavaScript files, reducing their size. Libexslt.dll Libexslt.dll is the Extensions to Extensible Stylesheet Language Transformation (EXSLT) dynamic link C library developed for libxslt (a part of the GNOME project). Both Splunk Enterprise and the Splunk universal forwarder include this binary. Libxml2.dll Libxml2.dll is the Extensible Markup Language (XML) C parser and toolkit developed for the GNOME project (but usable outside of the GNOME platform),

17

Both Splunk Enterprise and the Splunk universal forwarder include this binary. Libxslt.dll Libxslt.dll is the XML Stylesheet Language for Transformations (XSLT) dynamic link C library developed for the GNOME project. XSLT itself is an XML language to define transformation for XML. Libxslt is based on libxml2 the XML C library developed for the GNOME project. It also implements most of the EXSLT set of processor-portable extensions functions and some of Saxon's evaluate and expressions extensions. Both Splunk Enterprise and the Splunk universal forwarder include this binary. Minigzip.exe Minigzip.exe is the minimal implementation of the ?gzip? compression tool. Openssl.exe The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Both Splunk Enterprise and the Splunk universal forwarder include this binary. Python.exe Python.exe is the Python programming language binary for Windows. Pythoncom.dll Pythoncom.dll is a module that encapsulates the Object Linking and Embedding (OLE) automation API for Python. Pywintypes27.dll Pywintypes27.dll is a module that encapsulates Windows types for Python version 2.7.

18

Step-by-step installation instructions


Now that you've learned what Splunk is and what is needed to install it, you can get detailed installation procedures for your operating system: Windows Windows (from the command line) Linux Solaris Mac OS X FreeBSD AIX HP-UX

Secure your Splunk installation


As soon as you set up and begin using your new Splunk installation or upgrade, you should perform a few additional steps to ensure that Splunk and your data are secure. Taking the proper steps to secure Splunk reduces its attack surface and mitigates the risk and impact of most vulnerabilities. Some key actions you should take after installation: Modify your default passwords. You can easily set your passwords across all servers to lock down your system. Configure secure authentication. We provide guidelines and further instructions for adding SSL encryption and authentication to your configuration. Audit and monitor your system regularly. We offer plenty of ways to monitor and audit your systems. Lock down your network access and configuration. Take a few steps to make your Splunk physically and virtually more secure. Use Access Control Lists (ACLs) to restrict the IPs that access parts of your networks. The Securing Splunk manual provides information about the many ways you can or should secure Splunk. For a checklist of things you should do to harden your Splunk configuration, review the hardening standards in the Securing Splunk manual.

19

Estimate hardware requirements


Hardware capacity planning for your Splunk deployment
Splunk is a flexible product that meets almost any scale and redundancy requirement in the course of its operation. Taking advantage of that flexibility requires careful planning. This chapter discusses high level hardware guidance for Splunk deployments and describes how Splunk uses hardware resources in various situations. Before deciding on your hardware outlay for Splunk: 1. Be sure to review "Components of a Splunk Deployment" in this manual for a description of all of the elements of a Splunk installation. 2. Next, learn about the type of hardware that comprises a "single indexer" by reading "Reference hardware." 3. Finally, read the remaining topics in this chapter to learn how Splunk operations impact performance and how to maximize that performance.

Dimensions of a Splunk deployment


In some cases, a single indexer can handle the load of both searching and indexing. There are scenarios where you must consider adding infrastructure to your Splunk deployment for maximum efficiency and performance. Below is a list of things that significantly impact Splunk's performance: 1. The amount of incoming data. The more data you send to Splunk, the more time Splunk needs to index it into results that you can search, report and generate alerts on. 2. The amount of indexed data. As the amount of data stored in Splunk's index goes up, the server that indexes that data requires additional bandwidth both to store the data and provide results for searches.

20

3. The number of concurrent users. If more than one person at a time uses an instance of Splunk, that instance requires more resources for those users to do searches and create reports and dashboards. 4. The number of saved searches. If you plan on running a lot of saved searches, Splunk needs capacity to perform those searches promptly and efficiently. The more saved searches you run in a given period of time, the more resources are required. 5. The types of search you employ. Almost as important as the number of saved searches is the types of search that you run against a Splunk system. There are several different types of search, each of which affects how the indexer responds to search requests. 6. Whether or not you run Splunk apps. Splunk apps and solutions can have unique performance, deployment, and configuration considerations. If you plan on running apps, make sure you consider the resource requirements of the app(s) you are using. Refer to the installation and deployment section of your app or solution's documentation for additional information. Additionally, read "Hardware capacity planning for a distributed Splunk deployment" to learn how to properly size your environment for an app's increased resource requirements.

How do these dimensions impact overall performance?


Follow the links above to determine how each of the dimensions impacts performance on a reference indexer. While these factors impact the basic sizing requirements of your Splunk deployment on the whole, it's important to understand that addressing each of them individually does not guarantee peak efficiency for your Splunk deployment. You must discover how these factors correlate with one another in your specific application in order to realize maximum performance. For example, if your Splunk deployment calls for a low amount of indexing but has a high number of concurrent users, it has significantly different resource needs than a setup with a low number of concurrent users and a high amount of daily indexing volume. Additionally, as both user count and amount of indexed data rise, you must distribute the environment across multiple servers to maintain a similar performance level. Search types complicate matters further, as some are bound by available CPU resources, and others are bound by the speed of the disk subsystem.

21

When should I scale my Splunk deployment?


To best answer this question you must understand how the above Splunk deployment dimensions apply to your specific use case. Ask yourself these questions, then refer to the performance questionnaire later in this chapter to help ascertain when you should add more hardware resources: How much data do you expect to index daily? How much data do you need to retain? How many users do you expect to search through the data at any one time? Do you plan to use certain specific searches more than once? Do you want or need to use a Splunk app to present or manipulate your data? The key to a well-performing installation is to develop a plan early in the deployment cycle to account for both your initial outlay of hardware resources, as well as the addition of resources when the deployment scales up. You can read about capacity planning for a distributed deployment at "Hardware capacity planning for a distributed Splunk deployment" in the Distributed Deployment Manual.

How incoming data affects Splunk performance


This topic discusses how incoming data impacts Splunk indexing performance. A reference Splunk indexer can index a significant amount of data in a short period of time - up to 5.8 MB of data per second - or 500 GB per day. This is if the server is doing nothing else but consuming data. Performance changes depending on the size and amount of incoming data. Larger events slow down indexing performance. As events increase in size, the indexer uses more system memory to process and index them. If you need more indexing capacity than a single indexer can provide, you must add indexers into the deployment to account for the increased demand.

22

How indexed data impacts Splunk performance


This topic discusses how data that has already been consumed by Splunk affects Splunk performance. Once Splunk consumes data and places it into indexes, those indexes grow, taking up disk space. As the indexes grow and available disk space decreases, Splunk takes more time to index incoming data because the indexer's disk subsystem takes more time to find space to store the data. This impacts search as well. On a single indexer, disk throughput splits between indexing (which is ongoing) and search requests (which are interrupts based on requests scheduled by users.) As indexes grow, search slows down because not only does the disk subsystem need to account for search requests, it also needs to handle increasingly longer requests to store incoming data. Depending on the type of search, those kinds of requests can be very I/O-intensive.

How the number of concurrent users impacts Splunk performance


This topic discusses how the number of concurrent users impacts Splunk's performance on a single indexer. A reference Splunk indexer needs to dedicate one of its available CPU cores for every user that logs into the system. This CPU core only handles the actual session itself. When a user starts searching, each search request takes up an additional CPU core, for as long as the search is active. These figures assume that CPUs are idle when they receive a login or search request. This does not account for other system requests, or CPU cores used by Splunk to index data. If they're processing any other system requests, then the load splits across other available CPUs. As CPU cores get used up, all activities on an indexer slow down as the computer splits processing time between indexing, search, and handling on-line users. At that point, only additional indexers can increase capacity for all three functions of Splunk operation.

23

How saved searches affect Splunk performance


This topic discusses how the number of saved searches - searches that you save to use again at a later time - affect Splunk performance. On a reference Splunk indexer, a saved search consumes about 1 CPU core and a specified amount of memory while it executes. It also increases the amount of disk I/O temporarily as the disk subsystem looks through the indexes to fetch the desired data. Each additional saved search that executes at the same time consumes an additional CPU core. This consumption is separate from CPU usage from the operating system and Splunk indexing and storage processes. If more saved searches execute than can be accepted for processing, they will queue. Splunk also warns you when the system reaches the maximum number of saved searches. When searches queue, search results return more slowly. Adding indexers and search heads provides additional CPU cores to run more concurrent searches. Adding RAM to your existing machines helps with concurrent searches but does not give you additional search capacity.

How search types impact Splunk performance


This topic discusses how the different types of search impact Splunk's overall performance on a single reference indexer. There are four basic types of search that you can invoke against data stored in a Splunk index. Each of these search types impacts the Splunk indexer in a different way. The search types are: Dense. A dense search is a search that returns a large percentage (10% or more) of matching results for a given set of data in a given period of time. A reference server should be able to fetch up to 50,000 matching events per second for a dense search. Dense searches usually tax a server's CPU first, because of the overhead required to decompress the raw data stored in a Splunk index. Sparse. Sparse searches return smaller numbers of results for a given set of data in a given period of time (anywhere from .01 to 1%) than dense searches do. A reference indexer should be able to fetch up to 5,000 matching events per
24

second when executing a sparse search. Super-sparse. A super-sparse search is a "needle in the haystack" search that retrieves only a very small number of results across the same set of data within the same time period as the other searches. A super-sparse search is very I/O intensive because the indexer must look through all of the buckets of an index to find the desired results. This can take up to two seconds per searched bucket. If you have a large amount of data stored on your indexer, there are a lot of buckets, and a super-sparse search can take a very long time to complete. Rare. Rare searches are like super-sparse searches in that they match just a handful of results across a number of index buckets. The major difference with rare searches is that bloom filters - data structures that test whether or not an element is a member of a set - significantly reduce the number of buckets that need to be searched by eliminating those buckets which do not contain events that match the search request. This allows a rare search to complete anywhere from 20 to 100 times faster than a super-sparse search, for the same amount of data searched.

Summary
The following table summarizes the different search types. Note that for dense and sparse searches, Splunk measures performance based on number of matching events, while with super-sparse and rare searches, performance is measured based on total indexed volume. Search type Description Dense searches return a large percentage of results for a given set of data in a given period of time. Sparse searches return a smaller amount of results for a given set of data in a given period of time than dense searches do. Ref. indexer throughput Up to 50,000 matching events per second Up to 5,000 matching events per second Performance impact Generally CPU-bound

Dense

Sparse

Generally CPU-bound

Super-sparse Super-sparse searches return a Up to 2 very small number of results seconds per from each index bucket which index bucket match the search. Depending
25

Primarily I/O bound

on how large the set of data is, these types of search can take a long period of time. Rare searches are similar to super-sparse searches, but are assisted by bloom filters which From 10 to 50 help eliminate index buckets Primarily I/O index buckets that do not match the search bound request. Rare searches return per second results anywhere from 20 to 100 times faster than a super-sparse search does.

Rare

How Splunk apps affect Splunk performance


This topic discusses how Splunk apps impact overall Splunk performance on a single reference indexer. While many apps can run on a single indexer - Splunk actually runs several included with the product - the more things an app does, the more likely you must distribute it across multiple machines. Many apps require a distributed Splunk deployment by design. Whether it's a case of universal forwarders fetching data and sending it to a single central instance, or many indexers and search heads connected together and serving up reports, dashboards, or alerts, Splunk apps often need more than one server to realize both maximum performance and potential in the enterprise.

How Splunk calculates disk storage


This topic discusses how Splunk calculates disk storage. At a high level, Splunk calculates total disk storage as follows:
( Daily average indexing rate ) x ( retention policy ) x 1/2

If you want to base your calculation on the specific type(s) of data that Splunk will index, you can use the method described in "Estimate your storage requirements" in this manual.

26

Splunk stores raw data at up to approximately half its original size due to compression. On a volume that contains 500 GB of usable disk space, this means you can store nearly 6 months' worth of data at an indexing rate of 5 GB/day, or 10 days' worth at a rate of 100 GB/day. If you need additional storage, you can opt for either more local disks (required for frequent searching) or attached or network storage (acceptable for occasional searching). Low-latency connections over NFS or SMB/CIFS (Server Message Block/Common Internet File System) are acceptable for searches over long time periods where instant search returns can be compromised to lower cost per GB. Important: Shares mounted over a Wide Area Network (WAN) connection or on standby storage such as tape are never suitable storage choices for Splunk operations.

Reference hardware
When sizing your Splunk environment's hardware needs, a reference machine helps you understand when it is time to scale and distribute the deployment. Following is an example of such a machine. Refer to this configuration as the standard for the remainder of this chapter. The reference machine described below produces the following index and search performance metrics for a given sample of data: Indexing performance Up to 5.8 megabytes per second (500 GB per day) of raw indexing performance, provided no other Splunk activity is occurring. Search performance Up to 50,000 events per second for dense searches Up to 5,000 events per second for sparse searches Up to 2 seconds per index bucket for super-sparse searches From 10 to 50 buckets per second for rare searches with bloom filters To find out more about the types of searches and how they affect Splunk performance, read "How search types affect Splunk performance" in this manual.

27

Bare-metal hardware
Intel x86 64-bit chip architecture 2 CPUs, 6 cores per CPU (12 cores total), at least 2 Ghz per core 12 GB RAM Standard 1 Gb Ethernet NIC, optional 2nd NIC for a management network Standard 64-bit Linux or Windows distribution Disk subsystem The reference computer's disk subsystem should be capable of handling a high number of averaged Input/Output Operations Per Second (IOPS). IOPS are a measurement of how much data throughput a hard drive can produce. Since a hard drive reads and writes at different speeds, there are IOPS numbers for disk reads and writes. The average IOPS is the blend between those two figures. The more average IOPS a hard drive can produce, the more data it can index and search in a given period of time. While many variable items factor into the amount of IOPS that a hard drive can produce, the three most important elements are: its rotational speed (in revolutions per minute) its average latency (the amount of time it takes to spin its platters half a rotation) its average seek time (the amount of time it takes to retrieve a requested block of data.) To get the most IOPS out of a hard drive, always choose those drives that have high rotational speeds and low average latency and seek times. Every drive manufacturer provides this information (and some provide much more). For additional information on IOPS and how to calculate them, review the following articles: "Getting the hang of IOPS (http://www.symantec.com/connect/articles/getting-hang-iops-v13) on Symantec's Connect Community. "Analyzing I/O performance in Linux (http://www.cmdln.org/2010/04/22/analyzing-io-performance-in-linux) on CMDLN.ORG (A sysadmin blog).

28

For this application, we use eight 146-gigabyte, 15,000 RPM serial-attached SCSI (SAS) HDs in a Redundant Array of Independent Disks (RAID) 1+0 fault tolerance scheme as the disk subsystem. Each hard drive is capable of about 200 average IOPS. The combined array produces a little over 800 IOPS. Important: Splunk is often constrained by disk I/O first, so always consider disk infrastructure first when specifying your hardware.

Virtual hardware
Splunk performs fastest when deployed directly on to bare-metal hardware, as described above. However, Splunk can and does deliver on virtual equipment. What's more, we fully support deploying Splunk on virtual hardware. Using the bare metal hardware as a baseline, Splunk generally indexes data about 30% slower on a virtual machine (VM) than it does on a standard reference machine. Search performance is on par with the real-world hardware. This is a best-case scenario that does not account for resource contention with other active VMs on the same physical server. It also does not take into account certain vendor-specific I/O enhancement techniques (such as Direct I/O or Raw Device Mapping).

Splunk in the cloud


While you can run Splunk in the cloud, there are various concerns that you must be aware of when doing so. In addition to the security concerns of running Splunk in a public cloud, you must also note that performance degrades significantly compared to bare-metal hardware. Using that benchmark as a baseline again, Splunk indexing performance on a cloud-based computer is roughly half that of a real one. Searching suffers, too - results return anywhere from 15 to 20 percent slower than on a physical machine.

Performance questionnaire
Overview
This topic helps you make the choice on whether or not to distribute your Splunk deployment.

29

This questionnaire is for a single-server Splunk deployment based on the reference architecture described in "Reference hardware."

Determine when to scale your Splunk deployment


Before you consider whether or not to scale, estimate how much data you need to index, and whether or not you need more than one concurrent Splunk user to search that data. Depending on how much data you index and how many concurrent users you require, you might need to scale your environment to multiple machines. Even if your indexing amount and user count falls within the capabilities of a single server, you might have to distribute your deployment based on the types of searches you employ, and whether or not you use summary indexes. If you want to run a Splunk app or solution in your Splunk environment, or you create elements that generate a large number of saved searches, you might have to distribute Splunk components across a number of machines. Question 1: Do you want to create or run a Splunk app, alert or solution that executes a large number of saved searches (more than 8 concurrently)? A saved search is a search that a user saves to make available for later use. The number of saved searches - especially those run concurrently - directly impacts a Splunk server's performance. If you answered "NO" to this question, then proceed to Question 2. You don't need to consider scaling your Splunk deployment to multiple machines just yet. However, if you answered "YES" then you should scale your Splunk deployment to multiple machines. Review detailed information on hardware capacity planning for distributed Splunk deployments in "Hardware capacity planning for a distributed Splunk Deployment" in the Distributed Deployment Manual. Question 2: Do you need to index more than 2 GB of data per day? Question 3: Do you need more than 2 users signed in at one time? If the answer to both questions is "NO" then your Splunk instance can safely share one of the reference servers with other services, with the caveat that Splunk must have sufficient disk I/O bandwidth on the shared machine. If you answered "YES" to either question then proceed to Question 4.
30

Note: If you are deploying Splunk on Windows, you must not share full Splunk services on servers that run Microsoft Exchange, Active Directory domain services, or machine virtualization software. This is because those services are often very disk I/O intensive, and can dramatically reduce indexing and search performance. Additionally, you must ensure that any anti-virus software installed on the server does not scan the Splunk installation directory. Question 4: Do you need to index more than 100 GB per day? Question 5: Do you need more than 4 concurrent users? If the answer to both questions is "NO" then a single dedicated Splunk server of our reference architecture should be able to handle your workload. Question 6: Do you need more than 500GB of total storage? Read "How Splunk calculates disk storage" to learn how Splunk calculates disk storage. If the answer to this question is "NO" then a single dedicated reference Splunk server should be able to handle your workload, but you might need to add fast storage to the system to account for the increased space usage. If the answer to this question is "YES" then you should consider scaling your deployment to additional indexers to cope with the increased demand of indexing and searching. Question 7: Do you need to search large quantities of data for a small set (less than 1 per cent) of results? Searches that cover large quantities of data and return small sets of results are known as super-sparse searches. These searches require lots of disk I/O because the indexer must search a number of buckets to find the data you're looking for. If the answer to this question is "NO" then you probably do not need to scale your deployment. However, adding additional indexers does improve both indexing and search performance. If the answer to this question is "YES" then you should definitely consider scaling your deployment up. Read the following section to determine how Splunk calculates storage.

31

Summary of performance recommendations


This topic summarizes the performance recommendations that were given in the performance questionnaire. The table below shows the amount of reference servers that are required to index and search data in Splunk, depending on the number of concurrent users and amounts of data that the instance indexes. As a reminder, the reference hardware is: Intel x86 64-bit chip architecture 2 CPUs, 6 cores per CPU (12 cores total), at least 2 Ghz per core 12 GB RAM Disk subsystem capable of producing 800 IOPS Standard 1Gb Ethernet NIC, optional 2nd NIC for a management network Standard 64-bit Linux or Windows distribution For additional information about the reference server, read "Reference hardware" in this manual. Important: The figures shown in the table below only account for the reference server in question performing a single task, such as either indexing or searching. If a server is performing both actions at the same time, performance can and does degrade depending on the amount of indexing and searching happening at the time. The figures shown here are approximate guidelines only. If you run Splunk apps, have higher indexing volumes, employ multiple or I/O-heavy searches, or need more concurrent users than this table shows, then you should scale your deployment as described in "Hardware capacity planning for a distributed Splunk deployment" in the Distributed Deployment Manual. If you need more guidance, contact Splunk. Daily Indexing Volume < 2 GB/day 2 GB/day to 100 GB/day Number of Concurrent Search Users <2 up to 4 Recommended Indexers 1, shared 1, dedicated 2 Recommended Search Heads N/A N/A 1

100 GB/day to up to 8 200 GB/day

32

Note: For indexing requirements greater than 100 GB per day, or for additional concurrent users, review the hardware capacity requirements in the Distributed Deployment Manual.

Answers
Have questions? Visit Splunk Answers to see what questions and answers other Splunk users had about hardware and Splunk.

33

Install Splunk Enterprise on Windows


Choose the Windows user Splunk should run as
This topic discusses the steps you should take to choose which Windows user Splunk should run as when you install Splunk on Windows. When you run the Splunk Windows installer, it presents you with the option to select the user that Splunk should run as. Splunk strongly recommends you read this topic before installing in order to understand the ramifications of choosing the user type. This topic applies to all versions of Splunk, including Splunk Enterprise and the Splunk universal forwarder. It applies to installing Splunk on Windows only.

The Splunk user you choose depends on what you want Splunk to monitor
The user Splunk runs as determines what it can monitor. The Local System user has access to all data on the local machine, but nothing else. A user other than Local System has access to whatever data you want it to, but you must give the user that access prior to installing Splunk. If you already know that the computer you're installing Splunk on will not access remote Windows data then you can proceed directly to "Install on Windows" in this manual (or, if you want to install using the command prompt, "Install on Windows via the command line.") If there is a possibility that you will need to access remote Windows data, or you are not sure, then read on - this topic contains important information about the user you should install Splunk as.

About the "Local System user" and "other user" choices


The basics The Windows Splunk installer provides two ways to install Splunk: as the "Local System" user, or as another existing user on your Windows computer or network, which you designate.

34

If you intend to do any of the following with Splunk, then you must install Splunk as an "other user": read Event Logs remotely collect performance counters remotely read network shares for log files enumerate the Active Directory schema using Active Directory monitoring Note: This is not an all-inclusive list. The user that you specify must, at a minimum: Be a member of the Active Directory domain or forest you wish to monitor (when using AD). Be a member of the local Administrators group on the server you're installing Splunk on. Have specific user security rights assigned to it prior to installing Splunk. Read "Minimum permissions requirements" later in this topic for specific information. Caution: If the Splunk user does not have these minimum requirements satisfied, Splunk installation might fail. In this case, even if Splunk installation succeeds, Splunk might not run correctly, or at all. The Splunk user also has unique password constraints - read "Splunk user accounts and password concerns" later in this topic for specifics. If you're not sure which user Splunk should run as, then review "Considerations for deciding how to monitor remote Windows data" in the Getting Data In Manual for additional information on how to configure the Splunk user with the access it needs. Splunk user accounts and password concerns Another important issue that arises when you install Splunk with a user account is that any active password enforcement policy controls the password's validity. If your network enforces password changes, you must consider these things: Before the password expires, change it, reconfigure Splunk services on every machine to use the changed password, and then restart Splunk. Configure the account so that its password never expires. Use a managed service account (read "Use managed service accounts on Windows Server 2008 and Windows 7" later in this topic).
35

Use managed service accounts on Windows Server 2008, Windows Server 2012 and Windows 7 If you run Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows 7 in Active Directory, and your AD domain has at least one Windows Server 2008 R2 or Server 2012 domain controller, you can install Splunk to run as a managed service account (MSA). The major benefits of using a MSA are: Increased security from the isolation of accounts for services. Administrators no longer need to manage the credentials or administer the accounts. This means that, among other things, passwords automatically change after they expire, and you do not have to manually set passwords or restart services associated with these accounts. Administrators can delegate the administration of these accounts to non-administrators. Some important things to understand before installing Splunk with a MSA are: The MSA requires the same permissions as a domain account on the machine that runs Splunk. The MSA must be a local administrator on the machine that runs Splunk. You cannot use the same account on different computers, as you would with a domain account. You must correctly configure and install the MSA on the machine that runs Splunk before you install Splunk on the machine. For information and instructions on how to do this, review "Service Accounts Step-by-Step Guide" (http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx) on MS Technet. To install Splunk using a MSA, read "Prepare your Windows network for a Splunk installation as a network or domain user" in this manual.

Security and remote access considerations


Minimum permissions requirements If you choose to install Splunk as a domain user, then there are a minimum number of permissions required on the server that runs Splunk.

36

The following is a list of the minimum user rights and permissions that the splunkd, splunkweb, and splunkforwarder services require when Splunk is installed using a domain user. Depending on the sources of data you want to monitor, the Splunk user might need a significant amount of additional permissions.
Required basic permissions for the splunkd or splunkforwarder services

Full control over Splunk's installation directory Read access to any flat files you want to index
Required Local/Domain Security Policy user rights assignments for the splunkd or splunkforwarder services

Permission to log on as a service Permission to log on as a batch job Permission to replace a process-level token Permission to act as part of the operating system Permission to bypass traverse checking Important: Failure to assign these permissions to the Splunk user prior to installation can result in a failed Splunk install, or an installation which does not function correctly, or at all.
Required basic permissions for the splunkweb service

Full control over Splunk's installation directory


Required Local/Domain Security Policy user rights assignments for the splunkweb service

Permission to log on as a service Note: Splunk does not require these permissions when it runs as the Local System account.

How to assign these permissions


This section contains high-level concepts on how to assign the appropriate user rights and permissions to the Splunk service account before attempting to install. For step-by-step instructions, read "Prepare your Windows network for a Splunk installation as a network or domain user" in this manual.

37

Use Group Policy to assign rights to multiple machines If you want to assign the policy settings shown above to a number of workstations and servers in your AD domain or forest, you can define a Group Policy object (GPO) with these specific rights, and deploy that GPO across the domain. Read "Prepare your Active Directory to run Splunk services as a domain account" in this manual for specific instructions. Once you've created and enabled the GPO, the workstations and servers in your domain will pick up the changes either during the next scheduled AD replication cycle (usually every 1 1/2 to 2 hours) or at the next boot time. Alternatively, you can force AD replication using the GPUPDATE command line utility on the server on which you want to update Group Policy. When setting user rights, remember that rights assigned by a GPO override identical Local Security Policy rights on a machine, and you can't change this setting. If you wish to retain previously existing rights that are explicitly defined through Local Security Policy on a machine, you must also assign these rights within the GPO. Troubleshoot permissions issues The rights described above are the rights that the splunkd, splunkweb, and splunkforwarder services specifically require. Other rights might be needed, depending on your usage and what data you want to access. Additionally, many user rights assignments and other Group Policy restrictions can prevent Splunk from running. If you have issues, consider using a tool such as Process Monitor or GPRESULT to troubleshoot GPO application in your environment.

Prepare your Windows network for a Splunk installation as a network or domain user
The following procedures detail the steps you must take to prepare your Windows network to allow for Splunk installation as a network or domain user other than the "Local System" user. Important: Do not perform these instructions if you plan to install Splunk Enterprise or universal forwarder as the "Local System" user. The instructions shown here have been tested for Windows Server 2008 R2 and Windows Server 2012, and might differ slightly for other versions of Windows.
38

Caution: These instructions require full administrative access to the computer and/or Active Directory domain you want to prepare for Splunk operations. Do not attempt to perform this procedure without this access. Additionally, the rights you assign using these instructions are the minimum rights required for a successful Splunk installation. You might need to assign additional rights, either within the Local Security Policy or Group Policy object (GPO), or to the user and group accounts you create, in order for Splunk to access the data you want.

Prepare Active Directory for Splunk installation as a domain user


The following instructions guide you through preparing your Active Directory to allow for installations of Splunk Enterprise or the Splunk universal forwarder as a domain account. Splunk recommends that you follow Microsoft's Best Practices (http://technet.microsoft.com/en-us/library/bb727085.aspx) when creating users and groups. This typically involves creating a specific Organizational Unit for groups within the organization. These instructions assume the following: You are running Active Directory. You are a domain administrator for the AD domain(s) you want to configure. The computer(s) you plan to install Splunk on are members of the AD domain. Create groups 1. Run the Active Directory Users and Computers tool by selecting Start > Administrative Tools > Active Directory Users and Computers. 2. Once the program loads, select the domain that you want to prepare for Splunk operations. 3. Double-click an existing appropriate container folder to open it, or create a new Organization Unit by selecting New > Group from the Action menu. 4. From the Action menu, select New > Group.
39

5. In the dialog that appears, type in a name that represents Splunk user accounts, for example, "Splunk Accounts". Ensure that the Group scope is set to Domain Local, and Group type is set to Security. 6. Click OK to create the group. 7. Create a second group and specify a name that represents Splunk-enabled computers, for example, "Splunk Enabled Computers". This group will contain computer accounts that get assigned the appropriate permissions to run Splunk as a domain user. Ensure that the Group scope is set to Domain Local, and Group type is set to Security. Assign users and computers to groups If you have not already created the user account(s) that you want to use to run Splunk, now is a good time to do so. Be sure to follow Microsoft's Best Practices for creating users and groups if you do not have your own internal policy. Once you have created the user account(s), add the account(s) to the Splunk Accounts group, and add the computer accounts of the computers that will run Splunk to the Splunk Enabled Computers group. After you have done this, you can exit Active Directory Users and Computers. Define a Group Policy object (GPO) 1. Run the Group Policy Management Console (GPMC) tool by selecting Start > Administrative Tools > Group Policy Management. 2. In the tree view pane on the left, select Domains. 3. Click the Group Policy Objects folder. 4. In the Group Policy Objects in <your domain> folder, right-click and select New from the menu that pops up. 5. In the New GPO dialog, type in a name that represents the fact that the GPO will assign user rights to the servers you apply it to, for example, "Splunk Access."
40

Leave the Source Starter GPO field set to "(none)". 6. Click OK to save the GPO. Add rights to the GPO 1. While still in the GPMC, right-click on the newly created group policy object and select Edit from the pop-up menu that appears. 2. In the Group Policy Management Editor that appears, in the left pane, browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. a. In the right pane, double-click on the Act as part of the operating system entry. b. In the window that opens, check the Define these policy settings checkbox. c. Click Add User or Group? d. In the dialog that opens, click Browse? e. In the Select Users, Computers, Service Accounts, or Groups dialog that opens, type in the name of the "Splunk Accounts" group you created earlier, then click Check Names? Windows underlines the name if it is valid. Otherwise it tells you that it cannot find the object and prompts you for an object name again. f. Click OK to close the "Select Users?" dialog. g. Click OK again to close the "Add User or Group" dialog. h. Click OK again to close the rights properties dialog. 3. Repeat Steps 2a-2h for the following additional rights: Bypass traverse checking Log on as a batch job Log on as a service Replace a process-level token
41

4. While still in the Group Policy Management Editor window, in the left pane, browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups. a. In the right pane, right-click and select Add Group? in the pop-up menu that appears. b. In the dialog that appears, type in Administrators and click OK. c. In the properties dialog that appears, click the Add button next to Members of this group:. d. In the Add Member dialog that appears, click Browse?" e. In the Select Users, Computers, Service Accounts, or Groups dialog that opens, type in the name of the "Splunk Accounts" group you created earlier, then click Check Names? Windows underlines the name if it is valid. Otherwise it tells you that it cannot find the object and prompts you for an object name again. f. Click OK to close the Select Users? dialog. g. Click OK again to close the "Add User or Group" dialog. h. Click OK again to close the group properties dialog. 5. Close the Group Policy Management Editor window to save the GPO. Restrict GPO application to select computers 1. While still in the GPMC, in the GPMC's left pane, select the GPO you created and added rights to, if it is not already selected. GPMC displays information about the GPO in the right pane. 2. In the right pane, under Security Filtering, click Add? 3. In the Select User, Computer, or Group dialog that appears, type in "Splunk Enabled Computers" (or the name of the group that represents Splunk-enabled computers that you created earlier.)

42

4. Click Check Names. If the group is valid, Windows underlines the name. Otherwise, it tells you it cannot find the object and prompts you for an object name again. 5. Click OK to return to the GPO information window. 6. Repeat Steps 2-5 to add the "Splunk Users" group (the group that represents Splunk user accounts that you created earlier.) 7. Under Security Filtering, click the Authenticated Users entry to highlight it. 8. Click Remove. GPMC removes the "Authenticated Users" entry from the "Security Filtering" field, leaving only "Splunk Users" and "Splunk Enabled Computers." Apply the GPO 1. While still in the GPMC, in the GPMC's left pane, select the domain that you want to apply the GPO you created. 2. Right click on the domain, and select Link an Existing GPO? in the menu that pops up. 3. In the Select GPO dialog that appears, select the GPO you created and edited, and click OK. GPMC applies the GPO to the selected domain. 4. Close GPMC by selecting File > Exit from the GPMC menu. Note: Active Directory controls when Group Policy updates occur and GPOs get applied to computers in the domain. Typically, replication happens every 90-120 minutes. You must wait this amount of time before attempting to install Splunk as a domain user. Alternatively, you can force a Group Policy update by running GPUPDATE /FORCE from a command prompt on the computer on which you want to update Group Policy. Install Splunk with a managed system account Alternatively, you can install Splunk with a managed system account. Follow these instructions to do so: 1. Create and configure the MSA that you plan to use to monitor Windows data.
43

Note: You can use the instructions in "Prepare your Active Directory to run Splunk services as a domain account" earlier in this topic to assign the MSA the appropriate security policy rights and group memberships. 2. Install Splunk from the command line as the "Local System" user. Important: You must install Splunk from the command line and use the LAUNCHSPLUNK=0 flag to keep Splunk from starting after installation is completed. 3. After installation is complete, use the Windows Explorer or the ICACLS command line utility to grant the MSA "Full Control" permissions to the Splunk installation directory and all its sub-directories. Note: You might need to break NTFS permission inheritance from parent directories above the Splunk installation directory and explicitly assign permissions from that directory and all subdirectories. 4. Follow the instructions in the topic "Correct the user selected during Windows installation" in this manual to change the default user for Splunk's service account. In this instance, the correct user is the MSA you configured prior to installing Splunk. Important: You must append a dollar sign ($) to the end of the username when completing Step 4 in order for the MSA to work properly. For example, if the MSA is SPLUNKDOCS\splunk1, then you must enter SPLUNKDOCS\splunk1$ in the appropriate field in the properties dialog for the service. You must do this for both the splunkd and splunkweb services. 5. Confirm that the MSA has the "Log on as a service" right. Note: If you use the Services control panel to make the service account changes, Windows grants this right to the MSA automatically. 6. Start Splunk. Splunk will run as the MSA configured above, and will have access to all data that the MSA has access to.

Prepare a local machine or non-AD network for Splunk installation


If you are not using Active Directory, follow these instructions to give administrative access to the user you want Splunk to run as on the computers you want to install Splunk on.
44

1. Give the user Splunk should run as administrator rights by adding the user to the local Administrators group. 2. Start Local Security Policy by selecting Start > Administrative Tools > Local Security Policy. Local Security Policy launches and displays the local security settings. 3. In the left pane, expand Local Policies and then click User Rights Assignment. a. In the right pane, double-click on the Act as part of the operating system entry. b. Click Add User or Group? c. In the dialog that opens, click Browse? d. In the Select Users, Computers, Service Accounts, or Groups dialog that opens, type in the name of the "Splunk Computers" group you created earlier, then click Check Names... Windows underlines the name if it is valid. Otherwise it tells you that it cannot find the object and prompts you for an object name again. e. Click OK to close the "Select Users?" dialog. f. Click OK again to close the "Add User or Group" dialog. g. Click OK again to close the rights properties dialog. 4. Repeat Steps 3a-3g for the following additional rights: Bypass traverse checking Log on as a batch job Log on as a service Replace a process-level token Once you have completed these steps, you can then install Splunk as the desired user.

45

Install on Windows
This topic describes the procedure for installing Splunk on Windows with the Graphical User Interface (GUI)-based installer. More options (such as silent installation) are available if you install from the command line. Important: Running the 32-bit version of Splunk for Windows on a 64-bit Windows system is not recommended. If you attempt to run the 32-bit installer on a 64-bit system, the installer will warn you of this. We strongly recommend that you run 64-bit Splunk on 64-bit hardware. The performance is greatly improved over the 32-bit version. Note: If you want to install the Splunk universal forwarder, see the Forwarding Data manual: "Universal forwarder deployment overview". Unlike Splunk heavy and light forwarders, which are full Splunk instances with some features changed or disabled, the universal forwarder is an entirely separate executable, with its own set of installation procedures. For an introduction to forwarders, see "About forwarding and receiving", also in the Forwarding Data Manual.

Upgrading?
If you are upgrading Splunk Enterprise, review "How to upgrade Splunk" for instructions and migration considerations before proceeding. In particular, be aware that Splunk does not support changing the management or HTTP ports during an upgrade.

Before you install


Choose the Windows user Splunk should run as Before installing, be sure to read "Choose the Windows user Splunk should run as" to determine which user account Splunk should run as to address your specific needs. The user you choose has specific ramifications on what you need to do prior to installing the software, and more details can be found there. Splunk for Windows and anti-virus software Splunk's indexing subsystem requires lots of disk throughput. Any software with a device driver that intermediates between Splunk and the operating system can rob Splunk of processing power, causing slowness and even an unresponsive
46

system. This includes anti-virus software. It's extremely important to configure such software to avoid on-access scanning of Splunk installation directories and processes, before starting a Splunk installation.

Install Splunk via the GUI installer


The Windows installer is an MSI file. 1. To start the installer, double-click the splunk.msi file. The installer runs and displays the Welcome panel. 2. To begin the installation, click Next. Note: On each panel, you can click Next to continue, Back to go back a step, or Cancel to cancel the installation and quit the installer. The installer displays the licensing panel. 3. Read the licensing agreement and select "I accept the terms in the license agreement". Click Next to continue installing. The installer displays the Destination Folder panel. Note: By default, Splunk gets installed into \Program Files\Splunk on the system drive. Splunk's installation directory is referred to as $SPLUNK_HOME or %SPLUNK_HOME% throughout this documentation set. 4. Click Change... to specify a different location to install Splunk, or click Next to accept the default value. The installer displays the Logon Information panel. Splunk installs and runs two Windows services, splunkd and splunkweb. These services install and run as the user you specify on this panel. You can choose to run Splunk as the Local System user, or another user. Important: If you choose to run Splunk as another user, that user must: Be a member of an Active Directory domain (you cannot install Splunk as a local machine account other than the Local System account)
47

Have local administrator privileges on the machine which you are performing the installation, and Have specific user rights, and other additional permissions, depending on the kinds of data you want to collect from remote machines. Read "Choose the Windows user Splunk should run as" for additional information on these permissions and rights requirements. If you have not read the above linked topic beforehand, then stop the installation now and read that topic first. 5. Select a user type and click Next. If you selected the Local System user, proceed to Step 7. Otherwise, the installer displays the Logon Information: specify a username and password panel. 6. Specify a username and password to install and run Splunk and click Next. Note: This must be a valid user in your security context, and must be an active member of an Active Directory domain. Splunk cannot start without a valid username and password, nor can it start with a machine account that is not the Local System account. The installer displays the installation summary panel. 7. Click Install to proceed. The installer runs and displays the Installation Complete panel. Caution: If you specified the wrong user during the installation procedure, you will see two pop-up error windows explaining this. If this occurs, Splunk installs itself as the local system user by default. Splunk does not start automatically in this situation. You can proceed through the final panel of the installation, but uncheck the "Launch browser with Splunk" checkbox to prevent your browser from launching. Then, use these instructions to switch to the correct user before starting Splunk. 8. If desired, check the boxes to Launch browser with Splunk and Create Start Menu Shortcut now. Click Finish. The installation completes, Splunk starts, and Splunk Web launches in a supported browser if you checked the appropriate box.

48

Note: The first time you access Splunk Web after installation, login with the default username admin and password changeme. Do not use the username and password you provided during the installation process.

Launch Splunk in a Web browser


To access Splunk Web after you start Splunk on your machine, you can either: Click the Splunk icon in Start > Programs > Splunk or Open a Web browser and navigate to http://localhost:8000. Log in using the default credentials: username: admin and password: changeme. The first time you log into Splunk successfully, you'll be prompted right away to change your password. You can do so by entering a new password and clicking the Change password button, or you can do it later by clicking the Skip button. Note: If you do not change your password, remember that anyone who has access to the machine can access your Splunk instance. Be sure to change the admin password as soon as possible and make a note of what you changed it to. Avoid IE Enhanced Security pop-ups If you're using Internet Explorer to access Splunk, add the following URLs to the allowed Intranet group or fully trusted group to avoid getting "Enhanced Security" pop-ups: quickdraw.splunk.com the URL of your Splunk instance

Change the Splunk Web or splunkd service ports


If you want the Splunk Web service or the splunkd service to use a different port, you can change the defaults. To change the splunk web service port: Open a command prompt. Change to the %SPLUNK_HOME%\bin directory. Type in splunk set web-port #### and press Enter.
49

To change the splunkd port: Open a command prompt, if one isn't already. Change to the %SPLUNK_HOME%\bin directory. Type in splunk set splunkd-port #### and press Enter. Note: If you specify a port and that port is not available, or if the default port is unavailable, Splunk will automatically select the next available port.

Install or upgrade license


If you are performing a new installation of Splunk or switching from one license type to another, you must install or update your license.

What's next?
Now that you've installed Splunk, you can find out what comes next, or you can review these topics in the Getting Data In Manual for information on adding Windows data to Splunk: Monitor Windows Event Log data Monitor Windows Registry data Monitor WMI-based data Considerations for deciding how to monitor remote Windows data.

Install on Windows via the command line


This topic describes the procedure for installing Splunk on Windows from the command line. Before installing, be sure to read "Choose the Windows user Splunk should run as" to determine which user account Splunk should run as to address your specific needs. Important: Running the 32-bit version of Splunk for Windows on a 64-bit Windows system is not recommended. If you run the 32-bit installer on a 64-bit system, the installer will warn you about this. We strongly recommend that you run 64-bit Splunk on 64-bit hardware. The performance is greatly improved over the 32-bit version. Note: If you want to install the Splunk universal forwarder, see the Forwarding Data manual: "Universal forwarder deployment overview". Unlike Splunk heavy
50

and light forwarders, which are full Splunk instances with some features changed or disabled, the universal forwarder is an entirely separate executable, with its own set of installation procedures. For an introduction to forwarders, see "About forwarding and receiving", also in the Forwarding Data Manual.

When to install from the command line?


You can manually install Splunk on individual machines from a command prompt or PowerShell window. Here are some scenarios where installing from the command line is useful: You want to install Splunk, but don't want it to start right away. You want to automate installation of Splunk with a script. You want to install Splunk on a system that you will clone later. You want to use a deployment tool such as Group Policy or System Center Configuration Manager.

Upgrading?
If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding. In particular, be aware that Splunk does not support changing the management or HTTP ports during an upgrade.

Before you install


Choose the Windows user Splunk should run as Before installing, be sure to read "Choose the Windows user Splunk should run as" to determine which user account Splunk should run as to address your specific data collection needs. The user you choose has specific ramifications on what you need to do prior to installing the software, and more details can be found there. Splunk for Windows and anti-virus software Splunk's indexing subsystem requires lots of disk throughput. Anti-virus software - or any software with a device driver that intermediates between Splunk and the operating system - can rob Splunk of processing power, causing slowness and even an unresponsive system.

51

It's extremely important to configure such software to avoid on-access scanning of Splunk installation directories and processes, before starting a Splunk installation.

Install Splunk from the command line


You can install Splunk from the command line by invoking msiexec.exe. For 32-bit platforms, use splunk-<...>-x86-release.msi:

msiexec.exe /i splunk-<...>-x86-release.msi [<flag>]... [/quiet]

For 64-bit platforms, use splunku-<...>-x64-release.msi:

msiexec.exe /i splunk-<...>-x64-release.msi [<flag>]... [/quiet]

The value of <...> varies according to the particular release; for example, splunk-5.0-125454-x64-release.msi. Command line flags allow you to configure Splunk at installation time. Using command line flags, you can specify a number of settings, including: Which Windows event logs to index. Which Windows Registry hive(s) to monitor. Which Windows Management Instrumentation (WMI) data to collect. The user Splunk runs as (Important: Read "Choose the Windows user Splunk should run as" for information on what type of user you should install your Splunk instance with.) An included application configuration for Splunk to enable (such as the Splunk light forwarder.) Whether or not Splunk should start up automatically when the installation is completed. Note: The first time you access Splunk Web after installation, log in with the default username admin and password changeme.

Supported flags
The following is a list of the flags you can use when installing Splunk for Windows via the command line.

52

Important: The Splunk universal forwarder is a separate executable, with its own installation flags. Review the supported installation flags for the universal forwarder in "Deploy a Windows universal forwarder from the command line" in the Forwarding Data manual. Flag
AGREETOLICENSE=Yes|No

What it's for Use this flag to agree to the EULA. This No flag must be set to Yes for a silent installation. Use this flag to specify directory to install. Splunk's installation directory is referred to as $SPLUNK_HOME or %SPLUNK_HOME% throughout this documentation set. Use these flags to specify alternate ports for splunkd and splunkweb to use.

Default

INSTALLDIR="<directory_path>"

C:\Program Files\Splunk

SPLUNKD_PORT=<port number>

Note: If you specify a port and that port 8089 is not available, Splunk will automatically select the next available port. Use these flags to specify alternate ports for splunkd and splunkweb to use.

WEB_PORT=<port number>

Note: If you specify a port and that port 8000 is not available, Splunk will automatically select the next available port. Use these flags to specify whether or not Splunk should index a particular Windows event log: Application log Security log System log Forwarder log Setup log
53
0

(off)

WINEVENTLOG_APP_ENABLE=1/0 WINEVENTLOG_SEC_ENABLE=1/0 WINEVENTLOG_SYS_ENABLE=1/0 WINEVENTLOG_FWD_ENABLE=1/0 WINEVENTLOG_SET_ENABLE=1/0

Note: You can specify multiple flags. Use this flag to specify whether or not Splunk should index events from
REGISTRYCHECK_U=1/0 REGISTRYCHECK_BASELINE_U=1/0

capture a baseline snapshot of the Windows Registry user hive (HKEY_CURRENT_USER). Note: You can set both of these at the same time. Use this flag to specify whether or not Splunk should index events from

(off)

REGISTRYCHECK_LM=1/0 REGISTRYCHECK_BASELINE_LM=1/0

capture a baseline snapshot of the Windows Registry machine hive (HKEY_LOCAL_MACHINE). Note: You can set both of these at the same time. Use these flags to specify which popular WMI-based performance metrics Splunk should index: CPU usage Local disk usage Free disk space Memory statistics Caution: If you need this instance of Splunk to monitor remote Windows data, then you must also specify the LOGON_USERNAME and LOGON_PASSWORD
54

(off)

(off)

WMICHECK_CPUTIME=1/0 WMICHECK_LOCALDISK=1/0 WMICHECK_FREEDISK=1/0 WMICHECK_MEMORY=1/0

installation flags. Splunk can not collect any remote data that it does not have explicit access to. Additionally, the user you specify requires specific rights, administrative privileges, and additional permissions, which you must configure before installation. Read "Choose the Windows user Splunk should run as" in this manual for additional information about the required credentials. There are many more WMI-based metrics that Splunk can index. Review "Monitor WMI Data" in the Getting Data In Manual for specific information. Use these flags to provide domain\username and password information for the user that Splunk will run as. The splunkd and splunkweb services are configured with these credentials. For the LOGON_USERNAME flag, you must specify the domain with LOGON_USERNAME="<domain\username>" the username in the format none "domain\username." LOGON_PASSWORD="<pass>" These flags are required if you want this Splunk installation to monitor any remote data. Review "Choose the Windows user Splunk should run as" in this manual for additional information about which credentials to use.
SPLUNK_APP="<SplunkApp>"

Use this flag to specify an included none Splunk application configuration to enable for this installation of Splunk. Currently supported options for <SplunkApp> are: SplunkLightForwarder and SplunkForwarder. These specify that this instance of Splunk will function as a light forwarder or heavy forwarder, respectively. Refer to the "About forwarding and receiving" topic in the
55

Forwarding Data manual for more information. Important: The full version of Splunk does not enable the universal forwarder. The universal forwarder is a separate downloadable executable, with its own installation flags. Note: If you specify either the Splunk forwarder or light forwarder here, you must also specify FORWARD_SERVER="<server:port>". To install Splunk with no applications at all, simply omit this flag. Use this flag *only* when you are also using the SPLUNK_APP flag to enable either the Splunk heavy or light forwarder. Specify the server and port of the Splunk server to which this forwarder will send data. Important: This flag requires that the SPLUNK_APP flag also be set. Use this flag to specify a deployment server for pushing configuration updates. Enter the deployment server's none name (hostname or IP address) and port. Use this flag to specify whether or not Splunk should start up automatically on system boot.
LAUNCHSPLUNK=0/1

FORWARD_SERVER="<server:port>"

none

DEPLOYMENT_SERVER="<host:port>"

Important: If you enable the Splunk Forwarder by using the SPLUNK_APP flag, the installer configures Splunk to start automatically, and ignores this flag. Use this flag to specify whether or not the installer should create a shortcut to Splunk on the desktop and in the Start
56

(on)

INSTALL_SHORTCUT=0/1

(on)

Menu.

Silent installation
To run the installation silently, add /quiet to the end of your installation command string. If your system is running UAC (which is sometimes on by default) you must run the installation as Administrator. To do this: when opening a cmd prompt, right click and select "Run As Administrator". Then use this cmd window to run the silent install command.

Examples
The following are some examples of using different flags. Silently install Splunk to run as the Local System user

msiexec.exe /i Splunk.msi /quiet

Enable SplunkForwarder and specify credentials for the user Splunk will run as
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" LOGON_USERNAME="AD\splunk" LOGON_PASSWORD="splunk123"

Enable SplunkForwarder, enable indexing of the Windows System event log, and run the installer in silent mode
msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>" WINEVENTLOG_SYS_ENABLE=1 /quiet

Where "<server:port>" are the server and port of the Splunk server to which this machine should send data.

Launch Splunk in a Web browser


To access Splunk Web after you start Splunk on your machine, you can either: Click the Splunk icon in Start>Programs>Splunk or Open a Web browser and navigate to http://localhost:8000.
57

Log in using the default credentials: username: admin and password: changeme . Be sure to change the admin password as soon as possible and make a note of what you changed it to. Now that you've installed Splunk, you can find out what comes next.

Avoid IE Enhanced Security pop-ups


To avoid IE Enhanced Security pop-ups, add the following URLs to the allowed Intranet group or fully trusted group in IE: quickdraw.splunk.com the URL of your Splunk instance

Install or upgrade license


If you are performing a new installation of Splunk or switching from one license type to another, you must install or update your license.

What's next?
Now that you've installed Splunk, what comes next? You can also review this topic about considerations for deciding how to monitor Windows data in the Getting Data In manual.

Correct the user selected during Windows installation


If you have selected "other user" during the Windows GUI installation, and that user does not exist or perhaps you mistyped the information, you can go into the Windows Service Control Manager and specify the correct information, as long as you have not started Splunk yet. If you have started Splunk, you must stop it, uninstall it and reinstall it. If you specified an invalid user during the Windows GUI installation process, you will see two popup error windows. To change the user:

58

1. In Control Panel > Administrative Tools > Services, find the splunkd and splunkweb services. You'll notice that they are not started and are currently owned by the Local System User. 2. Right click on each service and choose Properties. The properties dialog for that service is displayed. 3. Select the Log On tab. 4. Select the This account radio button and fill in the correct domain\username and password. 5. Click Apply. 6. Click OK. 7. Repeat Steps 2 through 6 for the second service (you must do this for both splunkd and splunkweb). 8. You can now either start both services from the Service Manager or from the Splunk command line interface.

59

Install Splunk Enterprise on Unix, Linux or Mac OS X


Install on Linux
You can install Splunk on Linux using RPM or DEB packages, or a tar file. Note: If you want to install the Splunk universal forwarder, see the Forwarding Data manual: "Universal forwarder deployment overview". Unlike Splunk heavy and light forwarders, which are full Splunk instances with some features changed or disabled, the universal forwarder is an entirely separate executable, with its own set of installation procedures. For an introduction to forwarders, see "About forwarding and receiving". Upgrading? If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding.

RedHat RPM install


To install the Splunk RPM in the default directory /opt/splunk:

rpm -i splunk_package_name.rpm

To install Splunk in a different directory, use the --prefix flag:

rpm -i --prefix=/opt/new_directory splunk_package_name.rpm

To upgrade an existing Splunk installation that resides in /opt/splunk using the RPM:

rpm -U splunk_package_name.rpm

To upgrade an existing Splunk installation that was done in a different directory, use the --prefix flag:

60

rpm -U --prefix=/opt/existing_directory splunk_package_name.rpm

Note: If you do not specify with --prefix for your existing directory, rpm will install in the default location of /opt/splunk. For example, to upgrade to the existing directory of $SPLUNK_HOME=/opt/apps/splunk enter the following:

rpm -U --prefix=/opt/apps splunk_package_name.rpm

If you want to automate your RPM install with kickstart, add the following to your kickstart file:

./splunk start --accept-license ./splunk enable boot-start

Note: The second line is optional for the kickstart file.

Debian DEB install


To install the Splunk DEB package:

dpkg -i splunk_package_name.deb

Note: You can only install the Splunk DEB package in the default location, /opt/splunk.

Tar file install


To install Splunk on a Linux system, expand the tarball into an appropriate directory using the tar command:

tar xvzf splunk_package_name.tgz

The default install directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

tar xvzf splunk_package_name.tgz -C /opt

61

Note: When you install Splunk with a tarball: Some non-GNU versions of tar might not have the -C argument available. In this case, if you want to install in /opt/splunk, either cd to /opt or place the tarball in /opt before running the tar command. This method will work for any accessible directory on your machine's filesystem. Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually before installing. Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

What gets installed


Splunk package status:

dpkg --status splunk

List all packages:

dpkg --list

Start Splunk
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information. To start Splunk from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):

./splunk start

By convention, this document uses: $SPLUNK_HOME to identify the path to your Splunk installation. $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

62

Startup options The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

$SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option. Launch Splunk Web and log in After you start Splunk and accept the license agreement, 1. In a browser window, access Splunk Web at http://<hostname>:port. hostname is the host machine. port is the port you specified during the installation (the default port is 8000). 2. Splunk Web prompts you for login information (default, username admin and password changeme) before it launches. If you switch to Splunk Free, you will bypass this logon page in future sessions.

What's next?
Now that you've installed Splunk, what comes next?

Uninstall Splunk Enterprise


To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in this manual.

Install on Solaris
You can install Splunk on Solaris with a PKG packages, or a tar file. Upgrading? If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding.
63

Install Splunk
Splunk for Solaris is available as a PKG file or a tar file. PKG file install The PKG installation package includes a request file that prompts you to answer a few questions before Splunk installs.

pkgadd -d ./splunk_product_name.pkg

A list of the available packages is displayed. Select the packages you wish to process (the default is "all"). The installer then prompts you to specify a base installation directory. To install into the default directory, /opt/splunk, leave this blank. PKG file upgrade To upgrade an existing Splunk installation using a PKG file, you should use the instance parameter, either in the system's default package installation configuration file (/var/sadm/install/admin/default) or in a custom configuration file that you define and call. In the default or custom configuration file, set instance=overwrite. This will prevent the upgrade from creating a second splunk package (with instance=unique), or failing (with instance=quit). For information about the instance parameter, see the Solaris man page (man -s4 admin). To upgrade Splunk using the system's default package installation file, use the same command line as you would for a fresh install.

pkgadd -d

./splunk_product_name.pkg

You will be prompted to overwrite any changed files, answer yes to every one. To upgrade using a custom configuration file, type:

pkgadd -a conf_file -d ./splunk_product_name.pkg

64

To run the upgrade silently (and not have to answer yes for every file overwrite), type:

pkgadd -n -d

./splunk_product_name.pkg

tar file install To install Splunk on a Solaris system, expand the tarball into an appropriate directory using the tar command:

tar xvzf splunk_package_name.tar.Z

The default install directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

tar xvzf splunk_package_name.tar.Z -C /opt

Note: When you install Splunk with a tar file: Some non-GNU versions of tar might not have the -C argument available. In this case, if you want to install in /opt/splunk, either cd to /opt or place the tarball in /opt before running the tar command. This method will work for any accessible directory on your machine's filesystem. If the gzip binary is not present on your system, you can use the uncompress command instead. Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually before installing. Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

What gets installed


Splunk package info:

pkginfo -l splunk

List all packages:

65

pkginfo

Start Splunk
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. For more information, refer to the instructions on running Splunk as a non-root user. To start Splunk from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):

./splunk start

By convention, Splunk's documentation uses: $SPLUNK_HOME to identify the path to your Splunk installation. $SPLUNK_HOME/bin/ to indicate the location of the command line interface. Startup options The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

$SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option. Launch Splunk Web and log in After you start Splunk and accept the license agreement, 1. In a browser window, access Splunk Web at http://mysplunkhost:port, where: mysplunkhost is the host machine. port is the port you specified during the installation (8000). 2. Splunk Web prompts you for login information (default, username admin and password changeme) before it launches. If you switch to Splunk Free, you will
66

bypass this logon page in future sessions.

What's next?
Now that you've installed Splunk, what comes next?

Uninstall Splunk Enterprise


To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in this manual.

Install on Mac OS
You can install Splunk on Mac OS X using a DMG package, or a tar file. Upgrading? If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding.

Installation options
The Mac OS build comes in two forms: a DMG package and a tar file. Below are instructions for the: Graphical (basic) and command line installs using the DMG file. tar file install. Note: if you require two installations in different locations on the same host, use the tar file. The pkg installer cannot install a second instance. If one exists, it will remove it upon successful install of the second. Graphical install 1. Double-click on the DMG file. A Finder window containing splunk.pkg opens. 2. In the Finder window, double-click on splunk.pkg.

67

The Splunk installer opens and displays the Introduction, which lists version and copyright information. 3. Click Continue. The Select a Destination window opens. 4. Choose a location to install Splunk. To install in the default directory, /Applications/splunk, click on the harddrive icon. To select a different location, click Choose Folder... 5. Click Continue. The pre-installation summary displays. If you need to make changes, Click Change Install Location to choose a new folder, or Click Back to go back a step. 6. Click Install. Your installation will begin. It might take a few minutes. 7. When your install completes, click Finish. The installer places a shortcut on the Desktop. Command line install 1. To mount the dmg:

hdid splunk_package_name.dmg

2. To Install To the root volume:

installer -pkg splunk.pkg -target /

To a different disk of partition:

68

installer -pkg splunk.pkg -target /Volumes\ Disk

specifies a target volume, such as another disk, where Splunk will be installed in /Applications/splunk.
-target

To install into a directory other than /Applications/splunk on any volume, use the graphical installer as described above. tar file install To install Splunk on a Mac OS, expand the tarball into an appropriate directory using the tar command:

tar xvzf splunk_package_name.tgz

The default install directory is splunk in the current working directory. To install into /Applications/splunk, use the following command:

tar xvzf splunk_package_name.tgz -C /Applications

Note: When you install Splunk with a tarball: Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually before installing. Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.

Start Splunk
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Start Splunk from the Finder To start Splunk from the Finder, double-click the Splunk icon on the Desktop to launch the Splunk helper application, entitled "Splunk's Little Helper". Note: The first time you run the helper application, it notifies you that it needs to perform a brief initialization. Click OK to allow Splunk to initialize and set up the
69

trial license. Once the helper application loads, it displays a dialog that offers several choices: Start and Show Splunk: This option starts Splunk and directs your web browser to open a page to Splunk Web. Only Start Splunk: This choice starts Splunk, but does not open Splunk Web in a browser. Cancel: Tells the helper application to quit. This does not affect the Splunk instance itself, only the helper application. Once you make your choice, the Splunk helper application performs the requested application and terminates. You can run the helper application again to either show Splunk Web or stop Splunk. The Splunk helper application can also be used to stop Splunk if it is already running. Start Splunk from the command line To start Splunk from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):

./splunk start

By convention, this document uses: $SPLUNK_HOME to identify the path to your Splunk installation. $SPLUNK_HOME/bin/ to indicate the location of the command line interface. Startup options The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

$SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

70

Launch Splunk Web and log in After you start Splunk and accept the license agreement, 1. In a browser window, access Splunk Web at http://<hostname>:port hostname is the host machine. port is the port you specified during the installation (the default port is 8000). 2. Splunk Web prompts you for login information (default, username admin and password changeme) before it launches. If you switch to Splunk Free, you will bypass this logon page in future sessions.

What's next?
Now that you've installed Splunk, what comes next?

Uninstall Splunk Enterprise


To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in this manual.

Install on FreeBSD
The FreeBSD builds comes in two forms: an installer (5.4-intel) and a tar file (i386). Both are gzipped tar (.tgz) files. Upgrading? If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding. Prerequisites For FreeBSD 8 , Splunk requires compatibility packages. To install the compatibility package: 1. Install the port:
portsnap fetch update

71

cd /usr/ports/misc/compat7x/ && make install clean

2. Add the package:


pkg_add -r compat7x-amd64

Basic install To install FreeBSD using the intel installer:

pkg_add splunk_package_name-6.1-intel.tgz

Important: This installs Splunk in the default directory, /opt/splunk. If /opt does not exist, you will need to create it prior to running the install command. If you don't, you might receive an error message. Splunk recommends that you create a symbolic link to another filesystem and install Splunk there, since best practices for FreeBSD maintain a small root ("/") filesystem. To install Splunk in a different directory:

pkg_add -v -p /usr/splunk splunk_package_name-6.1-intel.tgz

The FreeBSD package system does not have native upgrade support. There are some add-on utilities which try to manage it, but this is not explicitly tested. To upgrade a package on FreeBSD you can either uninstall the prior package, and install the new package, or you can upgrade the existing installation using a tar file install as below. tar file install To install Splunk on a FreeBSD system, expand the tar file into an appropriate directory using the tar command:

tar xvzf splunk_package_name.tgz

The default install directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

tar xvzf splunk_package_name.tgz -C /opt

Note: When you install Splunk with a tar file:


72

Some non-GNU versions of tar might not have the -C argument available. In this case, if you want to install in /opt/splunk, either cd to /opt or place the tar file in /opt before running the tar command. This method will work for any accessible directory on your machine's filesystem. Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually before installing. Ensure that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed. After you install To ensure that Splunk functions properly on FreeBSD, you must: 1. Add the following to /boot/loader.conf

kern.maxdsiz="2147483648" # 2GB kern.dfldsiz="2147483648" # 2GB machdep.hlt_cpus=0

2. Add the following to /etc/sysctl.conf:

vm.max_proc_mmap=2147483647

A restart of the OS is required for the changes to effect. If your server has less than 2 GB of memory, reduce the values accordingly.

What gets installed


To see the list of Splunk packages:

pkg_info -L splunk

To list all packages:

pkg_info

73

Start Splunk
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. To start Splunk from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):

./splunk start

By convention, this document uses: $SPLUNK_HOME to identify the path to your Splunk installation. $SPLUNK_HOME/bin/ to indicate the location of the command line interface. Startup options The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

$SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option. Launch Splunk Web and log in After you start Splunk and accept the license agreement, 1. In a browser window, access Splunk Web at http://<hostname>:port hostname is the host machine. port is the port you specified during the installation (the default port is 8000). 2. Splunk Web prompts you for login information (default, username admin and password changeme) before it launches. If you switch to Splunk Free, you will bypass this logon page in future sessions.

74

What's next?
Now that you've installed Splunk, what comes next?

Uninstall Splunk Enterprise


To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in this manual.

Install on AIX
You can install Splunk on AIX using a tar file. Important: The user Splunk is installed as must have permission to read /dev/urando and /dev/random or the installation will fail. Upgrading? If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding.

Install Splunk
The AIX install comes in tar file form. When you install with the tar file: Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually. Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed. We recommend you use GNU tar to unpack the tar files, as AIX tar can fail to unpack long file names, fail to overwrite files, and other problems. If you must use the system tar, be sure to check the output for error messages. To install Splunk on an AIX system, expand the tar file into an appropriate directory. The default install directory is /opt/splunk. For AIX 5.3, check to make sure your service packs are up to date. Splunk requires the following service level:

75

$ oslevel -r 5300-005

Start Splunk
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running Splunk as a non-root user for more information. To start Splunk from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):

./splunk start

By convention, this document uses: $SPLUNK_HOME to identify the path to your Splunk installation. $SPLUNK_HOME/bin/ to indicate the location of the command line interface. Note: The AIX version of Splunk does not register itself to auto-start on reboot. Startup options The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

$SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option. For more information, refer to "Splunk startup options" in this manual. Launch Splunk Web and log in After you start Splunk and accept the license agreement, 1. In a browser window, access Splunk Web at http://<hostname>:port hostname is the host machine.
76

port is the port you specified during the installation (the default port is 8000). 2. Splunk Web prompts you for login information (default, username admin and password changeme) before it launches. If you switch to Splunk Free, you will bypass this logon page in future sessions.

What's next?
Now that you've installed Splunk, what comes next?

Uninstall Splunk Enterprise


To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in this manual.

Install on HP-UX
You can install Splunk on HP/UX using a tar file. To install Splunk on an HP-UX system, expand the tar file, using GNU tar, into an appropriate directory. The default install directory is /opt/splunk. NOTE: The system default tar on HP-UX will not successfully extract the splunk tar. GNU tar is a pre-requisite, or you can unpack the tar on another platform. When you install with the tar file: Splunk does not create the splunk user automatically. If you want Splunk to run as a specific user, you must create the user manually. Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed. Upgrading? If you are upgrading, review "How to upgrade Splunk" for instructions and migration considerations before proceeding.

77

Start Splunk
Splunk can run as any user on the local system. If you run Splunk as a non-root user, make sure that Splunk has the appropriate permissions to read the inputs that you specify. To start Splunk from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed Splunk):

./splunk start

By convention, this document uses: $SPLUNK_HOME to identify the path to your Splunk installation. $SPLUNK_HOME/bin/ to indicate the location of the command line interface. Note: The HP-UX version of Splunk does not register itself to auto-start on reboot. Startup options The first time you start Splunk after a new installation, you must accept the license agreement. To start Splunk and accept the license in one step:

$SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option. Launch Splunk Web and log in After you start Splunk and accept the license agreement, 1. In a browser window, access Splunk Web at http://<hostname>:port hostname is the host machine. port is the port you specified during the installation (the default port is 8000). 2. Splunk Web prompts you for login information (default, username admin and password changeme) before it launches. If you switch to Splunk Free, you will
78

bypass this logon page in future sessions.

What's next?
Now that you've installed Splunk, what comes next?

Uninstall Splunk Enterprise


To learn how to uninstall Splunk Enterprise, read "Uninstall Splunk Enterprise" in this manual.

Run Splunk as a different or non-root user


Important: This topic is for non-Windows operating systems only. To learn how to install Splunk on Windows using a user, read "Choose the user Splunk should run as" in this manual. You can run Splunk as any user on the local system. If you run Splunk as a non-root user, make sure Splunk has the appropriate permissions to: Read the files and directories it is configured to watch. Some log files and directories may require root or superuser access to be indexed. Write to Splunk's directory and execute any scripts configured to work with your alerts or scripted input. Bind to the network ports it is listening on (ports below 1024 are reserved ports that only root can bind to). Note: Because ports below 1024 are reserved for root access only, Splunk will only be able to listen on port 514 (the default listening port for syslog) if it is running as root. You can, however install another utility (such as syslog-ng) to write your syslog data to a file and have Splunk monitor that file instead.

Instructions
To run Splunk as a non-root user, you need to first install Splunk as root. Then, before you start Splunk for the first time, change the ownership of the splunk directory to the desired user. The following are instructions to install Splunk and run it as a non-root user, splunk. Note: In the following examples, $SPLUNK_HOME represents the path to the Splunk installation directory.
79

1. Create the user and group, splunk. For Linux, Solaris, and FreeBSD:

useradd splunk groupadd splunk

For Mac OS: You can use the System Preferences > Accounts panel to add users and groups. 2. As root and using one of the packages (not a tar file), run the installation. Important: Do not start Splunk yet. 3. Use the chown command to change the ownership of the splunk directory and everything under it to the desired user.

chown -R splunk $SPLUNK_HOME

Note: You might also need to change the group ownership for files in the Splunk directory. If your system's chown binary does not support changing group ownership of files, you can use the chgrp command to do so. Refer to your system's man pages for additional information. 4. Start Splunk.

$SPLUNK_HOME/bin/splunk start

Also, if you want to start Splunk as the splunk user while you are logged in as a different user, you can use the sudo command:

sudo -H -u splunk $SPLUNK_HOME/bin/splunk start

This example command assumes: If Splunk is installed in an alternate location, update the path in the command accordingly. Your system may not have sudo installed. If this is the case, you can use
80

su. If you are installing using a tar file and want Splunk to run as a particular user (such as splunk), you must create that user manually. The splunk user will need access to /dev/urandom to generate the certs for the product.

Solaris 10 privileges
When installing on Solaris 10 as the splunk user, you must set additional privileges to start splunkd and bind to reserved ports. To start splunkd as the splunk user on Solaris 10, run:

# usermod -K defaultpriv=basic,net_privaddr,proc_exec,proc_fork splunk

To allow the splunk user to bind to reserved ports on Solaris 10, run (as root):

# usermod -K defaultpriv=basic,net_privaddr splunk

81

Start using Splunk Enterprise


Start Splunk for the first time
Important: Before you begin using your new Splunk upgrade or installation, you should take a few moments to make sure that Splunk and your data are secure. For more information, read "Hardening Standards" in the Securing Splunk Manual. To start Splunk: On Windows You can start Splunk on Windows using either the command line, or the Windows Services Manager. Using the command line offers more options, described later in this section. In a cmd window, go to C:\Program Files\Splunk\bin and type:

splunk start

(For Windows users: in subsequent examples and information, replace $SPLUNK_HOME with C:\Program Files\Splunk if you have installed Splunk in the default location. You can also add %SPLUNK_HOME% as a system-wide environment variable by using the System Properties dialog's Advanced tab.) On UNIX Use the Splunk command-line interface (CLI):

$SPLUNK_HOME/bin/splunk start

Splunk then displays the license agreement and prompts you to accept before the startup sequence continues.

Other start options


To accept the license automatically when you start Splunk for the first time, add the accept-license option to the start command:

82

$SPLUNK_HOME/bin/splunk start --accept-license

The startup sequence displays:

Checking prerequisites... Checking http port [8000]: open Checking mgmt port [8089]: open Verifying configuration. This may take a while... Finished verifying configuration. Checking index directory... Verifying databases... Verified databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sampledata, splunklogger, summary Checking index files All index checks passed. All preliminary checks passed. Starting splunkd... Starting splunkweb... Splunk Server started. The Splunk web interface is at http://<hostname>:8000

Note: If the default ports are already in use (or are otherwise not available), Splunk will offer to use the next available port. You can either accept this option or specify a port for Splunk to use. There are two other start options: no-prompt and answer-yes: If you run $SPLUNK_HOME/bin/splunk start --no-prompt, Splunk proceeds with startup until it requires you to answer a question. Then, it displays the question, why it is quitting, and quits. If you run SPLUNK_HOME/bin/splunk start --answer-yes, Splunk proceeds with startup and automatically answers "yes" to all yes/no questions. Splunk displays the question and answer as it continues. If you run start with all three options in one line, for example:

$SPLUNK_HOME/bin/splunk start --answer-yes --no-prompt --accept-license

Splunk does not ask you to accept the license. Splunk answers yes to any yes/no question. Splunk quits when it encounters a non-yes/no question.

83

Start and disable individual processes


You can start and stop individual Splunk processes by adding the process as an object to the start command. The objects include: splunkd, the Splunk server daemon. splunkweb, Splunk's Web interface process. For example, to start only splunkd:

$SPLUNK_HOME/bin/splunk start splunkd

To disable splunkweb:

$SPLUNK_HOME/bin/splunk disable webserver

For more information about start, refer to the CLI help page:

$SPLUNK_HOME/bin/splunk help start

Launch Splunk Web


Navigate to:
http://mysplunkhost:8000

Use whatever host and port you chose during installation. The first time you log in to Splunk Enterprise, the default login details are: Username - admin Password - changeme Splunk Free does not have access controls.

What happens next?


Now that you've got Splunk installed on one server, here are some links to get you started:

84

Learn what Splunk is, what it does, and how it's different. Learn how to add your data to Splunk. Add and manage users. Estimate how much space you will need to store your Splunk data. Plan your Splunk deployment, from gigabytes to terabytes per day. Learn how to search, monitor, report, and more One of Splunk's biggest differences from traditional technologies is that it classifies and interprets data at search-time. Learn what this means and how to use it. If you downloaded Splunk packaged with an app (for example, Splunk + WebSphere), go to Splunk Web and select the app in Launcher to go directly to the app?s setup page. To see more information about the setup and deployment for a packaged app, search for the app name on Splunkbase.

Learn about Splunk's accessibility


Splunk is dedicated to maintaining and enhancing its accessibility and usability for users of assistive technology (AT), both in accordance with Section 508 of the United States Rehabilitation Act of 1973, and in terms of best usability practices. This topic discusses how Splunk addresses accessibility within the product for users of AT.

Accessibility of Splunk Web and the CLI


The Splunk command line interface (CLI) is fully accessible, and includes a superset of the functions available in Splunk Web. The CLI is designed for usability for all users, regardless of accessibility needs, and Splunk therefore recommends the CLI for users of AT (specifically users with low or no vision, or mobility restrictions). Splunk also understands that use of a GUI is occasionally preferred, even for non-sighted users. As a result, Splunk Web is designed with the following accessibility features: Form fields and dialog boxes have on-screen indication of focus, as supported by the Web browser. No additional on-screen focus is implemented for links, buttons or other elements that do not have browser-implemented visual focus. Form fields are consistently and appropriately labeled, and ALT text describes functional elements and images.
85

Splunk does not override user-defined style sheets. Data visualizations in Splunk Web have underlying data available via mouse-over or output as a data table, such that information conveyed with color is available without color. Most data tables implemented with HTML use headers and markup to identify data as needed. Data tables presented using Flash visually display headers. Underlying data output in comma separated value (CSV) format have appropriate headers to identify data.

Accessibility and real-time search


Splunk Web does not include any blinking or flashing components. However, using real-time search causes the page to update. Real-time search is easily disabled, either at the deployment or user/role level. For greatest ease and usability, Splunk recommends the use of the CLI with real-time functionality disabled for users of AT (specifically screen readers). Refer to "How to restrict usage of real-time search" in the Search Manual for details on disabling real-time search.

Keyboard navigation using Firefox and Mac OS X


To enable Tab key navigation in Firefox on Mac OS X, use system preferences instead of browser preferences. To enable keyboard navigation: 1. In the menu bar, click [Apple icon]>System Preferences>Keyboard to open the Keyboard preferences dialog. 2. In the Keyboard preferences dialog, click the Keyboard Shortcuts button at the top. 3. Near the bottom of the dialog, where it says Full Keyboard Access, click the All controls radio button. 4. Close the Keyboard preferences dialog. 5. If Firefox is already running, exit and restart the browser.

86

Install a Splunk Enterprise license


About Splunk licenses
Splunk takes in data from sources you designate and processes it so that you can analyze it in Splunk. We call this process indexing. For information about the indexing process, refer to "What Splunk does with your data" in the Getting Data In Manual. Splunk licenses specify how much data you can index per day. For more information about Splunk licenses, begin by reading: "How Splunk licensing works" in the Admin Manual. "Types of Splunk licenses" in the Admin Manual. "More about Splunk Free" in the Admin Manual.

Install a license
This topic discusses installing new licenses. Before you proceed, you may want to review these topics: Read "How Splunk licensing works" in the Admin Manual for an introduction to Splunk licensing. Read "Groups, stacks, pools, and other terminology" in the Admin Manual for more information about Splunk license terms.

Add a new license


To add a new license: 1. Navigate to Settings > Licensing. 2. Click Add license.

87

3. Either click Choose file and navigate to your license file and select it, or click copy & paste the license XML directly... and paste the text of your license file into the provided field. 4. Click Install. If this is the first Enterprise license that you are installing, you must restart Splunk. Your license is installed.

License violations
Violations occur when you exceed the maximum indexing volume allowed for your license. If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled. Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days, or when you apply a temporary reset license (available for Enterprise only). To obtain a reset license, contact your sales rep. Note: Summary indexing volume is not counted against your license. If you get a violation warning, you have until midnight (going by the time on the license master) to resolve it before it counts against the total number of warnings within the rolling 30-day period. During a license violation period:

88

Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license. Searches to the _internal index are not disabled. This means that you can still access the Indexing Status dashboard or run searches against _internal to diagnose the licensing problem. Got license violations? Read "About license violations" in the Admin Manual or "Troubleshooting indexed data volume" from the Splunk Community Wiki. More licensing information is available in the "Manage Splunk licenses" chapter in the Admin Manual.

89

Upgrade or migrate Splunk Enterprise


How to upgrade Splunk
This topic discusses how to upgrade Splunk and its components from one version to another. In many cases, you upgrade Splunk by installing the latest package over your existing installation. On Windows systems, the installer package detects when you have a version installed and offers to upgrade it for you. Note: When upgrading Splunk, be sure to upgrade it using an administrative level account.

What's new and awesome in 6.0?


Read "Meet Splunk 6.0" in the Release Notes for a full list of the new features we've delivered in 6.0. Review the known issues in the Release Notes for a list of issues and workarounds in this release.

Always back up your existing deployment first


Get into the habit of backing up your existing deployment before any upgrade or migration. You can manage your risk by using technology that allows you to restore your Splunk install and data to a state prior to the upgrade, whether you use external backups, disk or file system snapshots, or other means. When backing up your Splunk data, consider the $SPLUNK_HOME directory, as well as any indexes outside of it. For more information about backing up your Splunk deployment, read the topics "Back up configuration information" in the Admin Manual and "Back up indexed data" in the Managing Indexers and Clusters Manual.

90

Then, read about important migration information before upgrading


Important: Before upgrading, be sure to read "About upgrading to 6.0: READ THIS FIRST" for specific migration tips and information that might affect you.

Upgrade from 5.0 and later


Splunk supports a direct upgrade from versions 5.0 and later to version 6.0. If you're upgrading from 5.0 or later, read the rest of this topic first before proceeding with the installation instructions linked below. Upgrade to 6.0 on Linux, Solaris, FreeBSD, HP-UX, AIX, and MacOS Upgrade to 6.0 on Windows

Upgrade from 4.3


Splunk also supports a direct upgrade from version 4.3 and later to version 6.0. Upgrading directly to 6.0 from versions older than 4.3 is not officially supported. If you are running a version of Splunk earlier than 4.3, then you should upgrade to 4.3 first before attempting an upgrade to 6.0. Read "About upgrading to 4.3 READ THIS FIRST" for specific details on how to upgrade to version 4.3.

Upgrade distributed deployments


If you're planning to upgrade your distributed Splunk environment, be sure to read "Upgrade your distributed environment" in the Distributed Deployment Manual for guidance on how to do so with minimal impact.

Upgrade clustered environments


Important: All nodes of a clustered Splunk environment must run the same version of Splunk. If you plan to upgrade your clustered environment, you must upgrade all nodes (including search heads, master nodes, and peer nodes) in the cluster at the same time. Read "Upgrade your clustered deployment" in the Managing Indexers and Clusters Manual for specific details.

91

Upgrade universal forwarders


Upgrading universal forwarders is a different process than upgrading full Splunk. Before upgrading your universal forwarders, be sure to read the appropriate upgrade topic for your operating system: Upgrade the Windows universal forwarder Upgrade the Unix universal forwarder To learn about interoperability and compatibility between indexers and universal forwarders, read "Indexer and universal forwarder compatibility" in the "Deployment Overview" topic of the Forwarding Data manual.

About Upgrading to 6.0 - READ THIS FIRST


This topic contains some important information and tips that you should read before upgrading to version 6.0 from an earlier version. Important: Not all Splunk apps and add-ons are compatible with Splunk Enterprise 6.0. If you are considering an upgrade to this release, please check Splunk Apps to confirm that your apps are compatible with Splunk Enterprise 6.0. Splunk Enterprise supports the following upgrade paths to Version 6.0 of the software: From version 5.0 or later to 6.0. From version 4.3 or later directly to 6.0. From version 4.3 or later to 5.0, and then from version 5.0 or later to 6.0. Upgrading to 6.0 from 4.3 and later is pretty simple, but here are a few things you should be aware of when installing the new version:

You want to know this stuff


We have changed the Splunk Enterprise user interface...significantly One of the biggest and most important things that you will notice after you upgrade to version 6.0 is the new user interface. We have transformed how you access Splunk through Splunk Web. To that end, the way you do things in Splunk Web on version 6 has changed from how you would do things in previous versions of the product.
92

For a list of some of the things that have changed in Splunk Web, read "How Splunk Web procedures have changed from version 5 to version 6" in this manual. For an introduction on how to access Splunk Web using the new interface, check out the updated Splunk Search Tutorial. We have changed a number of the Splunk terms that you've come to know Along with a changed user interface, we've also changed a number of the terms you've been used to when using Splunk. Here's a list of some of them: Manager, Splunk's main configuration interface, is now known as Settings. Launcher, the initial menu you see when you run Splunk, is now known as Home. Saved searches are now known as reports. A saved search with an alert is now known as an alert. "TSIDX stats" are now known as indexed field statistics. We have changed some application development parameters and procedures If you develop any type of Splunk app, be sure to read "Changes for Splunk app developers" to find out how to build or migrate your existing apps to work properly with version 6.

Other notable changes


Upgrade all nodes in a clustered environment at the same time All nodes of a clustered Splunk environment must run the same version of Splunk. If you plan to upgrade your clustered environment, you must upgrade all nodes (including search heads, master nodes, and peer nodes) in the cluster at the same time. Read "Upgrade your clustered deployment" in the Managing Indexers and Clusters Manual for specific details. We have increased the default amount of required available disk space for indexing and searching Prior to version 6.0, the default amount of free space Splunk needed to index and search was 2 gigabytes. When you upgrade, Splunk raises this default requirement to 5 gigabytes. Before you upgrade, make sure you have enough free space on the volume(s) that contain Splunk indexes and search dispatch
93

directories to ensure uninterrupted index and search operation. Splunk no longer uses CHECK_FOR_HEADER for field extraction from structured data files The deprecated CHECK_FOR_HEADER attribute in props.conf will no longer function for any new sourcetypes defined for structured data extraction. This means that, when you upgrade, attempts to use CHECK_FOR_HEADER will result in Splunk logging an error and disabling the associated definition. This change does not impact structured data definitions created prior to the upgrade - those definitions will continue to work with the CHECK_FOR_HEADER attribute. For information on Splunk's new structured data field extraction capabilities, read "Extract data from files with headers" in the Getting Data In Manual. We have reduced the maximum real-time search multiplier attribute in limits.conf We have reduced how many real-time searches a Splunk system can run by default. In Splunk version 5.x, you used to be able to run a number of searches equal to the following formula, based on attributes from limits.conf: Number of CPU cores * max_searches_per_cpu + base_max_searches *
max_rt_search_multiplier The max_rt_search_multiplier

attribute's default value was 3. When you upgrade, Splunk reduces the default value to 1. This means that your real-time search capacity will be effectively reduced by 66% unless you reset this attribute by editing a copy of limits.conf after the upgrade. We have extended the _internal index's retention period In an effort to provide better statistics on license usage, we have extended the retention period of the _internal index from 28 days to 30 days. When you upgrade, you might notice that Splunk uses up to an additional 7 percent of available disk space on the server which hosts that index.

94

The "Results Display Option" dialog for search queries does not retain changes through an upgrade If you make changes to the results display options for a given search query in version 5.x, Splunk does not retain those choices through an upgrade. You must make those changes again after the upgrade is complete. Some upgraded dashboards display visible axis titles where they did not before When you upgrade, some dashboards will display visible axis titles which did not exist prior to the upgrade. To address the issue, use the visualizations editor to remove the titles. View states do not persist during the upgrade If you make a change to a view state (such as adjusting the number of items to show per page in the flash timeline) and then upgrade Splunk, Splunk does not preserve the view state through the upgrade, and the default view loads when you use the upgraded version. This is because Splunk assigns each view state a module ID, which changes when you modify the view state's XML (by modifying the view). We have changed how you set the default search time range Prior to version 6, you could set the default search time range by selecting the desired entry in the flash timeline. Once you upgrade, you must use a configuration file, ui-prefs.conf, to set these default time ranges. Selecting the time range in the time range picker in a view will no longer have any affect. To learn how to use this file to set time ranges, read "Change the default selected time range" in the Search Manual. The configuration location for globally unique identifiers (GUIDs) has changed We have changed the location for the configuration of GUIDs for Splunk instances. In Splunk 6.0, instead of setting the GUID in server.conf, you must now set it in instance.cfg.

95

In props.conf, the initCrcLength attribute is now valid for sourcetype stanzas Prior to Splunk 6.0, you could only use the initCrcLength attribute in a [source::<source>] stanza type. Now, you can use this attribute in any [<sourcetype>] stanzas as well.

Notable changes for those upgrading directly from version 4.3 to version 6
We have changed how Splunk handles invalid regular expressions in monitoring stanza filters For versions 5.0.3 and later of Splunk, including version 6.0, we've changed how Splunk deals with improperly formatted regular expressions in monitoring stanza filter attributes in inputs.conf. If you supply an invalid regular expression for a filter attribute (for example, whitelist or blacklist) in a monitoring stanza, Splunk now ignores the entire stanza as being invalid, instead of ignoring only the filter attribute with the invalid regular expression. This means that Splunk will not monitor whatever data that stanza references until you fix the error and restart Splunk. Here's an example:

[monitor:///a/directory] whitelist = unclosed[class

This stanza is invalid because the whitelist attribute has an invalid value assigned to it (the "unclosed[class" regular expression is missing the right bracket (])). In version 5.0.2 and earlier, including version 4.3, Splunk monitors the files in /a/directory while ignoring the whitelist attribute.
TailingProcessor - Ignoring regular expression 'your_regex' in stanza 'your_stanza' due to 'error_message'. In version 5.0.3 and later, Splunk ignores the [monitor:///a/directory] stanza, logs an error in splunkd.log, and does not monitor the files in /a/directory: TailingProcessor - Invalid regular expression: 'your_regex' in stanza 'your_stanza' due to: error_message, ignoring this stanza.

When you upgrade, Splunk warns you of any invalid regular expressions it detects, and prompts you to fix them before attempting to complete the migration. To prevent this warning from occurring, check inputs.conf to ensure that all your monitoring stanzas have valid values before starting the upgrade.
96

Note: This change was originally introduced in Splunk 5.0.2, but we include it here for users who plan to upgrade directly from version 4.3 to version 6.0. We have deprecated the fschange monitor We have deprecated the fschange monitor input. This means that although it continues to function in version 6.0 of Splunk, it might be removed in a future version. As an alternative, you can: Learn how to monitor file system changes on Windows systems. Use the auditd daemon on *nix systems and monitor output from the daemon. Note: This change was originally introduced in Splunk 5.0, but we include it here for users who plan to upgrade directly from version 4.3 to version 6.0. Forwarding method now defaults to auto-loadbalancing Splunk 6.0 now makes auto-load balancing the default method of forwarding data to multiple indexers at one time. Note: This change was originally introduced in Splunk 5.0, but we include it here for users who plan to upgrade directly from version 4.3 to version 6.0. Splunk now offers integrated PDF printing With version 6.0 of Splunk comes integrated PDF printing. This means that PDF printing no longer requires a Linux Splunk instance. There are some things to pay attention to when upgrading, however - particularly with regards to views that contain Advanced XML. Additional information can be found in "Generate PDFs of your reports and dashboards" in the new Reporting Manual. Note: This feature was originally introduced in Splunk 5.0, but we include it here for users who plan to upgrade directly from version 4.3 to version 6.0. Splunk uses more *nix file descriptors Splunk 6.0 uses more file descriptors on *nix filesystems than version 4.3 did when monitoring files.

97

Before you upgrade, consider increasing the number of open file descriptors your system can use with the ulimit command. Note: This change was originally introduced in Splunk 5.0, but we include it here for users who plan to upgrade directly from version 4.3 to version 6.0. Splunk's database-checking utility might use more resources After you upgrade to 6.0, Splunk's database consistency checking utility (fsck) might use more system resources (in particular, disk I/O) when they run, particularly if bloom filters are being created at the same time. Note: This change was originally introduced in Splunk 5.0, but we include it here for users who plan to upgrade directly from version 4.3 to version 6.0.

Windows-specific changes
Upgrading a Windows universal forwarder can result in the collection of unwanted data under certain conditions Under certain conditions, upgrading a Splunk universal forwarder from Versions 4.3 or 5 to Version 6 can result in the unexpected collection of Windows data, which can impact your licensing volume. Be sure to read "Workaround for Windows universal forwarder enabling inputs unexpectedly on installation or upgrade" in the Release Notes for a fix to this specific issue. The Windows Event Log input is now modular and has additional filtering capabilities The Windows event log input gets two new improvements: The input, which until now had its own input processor, is now modular. This helps increase its efficiency and removes the limit of 64 concurrent Event Log channels. Since the Windows Event Log input already uses inputs.conf, there should be no impact to your configuration by this change. However, we suggest that you review any .conf files post-upgrade as a precautionary measure. Additionally, the input receives several new attributes which allow you to filter events based on their Windows Event IDs and suppress event log text.

98

There are also certain situations where, if you use a deployment server to control configurations, some versions of universal forwarder might collect duplicate events. See "Upgrade deployment servers and installed apps that use 6.0 stanzas might generate duplicate events" below for additional information. Upgraded deployment servers and installed apps that use 6.0 stanzas might generate duplicate events In order to maintain interoperability, Splunk does not remove an old-style Windows Event Log stanza during an upgrade to version 6. Instead, it notifies you that you need to remove them yourself manually. This is particularly important for deployment servers or universal forwarders that host apps that use 6.0 style configuration file stanzas. When you upgrade, if you do not remove the old-style stanzas, Splunk might generate duplicate events. Splunk on Windows introduces three new inputs: Host, printer, and network monitoring New for version 6.0, Splunk introduces three new Windows-only modular inputs: Host monitoring, print monitoring, and network monitoring. Host monitoring allows you to collect information about a Windows system, including operating system build and version, system architecture and memory, running processes and services, and installed applications. Print monitoring lets you gather information on your printer subsystem, including installed printers, print drivers and ports, and also allows you to check print jobs. Network monitoring lets you collect information on the configuration and status of the networking subsystem on Windows computers. For additional information on these three new inputs, read the following topics in the Getting Data In Manual: Monitor Windows host information Monitor Windows print subsystem information Monitor Windows network information Windows users now have a file monitoring input that does not use file handles

99

On Windows instances of Splunk only, a new file monitoring input, MonitorNoHandle allows users to monitor files without using system file handles. This addresses problems with cases where a file handle prevents a file from being closed properly, such as what occurs with Microsoft's DNS server logs when the DNS server attempts to roll them. The MonitorNoHandle input is only accessible by editing inputs.conf. You cannot enable this input with Splunk Web. The Windows Registry and Active Directory inputs are now modular In our ongoing efforts to streamline configuration files, we have made the Windows Registry monitor and Active Directory inputs modular. This means that, among other things, instead of using separate configuration files, these inputs now use inputs.conf for configuration. When you upgrade, settings will get migrated from the existing configuration files to inputs.conf. Splunk will migrate the following files during the upgrade: Registry monitoring: regmon-filters.conf Active Directory: admon.conf What happens after you upgrade: Registry monitoring stanzas will appear in inputs.conf as [WinRegMon://<stanza name>]. Active Directory stanzas will appear in inputs.conf as [admon://<stanza name>]. Be sure to review the updates to inputs.conf after the upgrade is complete. Active Directory monitoring time formats have changed The time stamp format that Splunk's Active Directory monitoring input logs in has changed. In Splunk 6.0 and later, AD monitoring inputs log events as follows:
pwdLastSet=07:03.12 pm, Mon 04/30/2012

If you use Active Directory monitoring inputs, you might be impacted by this change after you upgrade, particularly if you have configured alerts that rely on the old time stamp format.

100

No support for enabling Federal Information Processing Standards (FIPS) after an upgrade There is no supported upgrade path from a Splunk 5.x system with enabled Secure Sockets Layer (SSL) certificates to a Splunk 6.0 system with FIPS enabled.

How Splunk Web procedures have changed from version 5 to version 6


This topic lists some of the major differences in the way you accomplish tasks in Splunk Web from previous versions to version 6.

What's changed?
The table below shows the major differences in Splunk Web process from previous versions of Splunk to version 6. Procedure/Task How you used to do it How you do it now In 6.x, Splunk launches with Home. In Home, you can access Apps directly, Add data, or access the Manage data page.

In 5.x, the Splunk launcher has two tabs: Welcome and First time login to Splunk Splunk Home. In Welcome, you can Add data and Launch search app.

Returning to Home

In 6.x, you click the In 5.x, to return to Splunk logo in the Home/Welcome you upper left of the selected the Home app from navigation bar. Doing the App menu. so always returns you to Home. In 5.x you accessed your account information (change full name, email address, default app, timezone, password) under Manager > Users and authentication > Your account.
101

Edit account information

In 6.x, you access it directly from the Splunk navigation under Administrator > Edit account.

Logout from Splunk

In 5.x, you clicked the "Logout" button on the navigation bar. In 5.x, you edited all objects and system configurations from the Manager page or from the "Administrator" link on the navigation bar.

In 6.x, you select Administrator -> Logout In 6.x, you access these configurations directly from the Settings menu. There is no separate Manager page. In 6.x, you use the App menu on the navigation bar or the options under the App panel from Home. Search Reports Dashboards In the navigation bar, you select "Triggered Alerts" In 6.x, you can only view the timeline if you're looking at the Events tab after you run a search.

Manager/Settings

Manage Apps: Edit permissions for installed In 5.x, you used Manager -> apps, create a new app, Apps or selected from the or browse Splunkbase for App menu. community apps Search/? 5.x -> 6.x Summary, Search Searches & Reports Dashboards & Views Find the list of alerts In the navigation bar, you selected "Alerts". In 5.x, the timeline was always visible as part of the dashboard after you ran a search. You can hide the timeline.

Find the timeline

Changes for Splunk App developers


If you develop apps for Splunk, read this topic to find out what changes we've made to how Splunk works with apps in version 6.0, and how to migrate any existing apps to work with the new version.

We have removed support for FlashCharts in simple XML dashboards


We no longer support using FlashCharts in simple XML dashboards. This change provides a more consistent dashboard user experience for iOS devices and when users need to create PDFs. When users upgrade to version 6 of Splunk:

102

Splunk will silently ignore any charting options that previously triggered the rendering of FlashCharts. No actionable requirement here, but note that Splunk might render some charts differently in version 6.0 as a result.

We no longer support viewstates in simple XML


We have removed Splunk's capability to support view states in simple XML. This means that, when users upgrade: Any chart options that were saved in viewstates will no longer be layered in dashboard rendering. Users will need to manually migrate these chart options to the simple XML view configuration. In addition, dynamic chart resizing no longer persists beyond the page view. Users that are interested in persistence should save this in simple XML (<option name=height>300px</option>)

We no longer allow Splunk's Search page to be restyled


The new Search page in Splunk 6.0 can no longer be customized, as it does not load any custom JavaScript or CSS.

We have added restrictions to how you can style the AppBar


For consistency between apps, Splunk 6.0 now constrains AppBar customization to: color To set a color in the AppBar, edit the navigation menu default.xml (for example, <nav color="#0072C6">). logo If no logo file is found, the app name is displayed instead.

We have made changes to support for custom JavaScript and CSS


Version 6 of Splunk gets a refactored rendering engine, and as a result, many of the function calls that the application.js and application.css files use no longer work after users upgrade.

103

For app backward compatibility, in Splunk 6, simple XML dashboards no longer load application.js and application.css automatically. Instead, simple XML dashboards in Splunk 6 load dashboard.js and dashboard.css automatically. You can control the loading of specific JavaScript and CSS files within the configuration of each simple XML dashboard. You control this using the top-level attributes (<dashboard script=my_script.js stylesheet=my_stylesheet.css>). This design approach allows you to use application.js and application.css for previous versions of Splunk, as well as dashboard.js and dashboard.css for Splunk 6.0 and later.

For security purposes, we now prohibit JavaScript within the default.xml file for dashboard navigation menus
We no longer allow JavaScript to run in a dashboard's navigation menu. This means that, when users upgrade: Any app that has packaged the "Create new dashboard..." link within their navigation menu (like the old search app) will find this to no longer work in Splunk 6.0. You should remove this from your default.xml configuration.

Splunk now has a new "search" view page


Splunk 6.0 introduces a new search page "search" as a replacement to the existing Flash timeline. While the product still contains Flash timeline, you should change all references to flashtimeline within an app to "search" instead. This includes references within navigation menu's default.xml. It also includes references within any dashboard views (mainly for linkView options).

We have made new global pages available to add to your app


Splunk 6.0 provides easier access to reports, alerts, dashboards, and data models packaged within your app. We provide this access through via new listing pages for each of these objects (dashboards, reports, alerts, data_models). To add these views, edit your navigation menu's default.xml.

104

We have added the ability to run search queries from the Home page for your app
Splunk 6.0 enables end-users to run a search query from within the Home page, and target specific apps. You can allow end-users to directly target your app by configuring your app's navigation menu default.xml. To do this, edit default.xml and add the target view (<nav search_view="search">).

We have introduced "Data Models"


Splunk 6.0 introduces data models that you can package within your apps. To add data models to your apps, package them within
$SPLUNK_HOME/etc/apps/<app_name>/default/data/models

We have made changes to how Splunk works with custom HTML dashboards
Splunk 6.0 has added knowledge objects to be included in default.meta, and now supports dashboard views written entirely in HTML (by leveraging the new splunkjs library). You can add custom HTML dashboards by packaging them within $SPLUNK_HOME/etc/apps/<app_name>/default/data/ui/html and referencing them in default.meta with the object name [html].

We have added interval support for modular inputs


Prior to version 6, Splunk invoked any configured modular inputs when the Splunk daemon started. In version 6, splunkd now checks the inputs at specific intervals. You can choose whether or not you want to refactor your script to use this interval support.

We have changed where Splunk looks for the icon files


In versions of Splunk prior to 6.0, Splunk looked in
$SPLUNK_HOME/etc/apps/<your_app>/appserver/static. When users Splunk then looks in $SPLUNK_HOME/etc/apps/<your_app>/static.

upgrade,

105

We now require higher-resolution application logos and icons


In order to support displays with pixel density ratio of greater than 1:1 (as is the case for systems like the MacBook Pro with Retina Display), you must now use higher resolution icons and/or logos alongside the standard size icons and logos. The file names for these higher-resolution icons and logos must be appLogo_2x.png and appIcon_2x.png. When packaging your application icons and logos, put them in $SPLUNK_HOME/etc/apps/<app_name>/static. Your application logo has the following additional specifications: The background must be transparent. Its width can vary, but: Its height, with margins, must be no more than 40 pixels (80 pixels for the high resolution version). Within this 40-pixel limit, there must be a margin of at least 10 pixels on the top and bottom sides (20 pixels for the high resolution version) which leaves a maximum of 20 pixels of height available for your logo. There is, however, some leeway to go into the margin area, particularly if the logo has any bits that stick up or down or it's particularly complex, square or round.

106

Upgrade to 6.0 on UNIX


This topic describes the procedure for upgrading your Splunk instance from versions 4.3.x or 5.0.x or later to 6.0.

107

Before you upgrade


Make sure you've read this information before proceeding, as well as the following: Back your files up Before you perform the upgrade, we strongly recommend that you back up all of your files, including Splunk configurations, indexed data, and binaries. Splunk does not provide a means of downgrading to previous versions; if you need to revert to an older Splunk release, just reinstall it. For information on backing up data, read "Back up indexed data" in the Managing Indexers and Clusters Manual. For information on backing up configurations, read "Back up configuration information" in the Admin manual.

How upgrading works


After performing the installation of the new version, Splunk does not actually make changes to your configuration until after you restart it. You can run the migration preview utility at that time to see what will be changed before the files are updated. If you choose to view the changes before proceeding, a file containing the changes that the upgrade script proposes to make is written to
$SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>

Steps for upgrading


1. Execute the $SPLUNK_HOME/bin/splunk stop command. Important: Make sure no other processes will start Splunk automatically (such as Solaris SMF). 2. To upgrade and migrate from version 4.3.x and later, install the Splunk package over your existing Splunk deployment: If you are using a .tar file, expand it into the same directory with the same ownership as your existing Splunk instance. This overwrites and replaces matching files but does not remove unique files. Note: AIX tar will fail to correctly overwrite files when run as a user other than root. Use GNU tar (gtar) to avoid this problem.
108

If you are using a package manager, such as RPM, type rpm -U


splunk_package_name.rpm

If you are using a .dmg file (on Mac OS X), double-click it and follow the instructions. Be sure to specify the same installation directory as your existing installation. 3. Execute the $SPLUNK_HOME/bin/splunk start command. The following output is displayed:

This appears to be an upgrade of Splunk. -------------------------------------------------------------------------------Splunk has detected an older version of Splunk installed on this machine. To finish upgrading to the new version, Splunk's installer will automatically update and alter your current configuration files. Deprecated configuration files will be renamed with a .deprecated extension. You can choose to preview the changes that will be made to your configuration files before proceeding with the migration and upgrade: If you want to migrate and upgrade without previewing the changes that will be made to your existing configuration files, choose 'y'. If you want to see what changes will be made before you proceed with the upgrade, choose 'n'. Perform migration and upgrade without previewing configuration changes? [y/n]

4. Choose whether you want to run the migration preview script to see what changes will be made to your existing configuration files, or proceed with the migration and upgrade right away. 5. If you choose to view the expected changes, the script provides a list. 6. Once you've reviewed these changes and are ready to proceed with migration and upgrade, run $SPLUNK_HOME/bin/splunk start again. Note: You can complete Steps 3 to 5 in one line: To accept the license and view the expected changes (answer 'n') before continuing the upgrade:

109

$SPLUNK_HOME/bin/splunk start --accept-license --answer-no

To accept the license and begin the upgrade without viewing the changes (answer 'y'):

$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes

Upgrade to 6.0 on Windows


This topic describes the procedure for upgrading your Windows Splunk instance from versions 4.3.x or 5.0.x and later to 6.0. You can upgrade using the GUI installer, or by running the msiexec utility on the command line as described in "Install on Windows via the command line".

Before you upgrade


Make sure you've read this information before proceeding, as well as the following: Make sure you specify the same domain user When upgrading, you must explicitly specify the same domain user that you specified during first time install. If you do not specify the same user, Splunk will default to using the Local System User. If you accidentally specify the wrong user during your installation, use these instructions to switch to the correct user before starting Splunk. Don't change the ports Splunk does not support changing the management port and/or the HTTP port when upgrading. Back your files up Before you perform the upgrade, we strongly recommend that you back up all of your files, including Splunk configurations, indexed data and binaries. Splunk does not provide a means of downgrading to previous versions; if you need to revert to an older Splunk release, just reinstall it.

110

For information on backing up data, read "Back up indexed data" in the Managing Indexers and Clusters Manual. For information on backing up configurations, read "Back up configuration information" in the Admin manual. Note: When you upgrade to Splunk 6.0 on Windows, the installer overwrites any custom certificate authority (CA) certificates you have created in %SPLUNK_HOME%\etc\auth. If you have custom CA files, make sure to back them up before you upgrade. After the upgrade, you can copy them back into %SPLUNK_HOME%\etc\auth to restore them. After you have restored the certificates, restart Splunk. Don't attempt to downgrade after you've upgraded After you upgrade Splunk to version 6, if you need to downgrade, you must uninstall version 6 of Splunk and then reinstall the previous version of Splunk that you were using. Do not attempt to install over a Splunk 6 installation with an installer from a previous version. Doing so can result in a corrupt instance and data loss.

Upgrade using the GUI installer


1. Stop Splunk by either using the Services control panel or executing the %SPLUNK_HOME%\bin\splunk stop command. 2. Download the new MSI file from the Splunk download page. 3. Double-click the MSI file. The Welcome panel is displayed. Follow the on-screen instructions to upgrade Splunk. For information about each panel, refer to the installation instructions. 4. Splunk will start up by default when you complete the installation. A log of the changes made to your configuration files during the upgrade is placed in %TEMP%.

Upgrade using the command line


1. Stop Splunk either by using the Services control panel or executing the %SPLUNK_HOME%\bin\splunk stop command. 2. Download the new MSI file from the Splunk download page.
111

3. Use the instructions in "Install on Windows via the command line". If Splunk is running as a user other than the Local System user, you must explicitly specify this user in your command-line instruction. You can use the LAUNCHSPLUNK flag to specify whether Splunk should start up automatically or not when you're finished, but you cannot change any other settings. DO NOT change the ports (SPLUNKD_PORT and WEB_PORT) at this time. 4. Depending on your specification, Splunk may start automatically when you complete the installation. A log of the changes made to your configuration files during the upgrade is placed in %TEMP%. Start Splunk On Windows, Splunk is installed by default into %SYSTEMDRIVE%\Program Files\Splunk and is started by default. You can start and stop the following Splunk processes via the Windows Services control panel: Server process: splunkd Web interface process: splunkweb You can also start, stop, and restart both processes at once by going to %SYSTEMDRIVE%\Program Files\Splunk\bin and typing

splunk [start|stop|restart]

Migrate a Splunk instance


This topic discusses the procedure for migrating a Splunk instance from one server, operating system, architecture, or filesystem to another, while maintaining the indexed data, configurations, and users. This is different than upgrading an instance, which is merely installing a new version on top of an older one (though, an upgrade is a form of migration).

112

When to migrate
There are a number of reasons to migrate a Splunk install: Your Splunk installation is on a server that you wish to retire or reuse for another purpose. Your Splunk installation is on an operating system that either your organization or Splunk no longer supports, and you want to move it to an operating system that is supported. You are switching operating systems (for example, from *nix to Windows or vice versa) You want to move your Splunk installation to a different file system. Your Splunk installation is on 32-bit architecture, and you wish to move it to a 64-bit architecture for better performance. Your Splunk installation is on a system architecture that you plan to no longer support, and you want to move it to an architecture that you do support.

What to consider when migrating


While migrating a Splunk instance is simple in many cases, there are some important considerations to note when doing so. Depending on the type, version, and architecture of the systems involved in the migration, you might need to consider more than one of these items at a time. When migrating a Splunk instance, be sure to note: Endianness If you indexed data with a version of Splunk earlier than 4.2, the index files that comprise that data are sensitive to an operating system's endianness, which is the way the system organizes the individual bytes of a binary file (or other data structure). Some operating systems are big-endian (meaning they store the most significant byte of a binary file first), and others are little-endian (meaning they store the least significant byte first). These operating systems create binary files of the same endianness. Index bucket files are binary, and thus, for versions of Splunk earlier than 4.2, are the same endianness of the operating system that created them. For a listing of processor architectures and the endianness they use, refer to the Endianness article on Wikipedia.
113

When you migrate a pre-4.2 Splunk instance, in order for the destination system to be able to read the migrated data, you must transfer index files between systems with the same kind of endianness (for example, a NetBSD system running on a SPARC processor to a Linux system also running on a SPARC processor.) If you can't move index between systems with the same endianness (for example, when you want to move from a system that's big-endian to a system that's little-endian), then you must use alternative methods to move the data. You can move the data by forwarding it from the big-endian system to the little-endian system. Then, once you have forwarded all the data, you can retire the big-endian system. You can export the data from the big-endian system using Splunk's exporttool CLI command to comma-separated values (CSV) file, then import the CSV data into the little-endian system with the importtool CLI command. Read "Export and import index data between systems using exporttool/importtool" in this topic for additional information. Caution: This is an advanced procedure, and can take an extremely long amount of time, depending on how much data needs to be transferred. If you want to use this method, we strongly suggest that you consult Splunk's Professional Services team for assistance. Index files created by Splunk versions 4.2 and later do not have problems with endianness. Differences in Windows and Unix path separators The path separator (the character used to separate individual directory elements of a path) on *nix and Windows is different. When moving index files between these operating systems, you must make sure that the path separator you use is correct for the operating system you want to move the Splunk installation to. You must also make sure that you update any Splunk configuration files (in particular, indexes.conf) to use the correct path separator. Windows permissions When moving a Splunk instance between Windows servers, make sure that the destination server has the same rights assigned to it that the source server does. This includes but is not limited to the following: Ensure that the file system and/or share permissions on the target server are correct and allow access for the user that runs Splunk.
114

If Splunk runs as an account other than the Local System user, that the user is a member of the local Administrators group and has the appropriate Local Security Policy or Domain Policy rights assigned to it by a Group Policy object Architecture changes If you downgrade the architecture that your Splunk instance runs on (for example, 64-bit to 32-bit), you might experience degraded search performance on the new server due to the larger files that the 64-bit operating system and Splunk instance created. Distributed and clustered Splunk environments When you want to migrate data on a distributed Splunk instance (that is, an indexer that is part of a group of servers that a search head has been configured to search for events, or a search head that's been configured to search indexers for data), the you should remove the instance from the distributed environment before attempting to migrate it. Bucket IDs and potential bucket collision If you migrate a Splunk instance to another Splunk instance that already has existing indexes with identical names, you must make sure that the individual buckets within those indexes have bucket IDs which do not collide. Splunk will not start if it encounters indexes with buckets that have colliding bucket IDs. When copying index data, you might need to rename the copied bucket files in order to prevent this condition.

How to migrate
To migrate your system from one version of Splunk to another, follow these instructions: 1. Stop Splunk on the server from which you want to migrate. 2. Copy the entire contents of the $SPLUNK_HOME directory from the old server to the new server. Important: Be sure to note any considerations above which might apply to you when copying the files. 3. Install the appropriate version of Splunk for the target platform.
115

Note: On *nix systems, you can extract the tar file you downloaded directly over the copied files on the new system, or use your package manager to upgrade using the downloaded package. On Windows systems, the installer updates the Splunk files automatically. 4. Confirm that index configuration files (indexes.conf) contain the correct location and path specification for any non-default indexes. 5. Start Splunk on the new Splunk instance. Note: On *nix systems, Splunk detects whether you are migrating and prompts you on whether or not to upgrade at this time. 6. Log into Splunk. You should be able to log in with your existing credentials. 7. Once logged in, confirm that your data is intact by searching it.

How to move index buckets from one server to another


If you're retiring a Splunk server and immediately moving the data to another Splunk server, you can move individual buckets of an index between servers, as long as: The source and target systems have the same endianness. You are not trying to restore a bucket created by a 4.2 or greater version of Splunk to a version of Splunk less than 4.2. To move a bucket from one server to another: 1. Roll any hot buckets on the source system from hot to warm. 2. On the target system, create index(es) that are identical to the ones on the source system. Note: Review indexes.conf on the old system to get a list of the indexes on that system. 3. Copy the index buckets from the source system to the target system. Note: When copying individual bucket files, you must make sure that no bucket IDs conflict on the new system. Otherwise, Splunk will not start. You might need
116

to rename individual bucket directories after you move them from the source system to the target system. 4. Restart Splunk.

Migrate to the new Splunk licenser


This topic discusses how to migrate your license configuration from a pre-4.2 Splunk deployment to the 4.2+ licenser model. Note: This topic does not cover upgrade of an entire Splunk deployment. Review "How to upgrade Splunk" in the Installation Manual before you upgrade your Splunk deployment. Before you proceed, you might want to review these topics: Read "How Splunk licensing works" in the Admin manual for an introduction to Splunk licensing. Read "Groups, stacks, pools, and other terminology" in the Admin manual for more information about Splunk license terms.

Old licenses
Migrating from an older version most likely puts you in one of these two categories: If you are currently running Splunk 4.0 or later, your license will work in 4.2 and later. If you're migrating from a version older than 4.0, you must contact your Splunk Sales representative and arrange for a new license. Splunk also recommends you review the migration documentation before proceeding with the migration. Depending on how old your version of Splunk is, you might want to migrate in multiple steps (for example, first to 4.0, then 4.1, 4.2, and finally 5.0+) to maintain your configurations. Migrating search heads If your search heads were previously using old forwarder licenses, they will be automatically converted to be in the Download-trial group. Before you proceed, Splunk recommends adding your search heads to an established Enterprise license pool. Even if they have no indexing volume, this will enable Enterprise
117

features, especially alerting and authentication.

Migrate a standalone instance


If you've got a single 4.1.x Splunk indexer and it has a single license installed on it, you can just proceed as normal with your upgrade. Follow the instructions in the Installation Manual for your platform, and be sure to read the "READ THIS FIRST" documentation first. Your existing license will work with the new licenser, and will show up as a valid stack, with the indexer as a member of the default pool.

Migrate a distributed indexing deployment


If you've got multiple 4.1.x indexers, each with their own licenses, follow these high-level steps in this order to migrate the deployment: 1. Designate one of your Splunk instances as the license master. If you've got a search head, this is likely a good choice. 2. Install or upgrade the Splunk instance you have chosen to be the license master, following the standard instructions in the Installation Manual. 3. Configure the license master to accept connections from the indexers as desired. 4. Upgrade each indexer one at a time, following these steps: Upgrade an indexer to 5.0 following the instructions in the Installation Manual. It will be operating as a stand-alone license master until you perform the following steps. Make a copy of the indexer's Enterprise license file (pre-4.2 license files are located in $SPLUNK_HOME/etc/splunk.license on each indexer) and install it onto the license master, adding it to the stack and pool to which you want to add the indexer. Configure the indexer as a license slave and point it at the license master. On the license master, confirm that the license slave is connecting as expected by navigating to Manager > Licensing and looking at the list of indexers associated with the appropriate pool. Once you've confirmed the license slave is connecting as expected, proceed to upgrade the next indexer, following the same steps.
118

Migrate forwarders If you have deployed light forwarders, review the information in this chapter about the universal forwarder in the Forwarding Data Manual. You can upgrade your existing light forwarders to the universal forwarders, no licensing configuration is required--the universal forwarder includes its own license. If you have deployed a heavy forwarder (a full instance of Splunk that performs indexing before forwarding to another Splunk instance), you can treat it like an indexer--add it to a license pool along with the other indexers.

119

Uninstall Splunk Enterprise


Uninstall Splunk
This topic discusses how to remove Splunk from your system. Before you uninstall, stop Splunk. Navigate to $SPLUNK_HOME/bin and type ./splunk stop (or just splunk stop on Windows).

Uninstall Splunk with your package management utilities


Use your local package management commands to uninstall Splunk. In most cases, files that were not originally installed by the package will be retained. These files include your configuration and index files which are under your installation directory. Note: $SPLUNK_HOME refers to the Splunk installation directory. On Windows, this is C:\Program Files\Splunk by default. For most Unix platforms, the default installation directory is /opt/splunk; for Mac OS, it is /Applications/splunk.
RedHat Linux

To uninstall Splunk on RedHat:

rpm -e splunk_product_name Debian Linux

To uninstall Splunk on Debian:

dpkg -r splunk

To purge (delete everything, including configuration files) on Debian:

dpkg -P splunk

120

FreeBSD

To uninstall Splunk from the default location on FreeBSD:

pkg_delete splunk

To uninstall Splunk from a different location on FreeBSD:

pkg_delete -p /usr/splunk splunk Solaris

To uninstall Splunk on Solaris:


pkgrm splunk HP-UX

To uninstall Splunk on HP-UX, you must stop Splunk, disable boot-start (if you configured it), and then delete the Splunk installation. Note: The $SPLUNK_HOME variable refers to the directory where you installed Splunk. 1. Stop Splunk:

$SPLUNK_HOME/bin/splunk stop

2. If you enabled boot-start, run the following command as root:

$SPLUNK_HOME/bin/splunk disable boot-start

3. Delete the Splunk installation directories:

rm -rf $SPLUNK_HOME

Other things you may want to delete: If you created any indexes and did not use the Splunk default path, you must delete those directories as well.
121

If you created a user or group for running Splunk, you should also delete them.
Windows

To uninstall Splunk on Windows: Use the Add or Remove Programs option in the Control Panel. In Windows 7 and Windows Server 2008, that option is available under Programs and Features. You can also uninstall Splunk from the command line by using the msiexec executable against the Splunk installer package:

C:\> msiexec /x splunk-<version>-x64.msi

Note: Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.

Uninstall Splunk manually


If you can't use package management commands, use these instructions to uninstall Splunk. Note: These instructions will not remove any init scripts that have been created. 1. Stop Splunk.

$SPLUNK_HOME/bin/splunk stop

2. Find and kill any lingering processes that contain "splunk" in its name. For Linux and Solaris:

kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`

For FreeBSD and Mac OS

122

kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`

3. Remove the Splunk installation directory, $SPLUNK_HOME. For example:

rm -rf /opt/splunk

Note: For Mac OS, you can also remove the installation directory by dragging the folder into the trash. 3. Remove any Splunk datastore or indexes outside the top-level directory, if they exist.

rm -rf /opt/splunkdata

4. Delete the splunk user and group, if they exist. For Linux, Solaris, and FreeBSD:

userdel splunk groupdel splunk

For Mac OS: You can use the System Preferences > Accounts panel to manage users and groups. For Windows: Open a command prompt and run the command msiexec /x against the msi package that you installed.

123

Reference
PGP Public Key
Following is the Pretty Good Privacy (PGP) public key for Splunk.

-----BEGIN PGP PUBLIC KEY BLOCK----Version: GnuPG v1.4.1 (GNU/Linux) mQGiBEbE21QRBADEMonUxCV2kQ2oxsJTjYXrYCWCtH5/OnmhK5lT2TQaE9QUTs+w nM3sVInQqwRwBDH2qsHgqjJS0PIE867n+lVuk0gSVzS5SOlYzQjnSrisvyN452MF 2PgetHq8Lb884cPJnxR6xoFTHqOQueKEOXCovz1eVrjrjfpnmWKa/+5X8wCg/CJ7 pT7OXHFN4XOseVQabetEbWcEAIUaazF2i2x9QDJ+6twTAlX2oqAquqtBzJX5qaHn OyRdBEU2g4ndiE3QAKybuq5f0UM7GXqdllihVUBatqafySfjlTBaMVzd4ttrDRpq Wya4ppPMIWcnFG2CXf4+HuyTPgj2cry2oMBm2LMfGhxcqM5mpoyHqUiCn7591Ra/ J2/FA/0c2UAUh/eSiOn89I6FhFOicT5RPtRpxMoEM1Di15zJ7EXY+xBVF9rutqhR 5OI9kdHibYTwf4qjOOPOA7237N1by9GiXY/8s+rDWmSNKZB+xAaLyl7cDhYMv7CP qFTutvE8BxTsF0MgRuzIHfJQE2quuxKJFs9lkSFGuZhvRuwRcrQgS2ltIFdhbGxh Y2UgPHJlbGVhc2VAc3BsdW5rLmNvbT6IXgQTEQIAHgUCRsTbVAIbAwYLCQgHAwID FQIDAxYCAQIeAQIXgAAKCRApYLH9ZT+xEhsPAKDimP8sdCr2ecPm8mre/8TK3Bha pQCg3/xEickiRKKlpKnySUNLR/ZBh3m5Ag0ERsTbbRAIAIdfWiOBeCj8BqrcTXxm 6MMvdEkjdJCr4xmwaQpYmS4JKK/hJFfpyS8XUgHjBz/7zfR8Ipr2CU59Fy4vb5oU HeOecK9ag5JFdG2i/VWH/vEJAMCkbN/6aWwhHt992PUZC7EHQ5ufRdxGGap8SPZT iIKY0OrX6Km6usoVWMTYKNm/v7my8dJ2F46YJ7wIBF7arG/voMOg1Cbn7pCwCAtg jOhgjdPXRJUEzZP3AfLIc3t5iq5n5FYLGAOpT7OIroM5AkgbVLfj+cjKaGD5UZW7 SO0akWhTbVHSCDJoZAGJrvJs5DHcEnCjVy9AJxTNMs9GOwWaixfyQ7jgMNWKHJp+ EyMAAwYH/RLNK0HHVSByPWnS2t5sXedIGAgm0fTHhVUCWQxN3knDIRMdkqDTnDKd qcqYFsEljazI2kx1ZlWdUGmvU+Zb8FCH90ej8O6jdFLKJaq50/I/oY0+/+DRBZJG 3oKu/CK2NH2VnK1KLzAYnd2wZQAEja4O1CBV0hgutVf/ZxzDUAr/XqPHy5+EYg96 4Xz0PdZiZKOhJ5g4QjhhOL3jQwcBuyFbJADw8+Tsk8RJqZvHfuwPouVU+8F2vLJK iF2HbKOUJvdH5GfFuk6o5V8nnir7xSrVj4abfP4xA6RVum3HtWoD7t//75gLcW77 kXDR8pmmnddm5VXnAuk+GTPGACj98+eISQQYEQIACQUCRsTbbQIbDAAKCRApYLH9 ZT+xEiVuAJ9INUCilkgXSNu9p27zxTZh1kL04QCg6YfWldq/MWPCwa1PgiHrVJng p4s= =Mz6T -----END PGP PUBLIC KEY BLOCK-----

Installing the key


Copy and paste the key into a file. Install the key using:

rpm --import <filename>

124