System admin

The Splunk Enterprise installation package can be used to install most Splunk server components. The Universal Forwarder (UF) installation package is a lighter version of Splunk that is simply used to forward data to indexers. The other options are not existing packages.

On Windows, Splunk is set to start automatically on boot. On Linux, you must manually run a version of the splunk enable boot-start command.

On Linux, the default Splunk installation path (SPLUNK_HOME) is /opt/splunk. The default Splunk database path (SPLUNK_DB) where indexes are stored is /opt/splunk/etc/var/lib.

Port 8089 is used by splunkd by default.
Port 8000 is the default for Splunk Web, and port 9997 is often used as a Splunk listening port.

It is recommended to install the MC on it’s own system. If collocated with another Splunk component, a License Manager or a smaller Deployment Servers (environments with < 50 clients) is most recommended. Avoid Search Heads and Indexers.

Starting with Splunk 9.0, the MC provides Splunk Assist, a cloud-connected service for Splunk Enterprise and Splunk Cloud that leverages telemetry data to generate insights in real time. Splunk Assist uses helper packages such as AppAssist, CertAssist and ConfigAssist.

Splunk Diag is available from any Splunk instance.

Events are measured as the data (full size) that flows through the parsing pipeline per day. Metrics measurement is capped at 150 bytes per metric event. Both types of data input draw from the same license quota.

Search Heads, Indexers, Heavy Forwarders, Deployment Server and other Splunk Enterprise instances require the Enterprise license even if they are not ingesting data. Universal Forwarders do not require an Enterprise license to be installed.

Indexing that exceeds the allocated daily quota in a pool is an alert. An alert not fixed by midnight turns into a warning. 5 or more warnings on an enforced Enterprise license (or 3 warnings on a Free license) in a rolling 30-day period is a violation.