Installation

This process should take less than 5 minutes to complete but does require a Splunk restart. Please do not attempt to use the Prelert app before Splunk has been restarted.

The Prelert App for Splunk is distributed as a single file: prelert.tar.gz

This page describes three ways to install the app. If you are using search head clustering (SHC) you must follow the third set of instructions.

Installing using Splunkweb

  1. Make sure you are logged in as a user with the “admin” role
  2. On the App menu select Manage Apps
  3. Click the Install app from file button
  4. Choose file prelert.tar.gz
  5. Click Upload
  6. Restart Splunk when requested

Please note that on unusually slow or busy machines Splunkweb may time out even though the install has completed successfully. Refresh the browser to check. If the installation continues to fail, then please follow the command line instructions below.

Installing using the command line

The following applies to an initial install only, not an upgrade.

  1. Log onto the Splunk server with admin privileges

  2. Run the following command:

    > $SPLUNK_HOME/bin/splunk install app /path/to/prelert.tar.gz
    
  3. If you are asked to authenticate then do so as a user with the admin role

  4. Restart Splunk:

    > $SPLUNK_HOME/bin/splunk restart
    

Installing using an SHC deployer

  1. Expand the new version of the Prelert app (Anomaly Detective) on your deployer machine; the archive unpacks into a prelert directory:

    > cd $SPLUNK_HOME/etc/shcluster/apps
    > tar zxvf /path/to/prelert.tar.gz
    
  2. Add your license file to the app to be deployed:

    > cp /path/to/license $SPLUNK_HOME/etc/shcluster/apps/prelert/lic
    

    (If you forget this step it’s not a disaster, but you’ll then have to manually install your license on every search head in the cluster.)

  3. Push the new app to your search head cluster:

    > $SPLUNK_HOME/bin/splunk apply shcluster-bundle -target "https://<searchhead-in-cluster>:8089" -auth admin:changeme
    
     The target can be any member of the cluster, addressed on its management port (8089 by default). admin:changeme is Splunk's default administrator credential and appears here only as a placeholder: use your own admin account, and preferably omit -auth altogether so the CLI prompts for the password instead of leaving it in your shell history.

  4. Answer y when informed that you will trigger rolling restarts of the cluster
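The deployer procedure above, collected into one script as an added example (not Prelert's or Splunk's own tooling). It inspects the archive before unpacking so that nothing lands outside $SPLUNK_HOME/etc/shcluster/apps, copies the license into the staged app, and prints the push command with the password left out so the CLI prompts for it. SPLUNK_HOME is assumed to be set, the archive is assumed to expand to a single prelert/ directory, and the deployer host name and paths below are placeholders.

```shell
#!/bin/sh
# Stage the Prelert app on an SHC deployer. Added example; assumes SPLUNK_HOME
# is set and that prelert.tar.gz expands to a single top-level prelert/ directory.
set -eu

# Inspect the archive before extracting it: every member must sit under
# prelert/ and no member may be an absolute path or contain "..", otherwise
# tar would write outside the shcluster/apps staging directory.
check_app_archive() {
    archive="$1"
    tar -tzf "$archive" | while IFS= read -r member; do
        case "$member" in
            /*|*/../*|../*|*/..) echo "unsafe path in archive: $member" >&2; return 1 ;;
        esac
        case "$member" in
            prelert|prelert/*) ;;
            *) echo "member outside prelert/: $member" >&2; return 1 ;;
        esac
    done
}

# Steps 1 and 2 of the procedure: unpack into the deployer's staging area and
# add the license so every search head receives it with the bundle. The page's
# destination is prelert/lic; if the app ships a lic directory the license is
# copied into it, otherwise it is copied to a file named lic.
stage_prelert_app() {
    archive="$1"
    license="$2"
    apps_dir="$SPLUNK_HOME/etc/shcluster/apps"
    check_app_archive "$archive" || return 1
    mkdir -p "$apps_dir"
    tar -xzf "$archive" -C "$apps_dir"
    [ -d "$apps_dir/prelert" ] || { echo "archive did not create $apps_dir/prelert" >&2; return 1; }
    dest="$apps_dir/prelert/lic"
    if [ -d "$dest" ]; then dest="$dest/$(basename "$license")"; fi
    cp "$license" "$dest"
    echo "$apps_dir/prelert"
}

# Step 3: build the push command. -auth is omitted on purpose so that splunk
# prompts for the admin credentials instead of recording them in shell history
# and in the process list. Port 8089 is the default management port.
push_command() {
    target="$1"
    printf '%s apply shcluster-bundle -target "https://%s:8089"\n' \
        "$SPLUNK_HOME/bin/splunk" "$target"
}

# Usage (placeholders): SPLUNK_HOME=/opt/splunk sh stage_prelert.sh \
#   /path/to/prelert.tar.gz /path/to/license sh1.example.com
if [ "$#" -eq 3 ]; then
    stage_prelert_app "$1" "$2"
    echo "Now run, answering y to the rolling-restart prompt:"
    push_command "$3"
fi
```

Run the printed command from the deployer and answer y at the rolling-restart prompt (step 4); the script deliberately stops short of running it so that the staged contents can be reviewed first.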

See also