From Splunk Wiki
Running Multiple Splunk Instances on Windows
Normally, Splunk installed on a Windows machine runs as a defined service. That's appropriate for most installations and is easiest to manage. However, there may be situations where either multiple Splunk instances, or running Splunk not as a service, is desirable. To do that, you need to run Splunk without an interactive console, and ideally schedule Splunk as a task so it can execute without a user session. If you are running multiple Splunks, you'll also need to change the service port and optionally the web interface port to prevent conflicts between your instances.
To launch Splunk without a user session or console, the command is "splunk.exe start splunkd --nodaemon". That will start an instance of splunkd with the configuration in the downstream directory structure. Optionally, you can also start splunkweb to enable the web UI with "splunk.exe start splunkweb --nodaemon"
In order to be able to see and gracefully control the start and stop of your non-service based Splunk, creating a Windows scheduled task is recommended. Here is a sample task schedule that will start Splunk on a remote host when the machine starts up:
schtasks /create /s %HOSTNAME% /tn %SERVICENAME% /tr "\%SPLUNKHOME%\bin\splunk.exe start splunkd --nodaemon" /sc onstart /ru%DOMAIN%\%USER% /rp %PASSWORD%
Splunk doesn't store any configuration information in the Windows registry. Therefore you can make multiple copies of any valid Splunk installation on the same machine, or copy the Splunk directory structure from one machine to another. You cannot, however, run the same Splunk install multiple times on the same machine, because they will have the same port configuration and collide with each other. You need to change two ports, the web UI port and the splunkd communication port.
- To change the Splunk web UI port go to http.conf and change
- To change the Splunk management port go to server.conf and change