https://docs.splunk.com/Documentation/ES/6.0.0/RN/Enhancements

"MLTK app version 4.4 and Python for Scientific Computing apps for Linux 64-bit and Windows 64-bit are now included in the ES installer. This increases the ES package to >500MB, which will run into upload limit issues when installing ES from the SplunkWeb UI. See Install Splunk Enterprise Security for installation instructions."

https://docs.splunk.com/Documentation/ES/6.0.0/Install/InstallEnterpriseSecurity#Step_2._Install_Spl...
"The installer dynamically detects if you're installing in a single search head environment or search head cluster environment. The installer is also bigger than the default upload limit for Splunk Web.
Increase the Splunk Web upload limit by creating a file called $SPLUNK_HOME/etc/system/local/web.conf with the following stanza.
[settings]
max_upload_size = 1000 // increases SplunkWeb upload limit to 1GB
To restart Splunk from the Splunk toolbar, select Settings > Server controls and click Restart Splunk.
On the Splunk toolbar, select Apps > Manage Apps and click Install App from File.
Click Choose File and select the Splunk Enterprise Security product file.
Click Upload to begin the installation.
Click Set up now to start setting up Splunk Enterprise Security"

I've seen this, also. It caused by the ESS file being too large to upload to Splunk (I know, right?). The workaround is to use the CLI to install ESS. See https://docs.splunk.com/Documentation/ES/6.0.0/Install/InstallEnterpriseSecurity#Install_Splunk_Ente... for details.