"MLTK app version 4.4 and Python for Scientific Computing apps for Linux 64-bit and Windows 64-bit are now included in the ES installer. This increases the ES package to >500MB, which will run into upload limit issues when installing ES from the SplunkWeb UI. See Install Splunk Enterprise Security for installation instructions."
"The installer dynamically detects if you're installing in a single search head environment or search head cluster environment. The installer is also bigger than the default upload limit for Splunk Web.
Increase the Splunk Web upload limit by creating a file called $SPLUNK_HOME/etc/system/local/web.conf with the following stanza.
max_upload_size = 1000 // increases SplunkWeb upload limit to 1GB
To restart Splunk from the Splunk toolbar, select Settings > Server controls and click Restart Splunk.
On the Splunk toolbar, select Apps > Manage Apps and click Install App from File.
Click Choose File and select the Splunk Enterprise Security product file.
Click Upload to begin the installation.
Click Set up now to start setting up Splunk Enterprise Security"
thank for your fast replay.
I installed splunk in windows so I added this max_upload_size = 1000 in web.conf as you mention but i get same error. this is error log that I found in splunk system
-12-2019 09:14:32.393 +0400 WARN HttpListener - Read Timeout communicating with 127.0.0.1:51394, disconnecting
I've seen this, also. It caused by the ESS file being too large to upload to Splunk (I know, right?). The workaround is to use the CLI to install ESS. See https://docs.splunk.com/Documentation/ES/6.0.0/Install/InstallEnterpriseSecurity#Install_Splunk_Ente... for details.
Search heads are a very basic concept of Splunk that every Splunk admin must understand.
What specific part of my answer confuses you?