Splunk® App for Windows Infrastructure (Legacy)

Deploy and Use the Splunk App for Windows Infrastructure



On October 20, 2021, the Splunk App for Windows Infrastructure will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Windows Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for Windows Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.

Install the central Splunk App for Windows Infrastructure instance

The central components of a Splunk App for Windows Infrastructure deployment are the Splunk indexer that stores Windows and Active Directory data and the search head that searches the stored data. (Optionally, additional indexers and/or search heads can be added to the instance to increase indexing and searching bandwidth).

You install the following components on the central instance:

  • The Splunk App for Windows Infrastructure add-ons must be installed onto every server in the central Splunk App for Windows Infrastructure instance.
  • The Splunk App for Windows Infrastructure and its associated add-ons must be installed onto every search head in the central instance.

Before installing the Splunk App for Windows Infrastructure onto your central Splunk instance, make sure that you have provisioned the instance to support the level of indexing and interaction that you anticipate for your deployment. For more information on this, review "Platform and hardware requirements".

Install Splunk

If you are not using an existing Splunk installation for the central Splunk instance, download the full Splunk package for your platform and follow the installation instructions in the core Splunk Enterprise documentation.

Install the Splunk Support for Active Directory Add-on (SA-ldapsearch)

1. Download the Supporting Add-on for Active Directory.

2. Configure the Splunk Support for Active Directory Add-on by editing %SPLUNK_HOME%\etc\apps\SA-ldapsearch\local\ldap.conf. An example follows:

[mydomain.com]
server = 192.168.50.1;192.168.50.2
port = 636
ssl = true
basedn = dc=spl,dc=com
binddn = cn=Splunk Searcher,cn=Users,dc=spl,dc=com
password = {64}u9435tr8ujtgfnkjscc
alternatedomain = MYDOMAIN

Note: For more information on editing ldap.conf, see "Configure the Splunk Support for Active Directory Add-on" in the Splunk Support for Active Directory Add-on documentation.
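As an added example that is not part of the Splunk documentation, the following Python script parses ldap.conf stanzas of the shape shown above and flags the two settings worth checking before the add-on goes live: a domain bound over plain LDAP instead of LDAPS, and a bind password left in clear text. The sample file is constructed for this example, and the reading of the {64} prefix as "encoded by the add-on" is an assumption.

```python
import configparser

# Constructed ldap.conf for this example (not a real deployment): the first stanza copies
# the shape of the page's example, the second is a deliberately weak one to be flagged.
SAMPLE_LDAP_CONF = """[mydomain.com]
server = 192.168.50.1;192.168.50.2
port = 636
ssl = true
basedn = dc=spl,dc=com
binddn = cn=Splunk Searcher,cn=Users,dc=spl,dc=com
password = {64}u9435tr8ujtgfnkjscc
alternatedomain = MYDOMAIN

[lab.example]
server = 10.0.0.5
port = 389
ssl = false
basedn = dc=lab,dc=example
binddn = cn=reader,cn=Users,dc=lab,dc=example
password = Summer2014!
"""

REQUIRED = ("server", "port", "basedn", "binddn", "password")


def parse_ldap_conf(text):
    """Return {stanza: {key: value}} for a Splunk-style .conf file (no '%' interpolation)."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_stanza(name, st):
    """List the problems in one domain stanza; an empty list means it passed."""
    findings = [f"{name}: missing '{k}'" for k in REQUIRED if not st.get(k, "").strip()]
    ssl_on = st.get("ssl", "false").strip().lower() in ("true", "1", "yes")
    port = st.get("port", "389").strip()
    if not ssl_on:  # over plain LDAP the bind password crosses the network in clear text
        findings.append(f"{name}: ssl is not enabled; bind password sent in clear text")
    elif port != "636":
        findings.append(f"{name}: ssl enabled but port is {port}, expected 636")
    # Assumption: the {64} prefix marks a password the add-on has encoded; without it the
    # value is a clear-text credential sitting on disk in the local/ directory.
    pw = st.get("password", "")
    if pw and not pw.startswith("{64}"):
        findings.append(f"{name}: password stored in clear text (no {{64}} prefix)")
    return findings


def audit_ldap_conf(text):
    return {name: check_stanza(name, st) for name, st in parse_ldap_conf(text).items()}
```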

Install the central instance of Splunk App for Windows Infrastructure

This procedure assumes you have already installed Splunk on the host you intend to use as the indexer for your Windows and Active Directory data.

1. Download the Splunk App for Windows Infrastructure from Splunk Apps.

2. Install the splunk-app-for-windows-infrastructure_xxx.tar.gz file into your Splunk instance.

Note: You can install the app by going into the Apps screen in Manager (Splunk 5.0) or Settings (Splunk 6.x) and clicking the Install app from file button. You can also unpack the installation package directly into %SPLUNK_HOME%\etc\apps on the server.

3. Restart Splunk.

4. Log back in to Splunk.

Configure Splunk to receive the data from the forwarders on your Windows servers

You can enable receiving on a Splunk instance through Splunk Web or the CLI.

Important: By default, the Splunk App for Windows Infrastructure configures your instance of Splunk to receive data over TCP port 9997. If you need this to be a different port, you can change this value. You will also need to change it in the outputs.conf file on each universal forwarder installed on your Windows servers, so that the forwarders send to the port the receiver listens on.

Set up receiving with Splunk Web

Use Splunk Manager or Settings to set up a receiver:

1. Log into Splunk Web as admin on the server that will be receiving data from a forwarder.

2. Click Manager (or Settings on Splunk 6.x) in the upper right corner.

3. Select Forwarding and receiving in the Data area.

4. Click Add new in the Receive data section.

5. Specify which TCP port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.

6. Click Save.

Note: You must restart Splunk to complete the process.

Set up receiving with the Splunk CLI

To access the CLI, first navigate to $SPLUNK_HOME/bin/ (%SPLUNK_HOME%\bin\ on Windows). This is unnecessary if you have added Splunk to your path.

To enable receiving, enter:

./splunk enable listen <port> -auth <username>:<password>

If you omit the -auth argument, Splunk prompts you for your Splunk username (by default, admin) and password.

For <port>, substitute the port you want the receiver to listen on (the listening port). For example, if you enter "9997," the receiver will receive data on port 9997. By default, receivers listen on port 9997, but you can specify any unused TCP port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.

To disable receiving, enter:

./splunk disable listen -port <port> -auth <username>:<password>

If you omit the -auth argument, Splunk prompts you for your Splunk username (by default, admin) and password.
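Both the Splunk Web and the CLI procedures above ask you to confirm that the chosen port is free and not in use by splunkweb or splunkd, and the earlier Important note requires the forwarders' outputs.conf to use the same port. This added Python example (not from the Splunk documentation) checks a candidate port against constructed netstat -an output and emits the matching CLI command and outputs.conf stanza; the 8000/8089 defaults and the indexer host name are assumptions.

```python
import re

# Constructed `netstat -an` style output for this example; not captured from a real host.
# It shows Splunk Web (8000) and the splunkd management port (8089) already listening.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING
TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING
TCP    127.0.0.1:8065         0.0.0.0:0              LISTENING
TCP    10.1.2.3:8089          10.1.2.50:51022        ESTABLISHED
UDP    0.0.0.0:514            *:*
"""

# Assumption: stock Splunk defaults (8000 = splunkweb, 8089 = splunkd); adjust if changed.
SPLUNK_RESERVED_PORTS = {8000: "splunkweb", 8089: "splunkd"}

# Matches Windows ("TCP ... LISTENING") and Linux ("tcp 0 0 ... LISTEN") netstat rows,
# including IPv6 local addresses such as [::]:8089.
LISTEN_RE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?\S+:(\d+)\s+\S+\s+LISTEN(?:ING)?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def listening_tcp_ports(netstat_output):
    """Set of TCP ports in LISTEN/LISTENING state parsed from `netstat -an` output."""
    return {int(m.group(1)) for m in LISTEN_RE.finditer(netstat_output)}


def check_receiver_port(port, netstat_output):
    """Return (ok, reason) for using `port` as the forwarder receiving port on this host."""
    if not 1 <= port <= 65535:
        return False, f"{port} is not a valid TCP port"
    if port in SPLUNK_RESERVED_PORTS:
        return False, f"port {port} is used by {SPLUNK_RESERVED_PORTS[port]}"
    if port in listening_tcp_ports(netstat_output):
        return False, f"port {port} is already listening on this host"
    return True, f"port {port} is free"


def receiver_commands(port, indexer_host):
    """CLI command for the indexer and the matching outputs.conf stanza for the forwarders.
    Credentials are left out on purpose: supply -auth interactively or let splunk prompt."""
    cli = f"splunk enable listen {port}"
    outputs_conf = (
        "[tcpout]\ndefaultGroup = windows_indexers\n\n"
        f"[tcpout:windows_indexers]\nserver = {indexer_host}:{port}\n"
    )
    return cli, outputs_conf
```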

Last modified on 15 October, 2014

This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4

