Install and configure a Splunk platform indexer
This topic discusses installing the basic building block of a Splunk App for Windows Infrastructure deployment: a Splunk platform indexer.
In this procedure, you will install the indexer and then configure it to receive data from other Splunk platform instances.
If you are using Splunk_TA_windows (TA-Windows) v6.0.0 or later, you do not need to install TA_AD and TA_DNS separately: their content is merged into TA-Windows v6.0.0.
Install the indexer
To install an indexer:
- Prepare a host that meets or exceeds the Splunk platform system requirements. During preparations:
- Write down the host name and IP address for the host.
- Ensure that no firewall blocks the traffic the indexer actually needs: at minimum, the receiving port you configure later in this topic (conventionally TCP 9997) from the hosts that will forward data, and the Splunk Web and management ports (8000 and 8089 by default) from the hosts you administer it from. Open those ports rather than disabling the firewall for the whole host.
- Download the Splunk platform software onto the machine.
- Install the correct version of the software for the operating system that the host runs.
- After installation, confirm that the Splunk platform software functions. At a minimum:
- The software starts without error.
- You can perform a basic search in the Search app (for example, a search over the _internal index returns events). If either check fails, resolve the problem before continuing.
If everything checks out, configure the indexer to have the correct indexes for the Splunk App for Windows Infrastructure.
Configure indexes
The indexer must have the indexes for the Splunk App for Windows Infrastructure defined before you can begin indexing the data. The Splunk App for Windows Infrastructure installation package comes with a file that defines those indexes. Every indexer in a Splunk App for Windows Infrastructure environment needs this configuration file.
To get this file:
- In a web browser, proceed to the Splunk App for Windows Infrastructure download page.
- Click the download link to begin the download process.
- Make sure you download the latest version of the app.
- You might need to sign in with your Splunk account before the download starts.
- When prompted, choose an accessible location to save the download. Do not attempt to run the download.
- Use an archive utility such as WinZip to unarchive the file into the etc/apps/ directory of your Splunk platform installation.
- In the unarchived etc/apps/splunk_app_windows_infrastructure directory, create a local/ directory.
- Define your indexes:
  - Create an indexes.conf file in etc/apps/splunk_app_windows_infrastructure/local/.
  - In indexes.conf, define the msad, perfmon, wineventlog, and windows indexes:

    [msad]
    homePath = $SPLUNK_DB/msad/db
    coldPath = $SPLUNK_DB/msad/colddb
    thawedPath = $SPLUNK_DB/msad/thaweddb
    maxDataSize = 10000
    maxHotBuckets = 10

    [perfmon]
    homePath = $SPLUNK_DB/perfmon/db
    coldPath = $SPLUNK_DB/perfmon/colddb
    thawedPath = $SPLUNK_DB/perfmon/thaweddb
    maxDataSize = 10000
    maxHotBuckets = 10

    [wineventlog]
    homePath = $SPLUNK_DB/wineventlog/db
    coldPath = $SPLUNK_DB/wineventlog/colddb
    thawedPath = $SPLUNK_DB/wineventlog/thaweddb
    maxDataSize = 10000
    maxHotBuckets = 10

    [windows]
    homePath = $SPLUNK_DB/windows/db
    coldPath = $SPLUNK_DB/windows/colddb
    thawedPath = $SPLUNK_DB/windows/thaweddb
    maxDataSize = 10000
    maxHotBuckets = 10

- If Splunk_TA_windows sends data to indexes other than these four defaults, you must also define those custom indexes on every indexer.
- Restart your Splunk platform instance. From an elevated PowerShell window on the indexer (the path contains a space, so quote it):

    > cd "\Program Files\Splunk\bin"
    > .\splunk restart
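The same procedure, scripted, as an added example that is not part of the Splunk documentation or the app's own code. It generates the four stanzas from a list of index names (so extra custom indexes are one line to add), refuses to overwrite an existing local/indexes.conf, restarts Splunk, and then uses btool to confirm that each index is defined and where the setting came from. It assumes Splunk Enterprise is installed in C:\Program Files\Splunk and that it runs in an elevated PowerShell session on the indexer.

```powershell
# Added example, not from the Splunk documentation. Assumes Splunk Enterprise
# is installed under $SplunkHome and this runs in an elevated PowerShell session.
$SplunkHome  = 'C:\Program Files\Splunk'
$Splunk      = Join-Path $SplunkHome 'bin\splunk.exe'
$LocalDir    = Join-Path $SplunkHome 'etc\apps\splunk_app_windows_infrastructure\local'
$IndexesConf = Join-Path $LocalDir 'indexes.conf'

# The four indexes the app expects. If Splunk_TA_windows is configured to send
# data to other indexes, add them here; they must exist on every indexer.
$Indexes = @('msad', 'perfmon', 'wineventlog', 'windows')

# Render one stanza per index. The backtick keeps $SPLUNK_DB literal so that
# Splunk, not PowerShell, expands it.
$stanzas = foreach ($name in $Indexes) {
@"
[$name]
homePath = `$SPLUNK_DB/$name/db
coldPath = `$SPLUNK_DB/$name/colddb
thawedPath = `$SPLUNK_DB/$name/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

"@
}

New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

# Do not silently clobber a local/indexes.conf someone already customised.
if (Test-Path $IndexesConf) {
    throw "$IndexesConf already exists; merge the stanzas by hand."
}
# ASCII encoding avoids writing a byte-order mark, which Splunk .conf parsing
# does not expect at the top of a file.
Set-Content -Path $IndexesConf -Value ($stanzas -join '') -Encoding ASCII

& $Splunk restart

# Verify: btool prints the merged configuration for each stanza and, with
# --debug, the file each setting was read from. A missing stanza is an error.
foreach ($name in $Indexes) {
    $out = & $Splunk btool indexes list $name --debug
    if (-not ($out -match "\[$name\]")) {
        Write-Error "index '$name' is not defined after restart"
    }
}
```

The btool check is the one worth keeping around: it tells you not only that an index exists but which indexes.conf defined it, which is how you catch a stanza that was dropped into the wrong app directory or shadowed by another app's local/ copy.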
You can now configure the indexer to receive data from other Splunk instances.
Configure receiving
The Splunk App for Windows Infrastructure depends on an indexer that can receive data from other hosts. Without this capability, the app cannot function. You will now enable receiving on this indexer.
To configure the indexer to receive data from other Splunk platform instances:
- Log into Splunk Enterprise on the indexer.
- In the system bar, click Settings > Forwarding and Receiving. Your Splunk platform loads the "Forwarding and Receiving" page.
- Under "Receive Data" click Configure Receiving.
- Click New.
- In the Listen on this port field, enter the port number that you want your Splunk platform to listen on for incoming data from other Splunk instances. The conventional port number is 9997.
- Click Save. Splunk Enterprise saves the port number and enables receiving on the indexer.
Your indexer is now configured to receive data. Confirm the host name or IP address and port number of the indexer. You will need it for the next step of the setup process.
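The receiving step from the command line, as an added example that is not part of the Splunk documentation or the app's own code. It enables the listener with the Splunk CLI (the same effect as Settings > Forwarding and Receiving > Configure Receiving > New), opens only that port in Windows Firewall and only to the forwarder network, and then verifies that Splunk reports the listener and that the TCP port answers. It assumes Splunk Enterprise in C:\Program Files\Splunk, port 9997, an elevated PowerShell session on the indexer, and a hypothetical forwarder network of 10.0.0.0/16 that you replace with your own.

```powershell
# Added example, not from the Splunk documentation. Assumes Splunk Enterprise
# under $SplunkHome, an elevated PowerShell session, and that forwarders live
# in $ForwarderNet (hypothetical value; replace it with your network).
$SplunkHome   = 'C:\Program Files\Splunk'
$Splunk       = Join-Path $SplunkHome 'bin\splunk.exe'
$Port         = 9997
$ForwarderNet = '10.0.0.0/16'

# Enable receiving on the port. This is what the Configure Receiving page does;
# the CLI prompts for Splunk credentials unless you pass -auth.
& $Splunk enable listen $Port

# Open only the receiving port, and only from the forwarder network, instead
# of turning the host firewall off.
New-NetFirewallRule -DisplayName "Splunk receiving TCP $Port" -Direction Inbound `
    -Protocol TCP -LocalPort $Port -RemoteAddress $ForwarderNet -Action Allow | Out-Null

# Verify from Splunk's side: it lists the ports it is configured to listen on.
& $Splunk display listen

# Verify from the network side: the TCP port must actually accept a connection.
# If this fails right after enabling, restart Splunk and probe again.
$probe = Test-NetConnection -ComputerName localhost -Port $Port
if (-not $probe.TcpTestSucceeded) {
    throw "nothing is listening on TCP $Port"
}
```

What this enables is a plain splunktcp listener ([splunktcp://9997] in inputs.conf): it accepts data in cleartext from any host that can reach the port, which is why the firewall rule above restricts the source. If forwarder traffic crosses a network you do not trust, configure the listener as [splunktcp-ssl:9997] with an [SSL] stanza that names the indexer's serverCert in inputs.conf instead, and point the forwarders' outputs.conf at that TLS port.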
Before you proceed, read our documentation on apps. You will create a simple app in the next step.
This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.5.2