Install a forward-only Splunk instance on Windows
This documentation does not apply to the most recent version of Splunk.
This procedure explains how to install a Splunk forwarder on Windows.
What you need:
- Forwarder license
- Administrator-level access to the server being configured
- Network share to house install files
Before you start:
- Create a network share (\\sharingserver\splunk).
- Place the Splunk MSI file into that share.
- Place a copy of your forwarder license file there as well (name it splunk.license).
Overview:
Rather than configuring everything manually through the GUI, this process limits GUI interaction to the installation of the Splunk MSI file. Run the following commands from the CMD shell.
Note: Substitute the exact filename of the Splunk MSI file that you are using for <splunk version>.
"\\sharingserver\splunk\<splunk version>.msi"
This starts the installation of the server.
Click through the screens as described in the installation documentation and choose the appropriate options for your installation. At the end of the install, allow splunkd to start but don't start Splunk Web.
Next, copy the license file and restart splunkd:
copy "\\sharingserver\splunk\splunk.license" "c:\program files\splunk\etc\splunk.license"
"c:\program files\splunk\bin\splunk.exe" restart splunkd
At this point, Splunk behaves like a licensed version, which means that the admin password will have changed.
Change the password to something else. This procedure uses "somethingsensible" as a placeholder throughout the rest of the commands; substitute your own password.
This resets the password to 'somethingsensible':
"c:\program files\splunk\bin\splunk.exe" edit user admin -password somethingsensible -auth admin:changeme
This adds a forward-server called 'splunk.yourcompany.com' that listens on port 9997:
"c:\program files\splunk\bin\splunk.exe" add forward-server splunk.yourcompany.com:9997 -auth admin:somethingsensible
This sets the server you're configuring to be a forward-only server:
"c:\program files\splunk\bin\splunk.exe" set server-type forwarder -auth admin:somethingsensible
This disables the Splunk Web server:
"c:\program files\splunk\bin\splunk.exe" disable webserver -auth admin:somethingsensible
This restarts splunkd:
"c:\program files\splunk\bin\splunk.exe" restart splunkd -auth admin:somethingsensible
After this, you can visit the Windows Services control panel applet and set splunkd to start automatically, as well as define some recovery parameters.
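The post-install steps above as a single batch file, including the service startup and recovery settings otherwise made in the Services applet. This is an added example, not part of the original Splunk documentation. It assumes splunk.exe returns a non-zero exit code on failure, that the Windows service is named splunkd as on this page, and uses sample recovery values.

```batch
@echo off
rem Added example: scripted forwarder configuration, run after the MSI install
rem has finished and splunkd is running. Paths and host names are the ones
rem used on this page; adjust them for your environment.
setlocal
set "SPLUNK=c:\program files\splunk\bin\splunk.exe"
set "SHARE=\\sharingserver\splunk"
set "INDEXER=splunk.yourcompany.com:9997"

rem Read the new admin password at run time so it is not stored in this file.
rem Passwords containing double quotes or percent signs will not survive
rem batch expansion.
set /p "NEWPASS=New admin password: "
if not defined NEWPASS (echo No password entered.& exit /b 1)

rem Install the forwarder license and restart so it takes effect.
copy /y "%SHARE%\splunk.license" "c:\program files\splunk\etc\splunk.license" || goto :fail
"%SPLUNK%" restart splunkd || goto :fail

rem The first authenticated call uses the default credentials shown on the page.
"%SPLUNK%" edit user admin -password "%NEWPASS%" -auth admin:changeme || goto :fail
set "AUTH=admin:%NEWPASS%"

"%SPLUNK%" add forward-server %INDEXER% -auth "%AUTH%" || goto :fail
"%SPLUNK%" set server-type forwarder -auth "%AUTH%" || goto :fail
"%SPLUNK%" disable webserver -auth "%AUTH%" || goto :fail
"%SPLUNK%" restart splunkd -auth "%AUTH%" || goto :fail

rem Start splunkd automatically at boot (assumed service name: splunkd).
sc config splunkd start= auto || goto :fail
rem Sample recovery policy: restart after 60 s on the first two failures,
rem reset the failure counter after one day.
sc failure splunkd reset= 86400 actions= restart/60000/restart/60000 || goto :fail

echo Forwarder setup complete.
exit /b 0

:fail
echo A step failed with exit code %errorlevel%. 1>&2
exit /b 1
```

Run it from an elevated CMD shell, since sc config and writes under Program Files require administrator rights.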
This documentation applies to the following versions of Splunk: 3.3.2, 3.3.3, 3.3.4