Integrate a universal forwarder onto a system image
This topic discusses the procedure to integrate a Splunk universal forwarder into a Windows system image. For additional information about integrating Splunk into images, see "Integrate Splunk into system images."
To integrate a universal forwarder into a system image:
1. Using a reference computer, install and configure Windows to your liking, including installing any needed Windows features, patches and other components.
2. Install and configure any necessary applications, taking into account Splunk's system and hardware capacity requirements.
3. Install and configure the universal forwarder from the command line, supplying at least the
LAUNCHSPLUNK=0 command line flag.
Important: You must specify the
LAUNCHSPLUNK=0 command line flag to prevent Splunk from running after the installation is completed..
4. Proceed through the graphical portion of the install, selecting the inputs, deployment servers, and/or forwarder destinations you need.
5. Once you have completed the install, open a command prompt.
6. From this prompt, edit any additional configuration files that are not configurable in the installer.
7. Close the command prompt window.
8. Ensure that the
splunkd service is set to start automatically by setting its startup type to 'Automatic' in the Services Control Panel.
9. Prepare the system image for domain participation using a utility such as SYSPREP (for Windows XP and Windows Server 2003/2003 R2) and/or Windows System Image Manager (WSIM) (for Windows Vista, Windows 7, and Windows Server 2008/2008 R2).
Note: Microsoft recommends using SYSPREP and WSIM as the method to change machine Security Identifiers (SIDs) prior to cloning, as opposed to using third-party tools (such as Ghost Walker or NTSID.)
10. Once you have configured the system for imaging, reboot the machine and clone it with your favorite imaging utility.
The image is now ready for deployment.
Put Splunk onto system images
Integrate full Splunk onto a system image
This documentation applies to the following versions of Splunk® Enterprise: