Admin Manual

 


Integrate a universal forwarder onto a system image

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk.

This topic discusses the procedure to integrate a Splunk universal forwarder into a Windows system image. For additional information about integrating Splunk into images, see "Integrate Splunk into system images."

To integrate a universal forwarder into a system image:

1. Using a reference computer, install and configure Windows to your liking, including installing any needed Windows features, patches and other components.

2. Install and configure any necessary applications, taking into account Splunk's system and hardware capacity requirements.

3. Install and configure the universal forwarder from the command line, supplying at least the LAUNCHSPLUNK=0 command line flag.

Important: You must specify the LAUNCHSPLUNK=0 command line flag to prevent Splunk from running after the installation is completed.

4. Proceed through the graphical portion of the install, selecting the inputs, deployment servers, and/or forwarder destinations you need.

5. Once you have completed the install, open a command prompt.

6. From this prompt, edit any additional configuration files that are not configurable in the installer.

7. Close the command prompt window.

8. Ensure that the splunkd service is set to start automatically by setting its startup type to 'Automatic' in the Services Control Panel.

9. Prepare the system image for domain participation using a utility such as SYSPREP (for Windows XP and Windows Server 2003/2003 R2) and/or Windows System Image Manager (WSIM) (for Windows Vista, Windows 7, and Windows Server 2008/2008 R2).

Note: Microsoft recommends using SYSPREP and WSIM as the method to change machine Security Identifiers (SIDs) prior to cloning, as opposed to using third-party tools (such as Ghost Walker or NTSID).

10. Once you have configured the system for imaging, reboot the machine and clone it with your favorite imaging utility.

The image is now ready for deployment.
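A check to run on the reference computer before step 9, as an added example (not part of Splunk's documentation or tooling): it confirms that the forwarder service is set to start automatically (step 8) and is not running (step 3). The service name `splunkd` is taken from step 8 and is an assumption, the function name is hypothetical, and the installer file name in the comment is a placeholder.

```powershell
# Added example: pre-capture check for the reference computer (Windows PowerShell).
# Step 3 would have been run as, for example:
#   msiexec.exe /i <forwarder-installer>.msi LAUNCHSPLUNK=0
param(
    # Assumption: the service name as step 8 gives it. Use the name that
    # services.msc shows for the forwarder if it differs on your build.
    [string]$ServiceName = 'splunkd'
)

function Get-ForwarderImagingProblems {
    param([string]$Name)

    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        "Service '$Name' not found: forwarder missing or registered under another name."
        return
    }

    # Step 8: the clone must bring the forwarder up on first boot.
    if ($svc.StartMode -ne 'Auto') {
        "StartMode is '$($svc.StartMode)', expected 'Auto'."
    }

    # Step 3: LAUNCHSPLUNK=0 means the forwarder has not been started on the
    # reference computer. A running service means the flag was omitted or the
    # service was started by hand.
    if ($svc.State -ne 'Stopped') {
        "State is '$($svc.State)', expected 'Stopped' before capture."
    }
}

$problems = @(Get-ForwarderImagingProblems -Name $ServiceName)

if ($problems.Count -eq 0) {
    Write-Output "OK: '$ServiceName' is Automatic and stopped; continue with step 9."
    exit 0
}

$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

A non-zero exit code lets an image build script stop before SYSPREP or WSIM runs.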

This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8


Comments

Hi Cramasta,

Correct; I've fixed that as well as a reference to splunkweb.

Malmoore, Splunker
November 19, 2012

splunk clean eventdata is no longer a valid command on the Windows UF

Cramasta
November 19, 2012
