Splunk® Enterprise

Admin Manual

Integrate a universal forwarder onto a system image

This topic discusses the procedure to integrate a Splunk universal forwarder into a Windows system image. For additional information about integrating Splunk Enterprise into images, see Integrate Splunk Enterprise into system images.

  1. On a reference computer, install and configure Windows the way that you want, including installing Windows features, service packs, and other components.
  2. Install and configure necessary applications, taking into account Splunk's system and hardware capacity requirements.
  3. Install and configure the universal forwarder from the command line. You must supply at least the LAUNCHSPLUNK=0 command line flag when you perform the installation.
  4. Proceed through the graphical portion of the install, selecting the inputs, deployment servers, and/or forwarder destinations you need.
  5. Once you have completed the install, open a command prompt or PowerShell window.
  6. From this prompt, edit any additional configuration files that are not configurable in the installer.
  7. After you edit configuration files, from the prompt, change to the universal forwarder bin directory.
  8. Run ./splunk clone-prep-clear-config.
  9. Close the command prompt or PowerShell window.
  10. In the Services Control Panel, configure the splunkd service to start automatically by setting its startup type to 'Automatic'.
  11. Prepare the system image for domain participation using a utility such as Windows System Image Manager (WSIM). Microsoft recommends using SYSPREP or WSIM as the method to change machine Security Identifiers (SIDs) prior to cloning, as opposed to using third-party tools (such as Ghost Walker or NTSID).
  12. After you have configured the system for imaging, reboot the machine and clone it with your favorite imaging utility.

The image is now ready for deployment.
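
The command-line parts of the procedure (steps 3, 7, 8 and 10) can be scripted and checked from an elevated PowerShell window. The script below is an added example, not code from the Splunk documentation. It assumes a placeholder installer path, the install directory C:\Program Files\SplunkUniversalForwarder, and the service name splunkd as written in step 10; adjust all three to match the reference computer.

```powershell
# Added example. Defaults are assumptions or placeholders, not values from the Splunk page.
param(
    [string]$MsiPath     = 'C:\Temp\universalforwarder.msi',            # placeholder installer path
    [string]$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder', # assumed install directory
    [string]$ServiceName = 'splunkd',                                   # service name as written in step 10
    [switch]$Install
)
$ErrorActionPreference = 'Stop'

if ($Install) {
    # Step 3: LAUNCHSPLUNK=0 is mandatory. No /quiet, so the graphical
    # portion of the installer (step 4) still runs.
    $msi = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
        -ArgumentList "/i `"$MsiPath`" LAUNCHSPLUNK=0"
    if ($msi.ExitCode -ne 0) { throw "msiexec exited with code $($msi.ExitCode)" }
    Write-Host 'Installed. Edit remaining configuration files (step 6), then re-run without -Install.'
    return
}

# Sanity check: with LAUNCHSPLUNK=0 the service should not have been started yet.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    Write-Warning "$ServiceName is $($svc.Status); it was expected to be stopped on the reference computer."
}

# Steps 7 and 8: run clone-prep-clear-config from the forwarder bin directory.
Push-Location (Join-Path $SplunkHome 'bin')
try {
    & .\splunk.exe clone-prep-clear-config
    if ($LASTEXITCODE -ne 0) { throw "clone-prep-clear-config exited with code $LASTEXITCODE" }
}
finally {
    Pop-Location
}

# Step 10: startup type Automatic, then read the setting back to confirm it.
Set-Service -Name $ServiceName -StartupType Automatic
$mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartMode
if ($mode -ne 'Auto') { throw "$ServiceName start mode is '$mode', expected 'Auto'" }
Write-Host "$ServiceName is set to start automatically. Continue with SYSPREP/WSIM (step 11)."
```

Run it once with -Install for steps 3 and 4, edit configuration files by hand, then run it again without the switch before preparing the image.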


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2

