Integrate a universal forwarder onto a system image
This topic discusses the procedure to integrate a Splunk universal forwarder into a Windows system image. For additional information about integrating Splunk Enterprise into images, see Integrate Splunk Enterprise into system images.
Install and configure Windows and applications
- On a reference computer, install and configure Windows the way that you want, including installing Windows features, service packs, and other components.
- Install and configure necessary applications, taking into account Splunk's system and hardware capacity requirements.
- Install and configure the universal forwarder from the command line. You must supply at least the LAUNCHSPLUNK=0 command line flag when you perform the installation.
- Proceed through the graphical portion of the install, selecting the inputs, deployment servers, and/or forwarder destinations you want.
- After the installation has completed, open a command prompt or PowerShell window.
Edit configurations and run clone-prep-clear-config
- (Optional) Edit configuration files that were not configurable in the installer.
- Change to the universal forwarder
- Exit the command prompt or PowerShell window.
- In the Services Control Panel, configure the splunkd service to start automatically by setting its startup type to 'Automatic'.
- Prepare the system image for domain participation using a utility such as Windows System Image Manager (WSIM). Microsoft recommends using SYSPREP or WSIM as the method to change machine Security Identifiers (SIDs) prior to cloning, as opposed to using third-party tools (such as Ghost Walker or NTSID).
Clone and restore the image
- Restart the machine and clone it with your favorite imaging utility.
- After cloning the image, use the imaging utility to restore it into another physical or virtual machine.
- Run the cloned image. Splunk services start automatically.
- Restart Splunk software to remove the
- Confirm that the $SPLUNK_HOME\clone-prep file has been deleted.
The image is now ready for deployment.
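The checks in this procedure can be scripted as a gate at both ends of the imaging workflow. The following PowerShell script is an added example, not part of the Splunk documentation. It assumes the install path shown in the parameter default and that running clone-prep-clear-config is what creates the clone-prep file; the service name and file name are the ones given on this page.

```powershell
# Added example: verify the reference image before capture (-Stage Reference)
# and a restored clone after its Splunk restart (-Stage Clone).
param(
    [ValidateSet('Reference', 'Clone')]
    [string]$Stage = 'Reference',
    # Assumption: install location; adjust to your $SPLUNK_HOME.
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    # Service name as given on this page.
    [string]$ServiceName = 'splunkd'
)

# Marker file named on this page ($SPLUNK_HOME\clone-prep).
$marker = Join-Path $SplunkHome 'clone-prep'
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$failures = @()

# Both stages: the service must exist and start automatically.
if (-not $svc) {
    $failures += "Service '$ServiceName' is not installed."
} elseif ($svc.StartMode -ne 'Auto') {
    $failures += "Service '$ServiceName' start mode is '$($svc.StartMode)', expected 'Auto'."
}

switch ($Stage) {
    'Reference' {
        # Assumption: the marker exists once clone-prep-clear-config has run.
        if (-not (Test-Path -LiteralPath $marker -PathType Leaf)) {
            $failures += "Marker '$marker' is missing. Run clone-prep-clear-config before capture."
        }
    }
    'Clone' {
        # After the restore: services running and the marker removed.
        if ($svc -and $svc.State -ne 'Running') {
            $failures += "Service '$ServiceName' is '$($svc.State)', expected 'Running'."
        }
        if (Test-Path -LiteralPath $marker) {
            $failures += "Marker '$marker' still exists. Restart Splunk software and check again."
        }
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "[$Stage] image checks passed."
```

A non-zero exit code lets an image build or deployment task stop before a reference image without the clone-prep step, or a clone that still carries the marker, goes any further.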
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0