Put Splunk onto system images
This topic explains the concepts of making Splunk a part of every Windows system image or installation process. It also guides you through the general process of integration, regardless of the imaging utilities that you use.
- For more specific information about getting Windows data into Splunk, review "About Windows data and Splunk" in the Getting Data In Manual.
- For information on distributed Splunk deployments, read "Distributed overview" in the Distributed Deployment Manual. That overview describes Splunk's distributed deployment capabilities and is essential reading for understanding how to set up Splunk deployments, irrespective of the operating system that you use.
- For information about planning larger Splunk deployments, read "Introduction to capacity planning for Splunk Enterprise" in the Capacity Planning Manual and "Deploying Splunk on Windows" in this manual.
Concepts for system integration on Windows
The main reason to integrate Splunk into Windows system images is to ensure that Splunk is available immediately when the machine is activated for use in the enterprise. This frees you from having to install and configure Splunk after activation.
In this scenario, when a Windows system is activated, it launches Splunk immediately after booting. Then, depending on the type of Splunk instance installed and how it is configured, Splunk either collects data from the machine and forwards it to an indexer (the common case), or indexes data that is forwarded from other Windows machines.
System administrators can also configure Splunk instances to contact a deployment server, which allows for further configuration and update management.
In many typical environments, universal forwarders on Windows machines send data to a central indexer or group of indexers, which then allow that data to be searched, reported and alerted on, depending on your specific needs.
Considerations for system integration
Integrating Splunk into your Windows system images requires planning.
In most cases, the preferred Splunk component to integrate into a Windows system image is a universal forwarder. The universal forwarder is designed to share resources on computers that perform other roles, and does much of the work that an indexer can, at much less cost. You can also modify the forwarder's configuration using Splunk's deployment server or an enterprise-wide configuration manager with no need to use Splunk Web to make changes.
In some situations, you may want to integrate a full instance of Splunk into a system image. Where and when this is more appropriate depends on your specific needs and resource availability.
Splunk doesn't recommend that you include a full version of Splunk in an image for a server that performs any other type of role, unless you have specific need for the capability that an indexer has over a forwarder. Installing multiple indexers in an enterprise does not give you additional indexing power or speed, and can lead to undesirable results.
Before integrating Splunk into a system image, consider:
- the amount of data you want Splunk to index, and where you want Splunk to send that data, if applicable. This feeds directly into disk space calculations, and should be a top consideration.
- the type of Splunk instance to install on the image or machine. Universal forwarders have a significant advantage when installing on workstations or servers that perform other duties, but might not be appropriate in some cases.
- the available system resources on the imaged machine. How much disk space, RAM and CPU resources are available on each imaged system? Will it support a Splunk install?
- the resource requirements of your network. Splunk needs network resources, whether you're using it to connect to remote machines using WMI to collect data, or you're installing forwarders on each machine and sending that data to an indexer.
- the system requirements of other programs installed on the image. If Splunk shares a machine with other server software, it competes with those programs for the available resources. Consider whether or not you should install other programs on a workstation or server that is running a full instance of Splunk. A universal forwarder works better in cases like this, as it is designed to be lightweight.
- the role that the imaged machine plays in your environment. Will it be a workstation only running productivity applications like Office? Or will it be an operations master domain controller for your Active Directory forest?
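The checklist above can be run as a readiness audit on a candidate base machine before it is captured. The following PowerShell script is an added example, not part of the Splunk documentation; the indexer host name, the receiving port and the minimum disk and RAM thresholds are assumptions to adjust for your environment, and `SplunkForwarder` is the Windows service name the universal forwarder registers.

```powershell
# Added example (not from the Splunk docs): pre-image readiness audit for a Windows host
# that will carry a Splunk universal forwarder. Host name, port and thresholds are assumptions.
param(
    [string]$IndexerHost = 'indexer.example.internal',   # assumed indexer FQDN
    [int]$ReceivePort    = 9997,                         # assumed receiving port on the indexer
    [int]$MinFreeDiskGB  = 5,
    [int]$MinTotalRamGB  = 2
)

$findings = @()
$os  = Get-CimInstance Win32_OperatingSystem
$cs  = Get-CimInstance Win32_ComputerSystem
$sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"

# 1. Disk: the forwarder keeps its own logs and queue files under its install directory.
$freeGB = [math]::Round($sys.FreeSpace / 1GB, 1)
if ($freeGB -lt $MinFreeDiskGB) { $findings += "Only $freeGB GB free on $($os.SystemDrive)" }

# 2. RAM and CPU that Splunk would share with whatever else runs on the box.
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
if ($ramGB -lt $MinTotalRamGB) { $findings += "Only $ramGB GB RAM installed" }
$cpus = $cs.NumberOfLogicalProcessors

# 3. Role: DomainRole 4/5 mean backup/primary domain controller. A DC should get a
#    forwarder, not a full instance, so flag it for the person building the image.
$roleNames = @{0='Standalone workstation';1='Member workstation';2='Standalone server';
               3='Member server';4='Backup domain controller';5='Primary domain controller'}
$role = $roleNames[[int]$cs.DomainRole]
if ($cs.DomainRole -ge 4) { $findings += "Host is a domain controller ($role): forwarder only" }

# 4. Existing install: if a forwarder is already present, the imaging procedure must
#    account for it rather than lay a second copy on top.
$svc = Get-Service -Name 'SplunkForwarder' -ErrorAction SilentlyContinue
if ($svc) { $findings += "SplunkForwarder service already present ($($svc.Status))" }

# 5. Network: confirm the host can reach the indexer's receiving port from this segment.
$net = Test-NetConnection -ComputerName $IndexerHost -Port $ReceivePort -WarningAction SilentlyContinue
if (-not $net.TcpTestSucceeded) { $findings += "Cannot reach ${IndexerHost}:${ReceivePort}" }

# Summary object; an empty Findings field means the host passed every check.
[pscustomobject]@{
    ComputerName     = $cs.Name
    Role             = $role
    FreeDiskGB       = $freeGB
    RamGB            = $ramGB
    LogicalCPUs      = $cpus
    IndexerReachable = $net.TcpTestSucceeded
    Findings         = ($findings -join '; ')
}
```

Run it on the reference machine before capturing the image, and again on a freshly deployed clone to confirm the forwarder still reaches the indexer from its new network position.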
Integrate Splunk into a system image
Once you have determined the answers to the questions in the checklist above, the next step is to integrate Splunk into your system images. The steps listed are generic, allowing you to use your favorite system imaging or configuration tool to complete the task.
Choose one of the following options for system integration:
- Integrate a universal forwarder onto a system image
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3