Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure


Install the Splunk App for Windows Infrastructure on a search head cluster

The Splunk App for Windows Infrastructure can be installed in a search head cluster. The procedure to install the app on a search head cluster is different from the procedure for a stand-alone search head.

This topic contains basic instructions on how to install and configure the Splunk App for Windows Infrastructure on a search head cluster. To learn more about how to install and configure search head clusters, see "Deploy a search head cluster" in the Distributed Search manual.

The tasks to complete setup of the Splunk App for Windows Infrastructure on a search head cluster are:

  • Configure a search head cluster, including a separate instance for a search head cluster deployer.
  • Install the Splunk Add-on for Windows on the search head cluster.
  • Install the Splunk Supporting Add-on for Active Directory on the search head cluster.
  • Install the Splunk App for Windows Infrastructure on the search head cluster.
  • Run the first time setup on the search head cluster.
  • (Optional) If you run Splunk Enterprise version 6.3 or earlier, add the "winfra_admin" role to the search head cluster members.
  • Build lookups on a search head cluster member.

Configure the search head cluster

To install the Splunk App for Windows Infrastructure on a search head cluster, you must have a cluster configured.

When you designate hosts for a search head cluster, always install new instances of Splunk Enterprise. If you attempt to add an existing instance to a search head cluster, the process overwrites any configurations or apps that reside on the instance.

Also, designate a separate host as a search head cluster deployer.

To configure a search head cluster, see "Deploy a search head cluster" in the Distributed Search manual.

Install the Splunk Add-on for Windows on the deployer

Install the Splunk Add-on for Windows onto the search head cluster deployer instance.

1. In a web browser, proceed to the Splunk Add-on for Windows download page.

2. Click the download link to start the download.

  • Make sure you download the latest version of the add-on.
  • You might need to sign in with your Splunk account before the download starts.

3. When prompted, choose an accessible location on your deployer to save the download. Do not attempt to run the download.

4. Use an archive utility such as WinZip or tar to unarchive the file to the %SPLUNK_HOME%\etc\apps directory on the deployer.

Install the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) on the deployer

Next, install the Splunk Supporting Add-on for Active Directory on the deployer:

1. In a web browser, proceed to the Splunk Supporting Add-on for Active Directory download page.

2. Click the download link to start the download.

  • Make sure you download the latest version of the add-on.
  • You might need to sign in with your Splunk account before the download starts.

3. When prompted, choose an accessible location on your deployer to save the download. Do not attempt to run the download.

4. Use an archive utility such as WinZip or tar to unarchive the file to the %SPLUNK_HOME%\etc\apps directory on the deployer.

Install the Splunk App for Windows Infrastructure on the deployer

Next, install the Splunk App for Windows Infrastructure on the deployer.

1. Download the Splunk App for Windows Infrastructure if you have not already.

2. Use an archive utility such as WinZip or tar to unarchive the file to %SPLUNK_HOME%\etc\apps on the deployer.

3. Restart Splunk Enterprise on the deployer.

Add the "winfra_admin" role to the user that will run the app on the deployer

To run the first-time setup on the search head cluster deployer instance, the winfra_admin role must be present. The Splunk App for Windows Infrastructure provides this role, but you must assign it to the user that will run the app so that the first-time run experience works.

1. Log into Splunk Enterprise on the deployer.

2. In the system bar, click Settings > Access controls.

3. Click Users.

4. Click the user that will run the application. Splunk Enterprise displays the information page for the user.

5. In the Assign to roles section, in the Available roles column, click the winfra_admin role. The role moves from the Available roles column to the Selected roles column.

Note: If you do not see the winfra_admin role in the list, make sure that you have installed the application, as described in "Install the Splunk App for Windows Infrastructure on the deployer".

6. Click Save. Splunk Enterprise assigns the role to the user you selected.

Add search peers with Windows data to the deployer

Before the first time setup experience can complete, you must add at least one search peer (indexer) with Windows data.

If you followed the instructions in this manual, then you already have an indexer with Windows data. Configure this host as a search peer to the deployer.

If you have not collected Windows data yet, then follow the setup chapters in this manual to get this data before continuing:

  • Set up basic infrastructure
  • Get Windows data
  • (Optional) Get Active Directory data
  • (Optional) Get Domain Name Service (DNS) data

To configure a search peer:

1. From the deployer, log into Splunk Enterprise.

2. Click Settings > Distributed search.

3. In the Actions column, next to Search peers, click Add new.

4. In the Peer field, enter the host name or IP address and management port number of the search peer (indexer) that contains the Windows data. For example, if the host name is idx1.mycompany.com, enter idx1.mycompany.com:8089. If the management port is not the default, use the port number that you configured.

5. In the Remote username field, enter the user that the deployer should use to authenticate into the search peer. This user must be an existing user on the search peer, and must have the 'admin' role.

6. In the Remote password field, enter the password for the user that the deployer should supply to the search peer when it connects.

7. In the Confirm password field, re-enter the password you used in the previous step.

8. Click Save. The deployer saves the configuration and authenticates into the search peer.

9. Restart Splunk Enterprise on the deployer.

Run the first-time setup experience on the deployer

Log into Splunk Enterprise and start the first-time setup experience.

1. On the deployer, log into Splunk Enterprise.

2. Open the Splunk App for Windows Infrastructure. From the system bar, click Apps > Splunk App for Windows Infrastructure.

3. Follow the prompts and confirm that you have all the data that the app needs.

4. (Optional) After the first-time setup completes, remove the search peers from the deployer.

Distribute the app, add-ons, and configurations to the other search head cluster members

Push the configuration bundle from the search head cluster deployer to one search head member.

1. From a command or shell prompt on the deployer, copy the app, add-ons, and configurations to the search head cluster apps directory:

Copy-Item -Path "C:\Program Files\Splunk\etc\apps\Splunk_TA_windows" -Destination "C:\Program Files\Splunk\etc\shcluster\apps" -Recurse -Force
Copy-Item -Path "C:\Program Files\Splunk\etc\apps\SA_LDAPsearch" -Destination "C:\Program Files\Splunk\etc\shcluster\apps" -Recurse -Force
Copy-Item -Path "C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure" -Destination "C:\Program Files\Splunk\etc\shcluster\apps" -Recurse -Force

2. From a command or shell prompt on the deployer, push the app, add-ons, and configurations to one search head cluster member:

splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>

In this command:

  • -target specifies the URI and management port of one of the search head cluster members. For example, if one of the members is splunk2.mycompany.com, you would specify https://splunk2.mycompany.com:8089.

3. The deployer displays the following message:

Warning: Depending on the configuration changes being pushed, this command
might initiate a rolling-restart of the cluster members. Please refer to the
documentation for the details.  Do you wish to continue? [y/n]:

Proceed by responding to the message with y.

4. Wait for the deployer to send the configuration bundle to the search head cluster members.
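The staging and push steps above as one script, added here as an example and not part of the Splunk documentation or the app. It assumes the default install path unless SPLUNK_HOME is set, that the three app directory names match those used on this page, and that the member URI is given in the form shown above; -auth is left off so that the Splunk CLI prompts for credentials rather than recording the password in shell history.

```powershell
# Added example (not from the Splunk documentation): stage the three apps into
# the deployer's etc\shcluster\apps directory, verify the staged copies, then
# push the bundle to one search head cluster member.
param(
    [Parameter(Mandatory = $true)]
    [string]$Target   # e.g. https://splunk2.mycompany.com:8089 (constructed sample)
)

$ErrorActionPreference = 'Stop'

# Assumption: default install path when SPLUNK_HOME is not set in the environment.
$splunkHome = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\Splunk' }
$appsDir    = Join-Path $splunkHome 'etc\apps'
$stageDir   = Join-Path $splunkHome 'etc\shcluster\apps'

# The three packages installed on the deployer in the preceding sections.
$apps = @('Splunk_TA_windows', 'SA_LDAPsearch', 'splunk_app_windows_infrastructure')

# Refuse to push a partial bundle: every app must exist before anything is copied.
$missing = $apps | Where-Object { -not (Test-Path (Join-Path $appsDir $_)) }
if ($missing) {
    throw "Not installed on the deployer: $($missing -join ', ')"
}

New-Item -ItemType Directory -Path $stageDir -Force | Out-Null

foreach ($app in $apps) {
    $src = Join-Path $appsDir $app
    # Paths are passed as variables, so the space in 'Program Files' needs no quoting here.
    Copy-Item -Path $src -Destination $stageDir -Recurse -Force

    # Sanity check on the staged copy: a Splunk app carries a default\ directory.
    $staged = Join-Path $stageDir $app
    if (-not (Test-Path (Join-Path $staged 'default'))) {
        throw "Staged copy of $app has no default\ directory; check the unarchive step"
    }
}

# Push to one member. -auth is deliberately omitted so the CLI prompts for the
# username and password instead of exposing them on the command line.
$splunkExe = Join-Path $splunkHome 'bin\splunk.exe'
& $splunkExe apply shcluster-bundle -target $Target
```

Answer y at the rolling-restart warning, exactly as in step 3 above.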

On Splunk Enterprise 6.3 and earlier only, add roles to all search head cluster members

If you run an on-premises Splunk Enterprise version 6.3 or earlier, you must manually add the winfra_admin role to the user that runs the app on the other search head cluster members. Those versions do not replicate user roles across search head cluster members automatically.

You do not need to perform this procedure if you run Splunk Cloud.

1. Log into Splunk Enterprise on a search head cluster member.

2. In the system bar, click Settings > Access controls.

3. Click Users.

4. Click the user that will run the application. Splunk Enterprise displays the information page for the user.

5. In the Assign to roles section, in the Available roles column, click the winfra_admin role. The role moves from the Available roles column to the Selected roles column.

Note: If you do not see the winfra_admin role in the list, make sure that you have distributed the apps and configurations as described in "Distribute the app, add-ons, and configurations to the other search head cluster members".

6. Click Save. Splunk Enterprise assigns the role to the user you selected.

7. Repeat this process on all the other search head cluster members.

Build lookups on one search head cluster member

To complete setup of the app, build lookups for the app on one search head cluster member.

1. Log into Splunk Enterprise on a search head cluster member.

2. Open the Splunk App for Windows Infrastructure. In the system bar, select Apps > Splunk App for Windows Infrastructure.

3. In the menu bar, select Tools and Settings > Build lookups.

4. Wait for the lookup build process to complete.

5. Once the build completes, click Finish and go back.

You can now use the Splunk App for Windows Infrastructure. Visit the Reference manual for information on how to use the app dashboards.


This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.2.0, 1.2.1, 1.3.0
