Install the Splunk App for Windows Infrastructure on a search head cluster
The Splunk App for Windows Infrastructure can be installed in a search head cluster. The procedure to install the app on a search head cluster is different than performing it on a stand-alone search head.
This topic contains basic instructions on how to install and configure the Splunk App for Windows Infrastructure on a search head cluster. To learn more about how to install and configure search head clusters, see "Deploy a search head cluster" in the Distributed Search manual.
The final tasks for setup of the Splunk App for Windows Infrastructure are:
- Configure a search head cluster, including a separate instance for a search head cluster deployer.
- Install the Splunk Add-on for Windows version 5.0.1 or 6.0.0 on the search head cluster.
- Install the Splunk Supporting Add-on for Active Directory on the search head cluster.
- Install the Splunk App for Windows Infrastructure on the search head cluster.
- Check authorize.conf and macros.conf in /splunk_app_microsoft_exchange/default/ on the deployer and make sure all changes are done as per Download and configure the Splunk Add-on for Windows.
- Run the first time setup on the search head cluster.
- Add the winfra-admin role to the search head cluster members.
- Build lookups on a search head cluster member.
Configure the search head cluster
To install the Splunk App for Windows Infrastructure on a search head cluster, you must have a cluster configured.
When you designate hosts for a search head cluster, always install new instances of Splunk Enterprise. If you attempt to add an existing instance to a search head cluster, the process overwrites any configurations or apps that reside on the instance.
Also, designate a separate host as a search head cluster deployer.
To configure a search head cluster, see "Deploy a search head cluster" in the Distributed Search manual.
Install the Splunk Add-on for Windows on the deployer
Install the Splunk Add-on for Windows version 5.0.1 or 6.0.0 onto the search head cluster deployer instance.
- In a web browser, navigate to the Splunk Add-on for Windows download page.
- Change the version to 5.0.1 or 6.0.0, and click the download link to start the download.
- Make sure you download the Splunk Add-on for Windows version 5.0.1 or 6.0.0. The Splunk Add-on for Windows version 5.0.0 is not compatible with the Splunk App for Windows Infrastructure.
- You might need to sign in with your Splunk account before the download starts.
- When prompted, choose an accessible location on your deployer to save the download. Do not attempt to run the download.
- Use an archive utility such as WinZip or tar to unarchive the file to the %SPLUNK_HOME%\etc\apps directory on the deployer.
Install the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) on the deployer
Next, install the Splunk Supporting Add-on for Active Directory on the deployer:
- In a web browser, proceed to the Splunk Supporting Add-on for Active Directory download page.
- Click the download link to start the download.
- Make sure you download the latest version of the add-on.
- You might need to sign in with your Splunk account before the download starts.
- When prompted, choose an accessible location on your deployer to save the download. Do not attempt to run the download.
- Use an archive utility such as WinZip or tar to unarchive the file to the %SPLUNK_HOME%\etc\apps directory on the deployer.
Install the Splunk App for Windows Infrastructure on the deployer
Next, install the Splunk App for Windows Infrastructure on the deployer.
- Download the Splunk App for Windows Infrastructure if you have not already.
- Use an archive utility such as WinZip or tar to unarchive the file to %SPLUNK_HOME%\etc\apps on the deployer.
- Restart Splunk Enterprise on the deployer.
Add the "winfra-admin" role to the user that will run the app on the deployer
To run the first-time setup on the search head cluster deployer instance, the winfra-admin role must be present. The Splunk App for Windows Infrastructure provides this role, but you must assign it to the user that will run the app so that the first-time run experience works.
- Log into Splunk Enterprise on the deployer.
- In the system bar, click Settings > Access controls.
- Click Users.
- Click the user that will run the application. Splunk Enterprise displays the information page for the user.
- In the Assign to roles section, in the Available roles column, click the winfra-admin role. The role moves from the Available roles column to the Selected roles column.
Note: If you do not see the winfra-admin role in the list, make sure that you have installed the application, as described in "Install the Splunk App for Windows Infrastructure on the deployer".
- Click Save. Splunk Enterprise assigns the role to the user you selected.
Add search peers with Windows data to the deployer
Before the first time setup experience can complete, you must add at least one search peer (indexer) with Windows data.
If you followed the instructions in this manual, then you already have an indexer with Windows data. Configure this host as a search peer to the deployer.
If you have not collected Windows data yet, then follow the setup chapters in this manual to get this data before continuing:
- Set up basic infrastructure
- Get Windows data
- (Optional) Get Active Directory data
- (Optional) Get Domain Name Service (DNS) data
To configure a search peer:
- From the deployer, log into Splunk Enterprise.
- Click Settings > Distributed search.
- In the Actions column, next to Search peers, click Add new.
- In the Peer field, enter the host name or IP address and management port number of the search peer (indexer) that contains the Windows data. For example, if the host name is idx1.mycompany.com, enter idx1.mycompany.com:8089. If the management port is not the default, use the port number that you configured.
- In the Remote username field, enter the user that the deployer should use to authenticate into the search peer. This user must be an existing user on the search peer, and must have the 'admin' role.
- In the Remote password field, enter the password for the user that the deployer should supply to the search peer when it connects.
- In the Confirm password field, re-enter the password you used in the previous step.
- Click Save. The deployer saves the configuration and authenticates into the search peer.
- Restart Splunk Enterprise on the deployer.
Run the first-time setup experience on the deployer
Log into Splunk Enterprise and start the first-time setup experience.
- On the deployer, log into Splunk Enterprise.
- Open the Splunk App for Windows Infrastructure. From the system bar, click Apps > Splunk App for Windows Infrastructure.
- Follow the prompts and confirm that you have all the data that the app needs.
- (Optional) After the first-time setup completes, remove the search peers from the deployer.
Distribute the app, add-ons, and configurations to the other search head cluster members
Push the configuration bundle from the search head cluster deployer to one search head member.
- From a command or shell prompt on the deployer, copy the app, add-ons, and configurations to the search head cluster apps directory:
Copy-Item -Path "C:\Program Files\Splunk\etc\apps\Splunk_TA_windows" -Destination "C:\Program Files\Splunk\etc\shcluster\apps" -Recurse -Force
Copy-Item -Path "C:\Program Files\Splunk\etc\apps\SA_LDAPsearch" -Destination "C:\Program Files\Splunk\etc\shcluster\apps" -Recurse -Force
Copy-Item -Path "C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure" -Destination "C:\Program Files\Splunk\etc\shcluster\apps" -Recurse -Force
- From a command or shell prompt on the deployer, push the app, add-ons, and configurations to one search head cluster member:
splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
In this command, -target specifies the URI and management port of one of the search head cluster members. For example, if one of the members is splunk2.mycompany.com, you would specify https://splunk2.mycompany.com:8089.
- The deployer displays the following message:
Warning: Depending on the configuration changes being pushed, this command might initiate a rolling-restart of the cluster members. Please refer to the documentation for the details. Do you wish to continue? [y/n]:
Proceed by responding to the message with y.
- Wait for the deployer to send the configuration bundle to the search head cluster members.
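As an added example that is not part of this Splunk documentation, the following PowerShell script performs the two steps above in one pass: it stages the three apps into the deployer's shcluster\apps directory, checks that each staged copy is complete, and then runs the bundle push. It assumes Splunk Enterprise is installed under C:\Program Files\Splunk and takes the cluster member URI as a parameter; it deliberately omits -auth so that the splunk CLI prompts for credentials instead of taking the password on the command line.

```powershell
# Added example, not from the Splunk docs: stage the app and add-ons into the
# deployer's shcluster\apps directory, verify each copy, then push the bundle.
# Assumptions: Splunk lives under $SplunkHome and $Target is one cluster
# member's URI and management port, e.g. https://splunk2.mycompany.com:8089
param(
    [string]$SplunkHome = 'C:\Program Files\Splunk',
    [Parameter(Mandatory = $true)][string]$Target
)

$ErrorActionPreference = 'Stop'
$apps  = @('Splunk_TA_windows', 'SA_LDAPsearch', 'splunk_app_windows_infrastructure')
$stage = Join-Path $SplunkHome 'etc\shcluster\apps'

# Refuse to run if any app is missing on the deployer: a partial bundle would
# push an incomplete configuration to every cluster member.
foreach ($app in $apps) {
    $src = Join-Path $SplunkHome "etc\apps\$app"
    if (-not (Test-Path -LiteralPath $src)) {
        throw "Missing on deployer: $src (install it before pushing the bundle)"
    }
}

New-Item -ItemType Directory -Path $stage -Force | Out-Null

foreach ($app in $apps) {
    $src = Join-Path $SplunkHome "etc\apps\$app"
    $dst = Join-Path $stage $app
    # The paths contain a space, so pass them as variables rather than bare text.
    Copy-Item -LiteralPath $src -Destination $stage -Recurse -Force
    # Compare file counts so a truncated copy is caught before the push.
    $srcCount = (Get-ChildItem -LiteralPath $src -Recurse -File).Count
    $dstCount = (Get-ChildItem -LiteralPath $dst -Recurse -File).Count
    if ($srcCount -ne $dstCount) {
        throw "Staged copy of $app is incomplete ($dstCount of $srcCount files)"
    }
    Write-Host "Staged $app ($dstCount files)"
}

# Push the bundle. -auth is omitted on purpose: the splunk CLI prompts for a
# username and password, which keeps the admin password out of shell history.
# The push may trigger a rolling restart of the members; answer y when asked.
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
& $splunk apply shcluster-bundle -target $Target
if ($LASTEXITCODE -ne 0) {
    throw "apply shcluster-bundle failed with exit code $LASTEXITCODE"
}
```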
On Splunk Enterprise 6.3 and earlier only, add roles to all search head cluster members
If you run an on-premises version of Splunk Enterprise of 6.3 or earlier, you must manually add the winfra-admin role to the user that runs the app on the other search head cluster members. This is because those versions do not handle replication of user roles across search head cluster members automatically.
You do not need to perform this procedure if you run Splunk Cloud.
- Log into Splunk Enterprise on a search head cluster member.
- In the system bar, click Settings > Access controls.
- Click Users.
- Click the user that will run the application. Splunk Enterprise displays the information page for the user.
- In the Assign to roles section, in the Available roles column, click the winfra-admin role. The role moves from the Available roles column to the Selected roles column.
Note: If you do not see the winfra-admin role in the list, make sure that you have distributed the apps and configurations as described in "Distribute the app, add-ons, and configurations to the other search head cluster members".
- Click Save. Splunk Enterprise assigns the role to the user you selected.
- Repeat this process on all the other search head cluster members.
Build lookups on one search head cluster member
To complete setup of the app, build lookups for the app on one search head cluster member.
- Log into Splunk Enterprise on a search head cluster member.
- Open the Splunk App for Windows Infrastructure. In the system bar, select Apps > Splunk App for Windows Infrastructure.
- In the menu bar, select Tools and Settings > Build lookups.
- Wait for the lookup build process to complete.
- Once the build completes, click Finish and go back.
You can now use the Splunk App for Windows Infrastructure. Visit the Reference manual for information on how to use the app dashboards.
This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.5.2, 2.0.0, 2.0.1