Splunk® App for Windows Infrastructure (Legacy)

Deploy and Use the Splunk App for Windows Infrastructure

On October 20, 2021, the Splunk App for Windows Infrastructure will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Windows Dashboards and Reports.

Install a universal forwarder on each Windows host

This topic details installing and configuring a universal forwarder on the Windows host in your environment. This is the first step toward getting data into the indexer that you set up earlier.

What is a universal forwarder?

The universal forwarder is a version of Splunk Enterprise whose only purpose is to collect data from a host and send it somewhere. Unlike full Splunk Enterprise, the universal forwarder has extremely limited capability to transform or change the data it collects in any way. This allows for fast collection and dispatching of data with little impact on system and network resources.

In this application, you install universal forwarder on a Windows host to collect the data it contains. You then forward this data to the Splunk indexer, which indexes and stores the data and makes it available for the Splunk App for Windows Infrastructure.

Install universal forwarder

In order to begin the data collection and forwarding process, you must install a universal forwarder on every Windows host that you want data from.

  1. Confirm that your Windows host meets the minimum system requirements for a Splunk universal forwarder installation.
  2. Download the appropriate universal forwarder for your version of Windows.
  3. Install the universal forwarder onto the Windows host. During the installation process, follow these prompts:
    • In the first dialog, check the box to accept the license agreement.
    • Click Customize Options to customize the installation options.
    • Click Next to advance through the "Destination Folder" dialog.
    • Click Next to advance through the "Certificate Information" dialog.
    • In the "User selection" dialog, make sure "Local System" is selected and click Next
    • In the "Enable Windows inputs" dialog, make sure no inputs have been enabled and click Next.
    • In the "Specify a Deployment Server" dialog, enter the host name or IP address of the deployment server you just set up in the "Hostname or IP" field and enter "8089" in the second field. Then click Next.
    • Click Next to advance through the "Receiving Indexer" dialog.
    • Click Install to accept these configurations and install the universal forwarder.
  4. After installation completes, confirm that the universal forwarder service runs.
    • You can check the splunkforwarder service in the Services control panel, or
    • You can check if the service runs from a PowerShell window (by going to the %SPLUNK_HOME%\bin directory and typing in .\splunk status.

What's next?

You have installed and configured a universal forwarder on at least one Windows machine. Next, you will confirm that deployment server sees the forwarder and add the forwarder to the server class you defined earlier.

Last modified on 16 August, 2017
Set up a deployment server and create a server class   Add the universal forwarder to the server class

This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters