Splunk® App for Windows Infrastructure (Legacy)

Deploy and Use the Splunk App for Windows Infrastructure

On October 20, 2021, the Splunk App for Windows Infrastructure will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Windows Dashboards and Reports.

Install the Splunk App for Windows Infrastructure on a search head cluster

The Splunk App for Windows Infrastructure can be installed in a search head cluster. The procedure to install the app on a search head cluster is different from performing it on a stand-alone search head.

This topic contains basic instructions on how to install and configure the Splunk App for Windows Infrastructure on a search head cluster. To learn more about how to install and configure search head clusters, see "Deploy a search head cluster" in the Distributed Search manual.

The final tasks for setup of the Splunk App for Windows Infrastructure are:

  • Configure a search head cluster, including a separate instance for a search head cluster deployer.
  • Install the Splunk Add-on for Windows version 7.0.0, 8.0.0, or 8.1.2 on the search head cluster.
  • Install the Splunk Supporting Add-on for Active Directory version 3.0.2 or higher on the search head cluster.
  • Install the Splunk App for Windows Infrastructure on the search head cluster.
  • Run the first time setup on the search head cluster.
  • Build lookups on a search head cluster member.

Configure the search head cluster

To install the Splunk App for Windows Infrastructure on a search head cluster, you must have a cluster configured.

When you designate hosts for a search head cluster, always install new instances of Splunk Enterprise. If you attempt to add an existing instance to a search head cluster, the process overwrites any configurations or apps that reside on the instance.

Also, designate a separate host as a search head cluster deployer.

To configure a search head cluster, see "Deploy a search head cluster" in the Distributed Search manual.

Install the Splunk Add-on for Windows on the deployer

Install the Splunk Add-on for Windows version 7.0.0, 8.0.0, or 8.1.2 on the search head cluster deployer instance.

  1. In a web browser, navigate to the Splunk Add-on for Windows download page.
  2. Change the version to 7.0.0, 8.0.0, or 8.1.2, and click the download link to start the download.
    • Make sure you download the Splunk Add-on for Windows version 7.0.0, 8.0.0, or 8.1.2. The Splunk Add-on for Windows version 5.0.x is not compatible with the Splunk App for Windows Infrastructure.
    • You might need to sign in with your Splunk account before the download starts.
  3. When prompted, choose an accessible location on your deployer to save the download. Do not attempt to run the download.
  4. Use an archive utility such as WinZip or tar to unarchive the file to the %SPLUNK_HOME%\etc\apps directory on the deployer.

Install the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) on the deployer

Next, install the Splunk Supporting Add-on for Active Directory version 3.0.2 or higher on the deployer:

  1. In a web browser, proceed to the Splunk Supporting Add-on for Active Directory download page.
  2. Click the download link to start the download.
    • Make sure you download the Splunk Supporting Add-on for Active Directory version 3.0.2 or higher.
    • You might need to sign in with your Splunk account before the download starts.
  3. When prompted, choose an accessible location on your deployer to save the download. Do not attempt to run the download.
  4. Use an archive utility such as WinZip or tar to unarchive the file to the %SPLUNK_HOME%\etc\apps directory on the deployer.

Install the Splunk App for Windows Infrastructure on the deployer

Next, install the Splunk App for Windows Infrastructure on the deployer.

  1. Download the Splunk App for Windows Infrastructure if you have not already.
  2. Use an archive utility such as WinZip or tar to unarchive the file to %SPLUNK_HOME%\etc\apps on the deployer.
  3. Restart Splunk Enterprise on the deployer.
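The three install sections above each end with the same step: unarchive the download into %SPLUNK_HOME%\etc\apps on the deployer, having first made sure the archive is a supported version. The following PowerShell function is an added example, not code from the Splunk documentation; it does that extraction with the tar.exe that ships with current Windows releases and then reads the version that actually landed on disk from the app's default\app.conf, so a wrong download is caught before it is pushed to the cluster. The archive file names, the Downloads location, and the SPLUNK_HOME fallback are assumptions; the folder name SA_LDAPsearch is spelled as this page spells it.

```powershell
# Added example (not from the Splunk docs): extract a downloaded Splunk app or
# add-on archive into $SPLUNK_HOME\etc\apps on the deployer and verify the
# version that ended up on disk against the versions this app supports.
function Install-SplunkAppArchive {
    param(
        [Parameter(Mandatory)] [string]   $ArchivePath,      # downloaded .tgz or .spl file
        [Parameter(Mandatory)] [string]   $AppFolder,        # folder name inside the archive, e.g. Splunk_TA_windows
        [string[]] $AllowedVersions,                         # exact versions accepted; empty = no exact-match check
        [string]   $MinimumVersion,                          # lowest version accepted ("3.0.2 or higher"); empty = no check
        [string]   $SplunkHome = $(if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\Splunk' })
    )
    $appsDir = Join-Path $SplunkHome 'etc\apps'
    if (-not (Test-Path -LiteralPath $ArchivePath)) { throw "Archive not found: $ArchivePath" }
    if (-not (Test-Path -LiteralPath $appsDir))     { throw "Apps directory not found: $appsDir" }

    # .spl files are gzipped tarballs like .tgz; bsdtar (tar.exe on Windows 10 1803+ / Server 2019+) handles both.
    & tar.exe -xzf $ArchivePath -C $appsDir
    if ($LASTEXITCODE -ne 0) { throw "tar.exe failed with exit code $LASTEXITCODE" }

    # Every Splunk app carries default\app.conf; its absence means the archive did not contain the expected folder.
    $appConf = Join-Path $appsDir "$AppFolder\default\app.conf"
    if (-not (Test-Path -LiteralPath $appConf)) { throw "Expected $appConf after extraction; check the archive contents" }

    # Read the 'version = x.y.z' entry (from the [launcher] stanza) and compare it with what the app requires.
    $match = Select-String -LiteralPath $appConf -Pattern '^\s*version\s*=\s*(\S+)' | Select-Object -First 1
    if (-not $match) { throw "No version entry found in $appConf" }
    $version = $match.Matches[0].Groups[1].Value

    if ($AllowedVersions -and ($version -notin $AllowedVersions)) {
        throw "$AppFolder is version $version; supported versions are: $($AllowedVersions -join ', ')"
    }
    if ($MinimumVersion -and ([version]$version -lt [version]$MinimumVersion)) {
        throw "$AppFolder is version $version; version $MinimumVersion or higher is required"
    }
    Write-Host "Installed $AppFolder $version into $appsDir"
}

# Assumed download location and archive file names; adjust them to what you saved in step 3.
$downloads = Join-Path $env:USERPROFILE 'Downloads'

Install-SplunkAppArchive -ArchivePath (Join-Path $downloads 'splunk-add-on-for-microsoft-windows_812.tgz') `
    -AppFolder 'Splunk_TA_windows' -AllowedVersions '7.0.0', '8.0.0', '8.1.2'

Install-SplunkAppArchive -ArchivePath (Join-Path $downloads 'splunk-supporting-add-on-for-active-directory_302.tgz') `
    -AppFolder 'SA_LDAPsearch' -MinimumVersion '3.0.2'

Install-SplunkAppArchive -ArchivePath (Join-Path $downloads 'splunk-app-for-windows-infrastructure_204.tgz') `
    -AppFolder 'splunk_app_windows_infrastructure'
```

Run it from an elevated PowerShell session on the deployer, then restart Splunk Enterprise as the last step above describes. The version check is the part worth keeping even if you extract by hand: the Splunk Add-on for Windows 5.0.x unpacks into the same Splunk_TA_windows folder as the supported releases, so the folder name alone does not tell you which one you have.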

Add search peers with Windows data to the deployer

Before the first-time setup experience can complete, you must add at least one search peer (indexer) with Windows data.

If you followed the instructions in this manual, then you already have an indexer with Windows data. Configure this host as a search peer to the deployer.

If you have not collected Windows data yet, then follow the setup chapters in this manual to get this data before continuing:

  • Set up basic infrastructure
  • Get Windows data
  • (Optional) Get Active Directory data
  • (Optional) Get Domain Name Service (DNS) data

To configure a search peer:

  1. From the deployer, log into Splunk Enterprise.
  2. Click Settings > Distributed search.
  3. In the Actions column, next to Search peers, click Add new.
  4. In the Peer field, enter the host name or IP address and management port number of the search peer (indexer) that contains the Windows data. For example, if the host name is idx1.mycompany.com, enter idx1.mycompany.com:8089. If the management port is not the default, use the port number that you configured.
  5. In the Remote username field, enter the user that the deployer should use to authenticate into the search peer. This user must be an existing user on the search peer, and must have the 'admin' role.
  6. In the Remote password field, enter the password for the user that the deployer should supply to the search peer when it connects.
  7. In the Confirm password field, re-enter the password you used in the previous step.
  8. Click Save. The deployer saves the configuration and authenticates into the search peer.
  9. Restart Splunk Enterprise on the deployer.

Run the first-time setup experience on the deployer

Log into Splunk Enterprise and start the first-time setup experience.

  1. On the deployer, log into Splunk Enterprise.
  2. Open the Splunk App for Windows Infrastructure. From the system bar, click Apps > Splunk App for Windows Infrastructure.
  3. Follow the prompts and confirm that you have all the data that the app needs.
  4. (Optional) After the first-time setup completes, remove the search peers from the deployer.

Distribute the app, add-ons, and configurations to the other search head cluster members

Push the configuration bundle from the search head cluster deployer to one search head member.

  1. From a command or shell prompt on the deployer, copy the app, add-ons, and configurations to the search head cluster apps directory:
    Copy-Item -Path "C:\Program Files\Splunk\etc\apps\Splunk_TA_windows" -Destination "C:\Program Files\Splunk\etc\shcluster\apps" -Recurse -Force
    Copy-Item -Path "C:\Program Files\Splunk\etc\apps\SA_LDAPsearch" -Destination "C:\Program Files\Splunk\etc\shcluster\apps" -Recurse -Force
    Copy-Item -Path "C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure" -Destination "C:\Program Files\Splunk\etc\shcluster\apps" -Recurse -Force

  2. From a command or shell prompt on the deployer, push the app, add-ons, and configurations to one search head cluster member:
    splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
    

    In this command:

    • -target specifies the URI and management port of one of the search head cluster members. For example, if one of the members is splunk2.mycompany.com, you would specify https://splunk2.mycompany.com:8089.
    • -auth specifies the user name and password of an administrator account, separated by a colon.
  3. The deployer displays the following message:
    Warning: Depending on the configuration changes being pushed, this command
    might initiate a rolling-restart of the cluster members. Please refer to the
    documentation for the details.  Do you wish to continue? [y/n]:
    
    Proceed by responding to the message with y.
  4. Wait for the deployer to send the configuration bundle to the search head cluster members.
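The four steps above, staging the app and add-ons and then pushing the bundle, as one PowerShell script. This is an added example, not code from the Splunk documentation. It checks that each app is actually present on the deployer before copying it, removes a stale copy from shcluster\apps so deleted files do not linger in the bundle, and prompts for the -auth credentials at run time rather than leaving them in the script or shell history. The member host name, the SPLUNK_HOME fallback, and the use of --answer-yes (the Splunk CLI option that suppresses the rolling-restart prompt shown in step 3) are assumptions about your environment; the folder name SA_LDAPsearch is spelled as this page spells it.

```powershell
# Added example (not from the Splunk docs): stage the app and add-ons into the
# deployer's shcluster\apps directory and push the bundle to one cluster member.
param(
    [string] $Member         = 'splunk2.mycompany.com',   # any one search head cluster member (assumed name)
    [int]    $ManagementPort = 8089,                       # the member's management port
    [string] $SplunkHome     = $(if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\Splunk' })
)

$appsDir   = Join-Path $SplunkHome 'etc\apps'
$bundleDir = Join-Path $SplunkHome 'etc\shcluster\apps'
$splunkExe = Join-Path $SplunkHome 'bin\splunk.exe'

# App folders as installed on the deployer in the previous sections.
$appsToPush = 'Splunk_TA_windows', 'SA_LDAPsearch', 'splunk_app_windows_infrastructure'

if (-not (Test-Path -LiteralPath $splunkExe)) { throw "splunk.exe not found at $splunkExe; check SPLUNK_HOME" }
New-Item -ItemType Directory -Path $bundleDir -Force | Out-Null

foreach ($app in $appsToPush) {
    $src = Join-Path $appsDir   $app
    $dst = Join-Path $bundleDir $app
    if (-not (Test-Path -LiteralPath $src)) { throw "Missing $src; install it on the deployer before pushing the bundle" }

    # Replace rather than merge: a stale copy in the bundle would keep files the installed app no longer has.
    # Join-Path and -LiteralPath keep the space in 'Program Files' from splitting the argument.
    if (Test-Path -LiteralPath $dst) { Remove-Item -LiteralPath $dst -Recurse -Force }
    Copy-Item -LiteralPath $src -Destination $bundleDir -Recurse -Force
    Write-Host "Staged $app -> $dst"
}

# Ask for the -auth user name and password interactively so they are not stored in the script or command history.
$cred = Get-Credential -Message 'Administrator account for splunk apply shcluster-bundle'
$auth = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password

# Push the bundle to one member; the deployer distributes it to the rest of the cluster.
# --answer-yes answers the rolling-restart confirmation prompt from step 3; drop it to answer y by hand.
& $splunkExe apply shcluster-bundle --answer-yes -target "https://${Member}:${ManagementPort}" -auth $auth
if ($LASTEXITCODE -ne 0) { throw "apply shcluster-bundle failed with exit code $LASTEXITCODE" }
Write-Host "Bundle pushed via $Member; wait for the deployer to finish distributing it before building lookups."
```

Run the script from an elevated PowerShell session on the deployer after the first-time setup has completed there, because the setup results live in the apps' local directories and are part of what gets copied into the bundle.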

Build lookups on one search head cluster member

To complete setup of the app, build lookups for the app on one search head cluster member.

  1. Log into Splunk Enterprise on a search head cluster member.
  2. Open the Splunk App for Windows Infrastructure. In the system bar, select Apps > Splunk App for Windows Infrastructure.
  3. In the menu bar, select Tools and Settings > Build lookups.
  4. Wait for the lookup build process to complete.
  5. Once the build completes, click Finish and go back.

You can now use the Splunk App for Windows Infrastructure. Visit the Reference manual for information on how to use the app dashboards.

Last modified on 27 August, 2021

This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 2.0.4
