Splunk® Enterprise

Distributed Deployment Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Make a universal forwarder part of a system image

This topic describes how to deploy a universal forwarder as part of a system image or virtual machine. This is particularly useful if you have a large number of universal forwarders to deploy. If you have just a few, you might find it simpler to install them manually, as described for Windows and nix machines.

Before following the procedures in this topic, read "Deployment overview".

Steps to deployment

Once you have downloaded the universal forwarder and have planned your deployment, as described in "Deployment overview", perform these steps:

1. Install the universal forwarder on a test machine. See below.

2. Perform any post-installation configuration, as described below, here.

3. Test and tune the deployment, as described below.

4. Install the universal forwarder with the tested configuration onto a source machine.

5. Stop the universal forwarder.

6. Run this CLI command on the forwarder:

./splunk clone-prep-clear-config

This clears instance-specific information, such as the server name and GUID, from the forwarder. This information will then be configured on each cloned forwarder at initial start-up.

7. Prep your image or virtual machine, as necessary, for cloning.

8. On *nix systems, set the splunkd daemon to start on boot using cron or your scheduling system of choice. On Windows, set the service to Automatic but do not start it.

9. Distribute system image or virtual machine clones to machines across your environment and start them.

10. Use the deployment monitor to verify that the cloned universal forwarders are functioning.

Referenced procedures

Steps in the above deployment procedure reference these subtopics.

Install the universal forwarder

Install the universal forwarder using the procedure specific to your operating system:

Important: On a Windows machine, if you do not want the universal forwarder to start immediately after installation, you must use the commandline interface. Using the proper commandline flags, you can configure the universal forwarder so that it does not start on the source machine when installed but does start automatically on the clones, once they're activated.

At the time of installation, you can also configure the universal forwarder. See "General configuration issues" in the Deployment Overview.

Perform additional configuration

You can update your universal forwarder's configuration, post-installation, by directly editing its configuration files, such as inputs.conf and outputs.conf. See "Deployment overview" for information.

For information on distributing configuration changes across multiple universal forwarders, see "About deployment server".

Test the deployment

Test your configured universal forwarder on a single machine, to make sure it functions correctly, before deploying the universal forwarder across your environment. Confirm that the universal forwarder is getting the desired inputs and sending the right outputs to the indexer. You can use the deployment monitor to validate the universal forwarder.

PREVIOUS
Remotely deploy a *nix universal forwarder with a static configuration
  NEXT
Migrate a Windows light forwarder

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

The GUID reset can be achieved by manually deleting the $SPLUNK_HOME/etc/instance.cfg<br />The default host name can be reset by cleaning $SPLUNK_HOME/etc/system/local/inputs.conf

Ykherian, Splunker
August 20, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters