Splunk® Enterprise

Distributed Deployment Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Deploy a Windows universal forwarder via the installer GUI

This topic describes how to manually install, configure, and deploy the universal forwarder in a Windows environment using the installer GUI. It assumes that you're installing directly onto the Windows machine, rather than using a deployment tool. This type of scenario best suits these needs:

  • small deployments
  • proof-of-concept test deployments
  • system image or virtual machine for eventual cloning

If you are interested in a different deployment scenario or a different operating system, look for another topic in this section that better fits your needs.

This topic describes how to install the universal forwarder with the installer GUI. You can also install from the commandline, using msiexec. See "Deploy a Windows universal forwarder via the commandline" for more information.

Important: If you do not want the universal forwarder to start immediately after installation, you must use the commandline interface.

Before following the procedures in this topic, read "Deployment overview".

Steps to deployment

Once you have downloaded the universal forwarder and have planned your deployment, as described in "Deployment overview", perform these steps:

1. Install the universal forwarder (with optional migration and configuration).

2. Test and tune the deployment.

3. Perform any post-installation configuration.

4. Deploy the universal forwarder across your environment.

Install the universal forwarder

The Windows installer guides you through the process of installing and configuring your universal forwarder. It also offers you the option of migrating your checkpoint settings from an existing Splunk forwarder.

To install the universal forwarder, double-click the appropriate MSI file:

  • splunkuniversalforwarder-<...>-x86-release.msi (for 32-bit platforms)
  • splunkuniversalforwarder-<...>-x64-release.msi (for 64-bit platforms)

The value of <...> varies according to the particular release; for example, splunkuniversalforwarder-4.2-86454-x64-release.msi.

Important: Running the 32-bit version of the universal forwarder on a 64-bit platform is not recommended. If you can run 64-bit universal forwarder on 64-bit hardware, we strongly recommend it. The performance is greatly improved over the 32-bit version.

A series of dialogs guide you through the installation. When you're through with a dialog, click Next to move to the next in the series. Here are the dialogs, in order:

1. "Welcome" dialog

To begin the installation, click Next.

2. "License Agreement" dialog

Read the license agreement and select "I accept the terms in the license agreement".

3. "Destination Folder" dialog

The universal forwarder is installed by default into the directory C:\Program Files\SplunkUniversalForwarder.

Click Change... to specify a different installation directory.

Important: Do not install the universal forwarder over an existing installation of full Splunk. This is particuarly vital if you will be migrating from a light forwarder as described in "Migrate a Windows light forwarder". The default install directory for full Splunk is C:\Program Files\Splunk, so, if you stick with the defaults, you're safe.

4. "Migration" pop-up

If the installer detects an existing version of Splunk, it will ask you whether you want to migrate the existing Splunk's data checkpoint settings to the universal forwarder. If you click Yes, it will automatically perform the migration.

Important: This is the only time when you can migrate old settings to this universal forwarder. You cannot perform the migration post-installation.

See "Migrate a Windows forwarder" for more information on what migration does.

5. "Deployment Server" dialog

Enter the hostname or IP address and management port for your deployment server. The default management port is 8089.

You can use the deployment server to push configuration updates to the universal forwarder. See "About deployment server" for details.

Note: This step is optional, but if you skip it, you must enter a receiving indexer in step 6; otherwise, the universal forwarder will not be able function, as it will not have any way of determining which indexer to forward to.

6. "Receiving Indexer" dialog

Enter the hostname or IP address and receiving port of the receiving indexer (receiver). For information on setting up a receiver, see "Enable a receiver".

Note: This step is optional, but if you skip it, you must enter a deployment server in step 5; otherwise, the universal forwarder will not be able function, as it will not have any way of determining which indexer to forward to.

7. "Certificate Information" dialog

Select an SSL certificate for verifying the identity of this machine (optional).

Depending on your certificate requirements, you may need to specify a password and a Root CA certificate to verify the identity of the certificate. If not, these fields can be left blank.

Note: This dialog will only appear if you previously specified a receiving indexer (step 6).

8. "Where do you want to get data from?" dialogs

This step in the installer requires one or two dialogs, depending on whether the universal forwarder will be collecting local data exclusively.

In the first dialog, you specify the user context: whether you want the universal forwarder to collect only local data or also remote Windows data. The installer uses this information to determine the permissions the universal forwarder needs.

Note: If you select Local data only, the universal forwarder will install as the local system user, and network resources will not be available to it. This is recommended for improved security, unless this universal forwarder will be collecting event logs or metrics from remote machines. For more help in determining what to select here, see "Choose the user the universal forwarder should run as".

Once you've made your choice, click Next.

If you specified Local data only, the installer skips the second screen and takes directly to the "Enable Windows Inputs" dialog (step 8).

If you specified Remote Windows data, the installer now takes you to a second dialog, where you need to enter domain and user information for this instance of the universal forwarder. The universal forwarder will run as the user you specify in this dialog.

The user you specify here must have permissions to:

  • Run as a service.
  • Read whatever files you are configuring it to monitor.
  • Collect event logs or performance metrics via WMI. This is a highly privileged action; see "Monitor WMI data" for more information.
  • Write to the universal forwarder's directory.

9. "Enable Windows Inputs" dialog

Select one or more Windows inputs from the list.

This step is optional. You can enable inputs later, by editing inputs.conf.

10. "Ready to Install the Program" dialog

Click Install to proceed.

The installer runs and displays the Installation Completed dialog.

Once the installation is complete, the universal forwarder automatically starts. SplunkForwarder is the name of the universal forwarder service. You should confirm that it is running.

Test the deployment

Test your configured universal forwarder on a single machine, to make sure it functions correctly, before deploying the universal forwarder across your environment. Confirm that the universal forwarder is getting the desired inputs and sending the right outputs to the indexer. You can use the deployment monitor app to validate the universal forwarder.

If you migrated from an existing forwarder, make sure that the universal forwarder is forwarding data from where the old forwarder left off. If it isn't, you probably need to modify or add data inputs, so that they conform to those on the old forwarder.

Important: Migration does not automatically copy any configuration files; you must set those up yourself. The usual way to do this is to copy the files, including inputs.conf, from the old forwarder to the universal forwarder. Compare the inputs.conf files on the universal forwarder and the old forwarder to ensure that the universal forwarder has all the inputs that you want to maintain.

If you migrated from an existing forwarder, you can delete that old instance once your universal forwarder has been thoroughly tested and you're comfortable with the results.

Perform additional configuration

You can update your universal forwarder's configuration, post-installation, by directly editing its configuration files, such as inputs.conf and outputs.conf. You can also update the configuration using the CLI. See "Deployment overview" for information.

Note: When you use the CLI, you might need to authenticate into the Splunk forwarder to complete commands. The default credentials for a universal forwarder are:

Username: admin
Password: changeme

For information on distributing configuration changes across multiple universal forwarders, see "About deployment server".

Deploy the universal forwarder across your environment

If you need just a few universal forwarders, you might find it simpler just to repeat the manual installation process, as documented in this topic. If you need to install a larger number of universal forwarders, it will probably be easier to deploy them remotely with a deployment tool or else as part of a system image or virtual machine.

Uninstall the universal forwarder

To uninstall the universal forwarder, perform the following steps:

1. Use the Services MMC snap-in (Start > Administrative Tools > Services) to stop the SplunkForwarder service.

Note: You can also stop the service from the command line with the following command:

NET STOP SplunkForwarder

2. Next, use the Add or Remove Programs control panel to uninstall the forwarder. On Windows 7 and Windows Server 2008, that option is available under Programs and Features.

Note: Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.

Universal forwarder deployment overview
Deploy a Windows universal forwarder via the commandline

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters