Splunk® Enterprise

Admin Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Integrate full Splunk Enterprise onto a system image

This topic discusses the procedure to integrate a full version of Splunk into a Windows system image. For additional information about integrating Splunk into images, see "Put Splunk onto system images" in this manual.

To integrate a full version of Splunk into a system image:

1. Using a reference computer, install and configure Windows to your liking, including installing any needed Windows features, patches and other components.

2. Install and configure any necessary applications, taking into account Splunk's system and hardware capacity requirements.

3. Install and configure Splunk.

Important: You can install using the GUI installer, but more options are available when installing the package from the command line.

4. Once you have configured Splunk inputs, open a command prompt.

5. From this prompt, stop Splunk by changing to the %SPLUNK_HOME%\bin directory and running .\splunk stop.

6. Clean any event data by running .\splunk clean eventdata.

7. Close the command prompt window.

8. Ensure that the splunkd and splunkweb services are set to start automatically by setting their startup type to 'Automatic' in the Services Control Panel.

9. Prepare the system image for domain participation using a utility such as SYSPREP (for Windows XP and Windows Server 2003/2003 R2) and/or Windows System Image Manager (WSIM) (for Windows Vista, Windows 7, and Windows Server 2008/2008 R2).

Note: Microsoft recommends using SYSPREP and WSIM to change machine Security Identifiers (SIDs) prior to cloning, as opposed to using third-party tools (such as Ghost Walker or NTSID).

10. Once you have configured the system for imaging, reboot the machine and clone it with your favorite imaging utility.

The image is now ready for deployment.
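
Steps 5, 6 and 8 as a PowerShell script, added here as an example and not part of the Splunk documentation. It assumes an elevated session and that SPLUNK_HOME is set as an environment variable, and it uses the clean command's -f flag to skip the confirmation prompt.

```powershell
# Added example: automates steps 5, 6 and 8 of the procedure above and
# verifies the result before the machine is handed to SYSPREP/WSIM.
# Assumptions: elevated PowerShell 3.0+, SPLUNK_HOME environment variable set.
$ErrorActionPreference = 'Stop'

if (-not $env:SPLUNK_HOME) { throw 'SPLUNK_HOME is not set.' }
$splunk = Join-Path $env:SPLUNK_HOME 'bin\splunk.exe'
if (-not (Test-Path $splunk)) { throw "Splunk CLI not found at $splunk" }

# Step 5: stop Splunk.
& $splunk stop

# Step 6: clean event data so no indexed events from the reference
# computer are carried into every clone. -f skips the confirmation prompt.
& $splunk clean eventdata -f
if ($LASTEXITCODE -ne 0) {
    throw "splunk clean eventdata failed with exit code $LASTEXITCODE"
}

# Step 8: set both services to start automatically, then confirm the
# setting took effect and that neither service is running at capture time.
$problems = foreach ($name in 'splunkd', 'splunkweb') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "${name}: service not found"; continue }

    Set-Service -Name $name -StartupType Automatic

    $svc.Refresh()
    if ($svc.Status -ne 'Stopped') { "${name}: status is $($svc.Status)" }

    $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    if ($mode -ne 'Auto') { "${name}: StartMode is $mode" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Reference computer is not ready for imaging.'
}
Write-Output 'Splunk is stopped, event data is cleaned, services are set to Automatic.'
```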

Last modified on 30 September, 2019

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2


Hi all,

Yes, "clone-prep-clear-config" works on Enterprise instances as well as universal forwarders.

Malmoore, Splunker
December 4, 2018

Good question, Kenoski. I have seen the clone-prep-clear-config command run before taking a universal forwarder host machine image for deployment. I was curious to know if this would be good to perform on a Splunk Enterprise instance.

I am looking to fine tune my Splunk Enterprise VM and appreciate any advice in this area.

Thanks, Ken

December 2, 2018

Should the command .\splunk clone-prep-clear-config be run to clear out all of the machine-specific configuration data from the Indexer that is to be included as part of an image? I have seen configuration-specific information still be included in the indexer after running .\splunk clean all.

March 17, 2016
