Splunk® Enterprise

Forwarding Data

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Remotely deploy a Windows universal forwarder with a static configuration

You typically deploy the universal forwarder with a static configuration for one of these reasons:

  • You don't need to change the configuration later - "fire-and-forget".
  • You'll be making any post-installation changes with a non-Splunk deployment tool such as System Center Configuration Manager, Altris, or BigFix/Tivoli.

For this type of deployment, you install via the Windows command line interface. During installation, you must specify all configuration options and use silent mode (/quiet). See "Deploy a Windows universal forwarder via the command line" for information on the command line interface, including a list of supported flags, including those that enable low-privilege operation.

Steps to deployment

Once you have downloaded the universal forwarder and have planned your deployment, as described in "Universal forwarder deployment overview", perform these steps:

1. Install and configure the universal forwarder on a test machine, using the command line interface with the desired flags.

2. Test and tune the deployment.

3. Load the universal forwarder MSI into your deployment tool, specifying the tested flags.

4. Execute deployment with your deployment tool.

5. Review log files on the forwarder to confirm that it has connected to the receiving indexer.

Required installation flags

Besides specifying /quiet mode, you must include, at a minimum, these commandline flags:

  • RECEIVING_INDEXER="<server:port>"
  • At least one data input flag, such as WINEVENTLOG_APP_ENABLE=1. You can add as many data input flags as you need.

See "Deploy a Windows universal forwarder via the command line" for a list of all available command line flags.

Example installation

This example sets the universal forwarder to run as Local System user, get inputs from Windows security and system event logs, send data to indexer1, and launch automatically:

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet

Deploy with a secure configuration

To deploy a secure configuration, you can specify an SSL certifcate. Use these installation flags:

  • CERTFILE=<c:\path\to\certfile.pem>
  • ROOTCACERTFILE=<c:\path\to\rootcacertfile.pem>
  • CERTPASSWORD=<password>

For more information, see this list of supported commandline flags.

Test the deployment

Test your configured universal forwarder on a single machine, to make sure it functions correctly, before deploying the universal forwarder across your environment. Confirm that the universal forwarder is getting the desired inputs and sending the right outputs to the indexer.

Last modified on 19 November, 2015
Deploy a Windows universal forwarder via the command line
Deploy a *nix universal forwarder manually

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters