Put Splunk Enterprise onto system images
This topic explains the concepts of making Splunk Enterprise a part of every Windows system image or installation process. It also guides you through the general process of integration, regardless of the imaging utilities that you use.
- For more specific information about getting Windows data into the Splunk platform, review Monitoring Windows data with Splunk Enterprise in the Getting Data In manual.
- For information on distributed Splunk Enterprise deployments, read Distributed overview in the Distributed Deployment Manual. This overview is essential reading for understanding how to set up Splunk platform deployments, irrespective of the operating system that you use. For information about the distributed deployment capabilities of Splunk Enterprise, see About deployment server and forwarder management in Updating Splunk Enterprise Instances.
- For information about planning larger Splunk platform deployments, read Introduction to capacity planning for Splunk Enterprise in the Capacity Planning Manual and Deploy Splunk Enterprise on Windows in this manual.
Concepts for system integration on Windows
The main reason to integrate Splunk Enterprise into Windows system images is to ensure that Splunk Enterprise is available immediately when the machine is activated for use in the enterprise. This frees you from having to install and configure Splunk Enterprise after activation.
In this scenario, when a Windows system is activated, it immediately launches Splunk Enterprise after booting. Then, depending on the type of Splunk Enterprise instance installed and the configuration given, Splunk Enterprise either collects data from the machine and forwards it to an indexer (in many cases), or begins indexing data that is forwarded from other Windows machines.
System administrators can also configure Splunk Enterprise instances to contact a deployment server, which allows for further configuration and update management.
In many typical environments, universal forwarders on Windows machines send data to a central indexer or group of indexers, which then allow that data to be searched, reported and alerted on, depending on your specific needs.
Considerations for system integration
Integrating Splunk Enterprise into your Windows system images requires planning.
In most cases, the preferred Splunk Enterprise component to integrate into a Windows system image is a universal forwarder. The universal forwarder is designed to share resources on computers that perform other roles, and does much of the work that an indexer can, at much less cost. You can also modify the forwarder's configuration using the deployment server or an enterprise-wide configuration manager with no need to use Splunk Web to make changes.
In some situations, you may want to integrate a full instance of Splunk Enterprise into a system image. Where and when this is more appropriate depends on your specific needs and resource availability.
You should not include a full version of Splunk Enterprise in an image for a server that performs any other type of role, unless you have specific need for the capability that an indexer has over a forwarder. Installing multiple indexers in an enterprise does not give you additional indexing power or speed, and can lead to undesirable results.
Before integrating Splunk Enterprise into a system image, consider:
- the amount of data you want Splunk Enterprise to index, and where you want it to send that data, if applicable. This feeds directly into disk space calculations, and should be a top consideration.
- the type of Splunk Enterprise instance to install on the image or machine. Universal forwarders have a significant advantage when installing on workstations or servers that perform other duties, but might not be appropriate in some cases.
- the available system resources on the imaged machine. How much disk space, RAM and CPU resources are available on each imaged system? Will it support a Splunk Enterprise installation?
- the resource requirements of your network. Splunk Enterprise needs network resources, whether you're using it to connect to remote machines using WMI to collect data, or you're installing forwarders on each machine and sending that data to an indexer.
- the system requirements of other programs installed on the image. If Splunk Enterprise is sharing resources with another server, it can take available resources from those other programs. Consider whether or not you should install other programs on a workstation or server that is running a full instance of Splunk Enterprise. A universal forwarder will work better in cases like this, as it is designed to be lightweight.
- the role that the imaged machine plays in your environment. Will it be a workstation only running productivity applications like Office? Or will it be an operations master domain controller for your Active Directory forest?
Integrate Splunk Enterprise into a system image
Once you have determined the answers to the questions in the checklist above, the next step is to integrate Splunk Enterprise into your system images. The steps listed are generic, allowing you to use your favorite system imaging or configuration tool to complete the task.
Choose one of the following options for system integration:
Deploy Splunk Enterprise on Windows
Integrate a universal forwarder onto a system image
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0