Splunk® Enterprise

Add Microsoft Windows data: Distributed deployment with indexer clustering

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Install the Splunk Add-on for Windows on universal forwarders

If you have a deployment with many universal forwarders, use the Splunk Enterprise Forwarder Management interface to distribute the add-on to those forwarders.

Download, configure, and install the Splunk Add-on for Windows

Make the Splunk Add-on for Windows available to Forwarder Management:

  1. Download the Splunk Add-on for Windows.
  2. Unarchive the downloaded file into an accessible location.
  3. Remove transforms.conf.spec from the $SPLUNK_HOME/etc/apps/Splunk_TA_windows/README directory.
  4. Enable the input stanzas for the Windows data that the add-on should collect.
  5. After enabling input stanzas, copy the Splunk Add-on for Windows folder to %SPLUNK_HOME%\etc\deployment-apps on the deployment server. This is the Splunk Enterprise instance that runs Forwarder Management.
  6. Restart Splunk Enterprise on the deployment server.
  7. Note the host name or IP address and management port of the deployment server. You will use this information to configure deployment clients.

Set up universal forwarders as deployment clients

Set up universal forwarders as deployment clients to the Forwarder Management instance using one of the following methods:

  • Use the CLI to configure the forwarder as a deployment client:

        > .\splunk set deploy-poll <IP address/hostname of Forwarder Management server>:<port>

  • On the universal forwarder, edit deploymentclient.conf in %SPLUNK_HOME%\etc\system\local and add the following text to the file:

        [deployment-client]
        [target-broker:deploymentServer]
        targetUri= <IP address/hostname of Forwarder Management server>:<port>

After performing either method, restart the forwarder.

Set up server classes on the deployment server

After you configure the Splunk Add-on for Windows and set up the forwarders as deployment clients, define a server class for the forwarders on the deployment server instance.

  1. Log in to Splunk Enterprise on the deployment server.
  2. From Splunk Home, select Settings > Forwarder Management.
  3. Click the Server classes tab.
  4. Click New Server Class.
  5. In the dialog box, type a name for the server class.
  6. Click Save.
  7. Click Add Apps.
  8. Under Unselected Apps, select Splunk Add-on for Windows.
  9. Click Save.
  10. Click Add clients.
  11. Specify the clients that should receive the Splunk Add-on for Windows by populating Include (whitelist). You can enter host names, DNS names, IP addresses, or a wildcard that represents more than one deployment client. Separate multiple host names with commas. Alternatively, you can specify clients that should not receive the add-on by entering host names, DNS names, IP addresses, or wildcards in the Exclude (blacklist) field. Do not specify a host in both fields, as this prevents any host from receiving the add-on.
  12. Click Save. Forwarder Management returns you to the Edit Server Class screen, which displays the clients that have received the Splunk Add-on for Windows.
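
A pre-flight check for step 11, as an added example that is not part of the Splunk documentation or product: it takes the planned Include and Exclude field values plus a list of forwarder host names and reports every host that would appear in both fields. The host names and field values are constructed samples, and wildcard matching is approximated with Python's fnmatch, which is an assumption about how Forwarder Management matches patterns.

```python
"""Pre-flight check for Forwarder Management Include/Exclude entries (added example)."""
from fnmatch import fnmatchcase


def parse_entries(field):
    """Split a comma-separated Include or Exclude field into lowercase patterns."""
    return [p.strip().lower() for p in field.split(",") if p.strip()]


def matches(host, patterns):
    """Return the patterns that match host ('*' wildcards approximated with fnmatch)."""
    host = host.lower()
    return [p for p in patterns if fnmatchcase(host, p)]


def check_server_class(include_field, exclude_field, hosts):
    """Classify each host and collect the ones that appear in both fields."""
    include = parse_entries(include_field)
    exclude = parse_entries(exclude_field)
    report = {"include_only": [], "exclude_only": [], "both": {}, "unmatched": []}
    for host in hosts:
        inc, exc = matches(host, include), matches(host, exclude)
        if inc and exc:
            # The case step 11 says to avoid: record which entries collide.
            report["both"][host] = (inc, exc)
        elif inc:
            report["include_only"].append(host)
        elif exc:
            report["exclude_only"].append(host)
        else:
            report["unmatched"].append(host)
    return report


# Constructed sample data: hypothetical forwarder names and field values.
SAMPLE_HOSTS = ["win-dc-01", "win-dc-02", "win-file-01", "lab-win-07",
                "10.1.2.15", "srv-sql-01"]
SAMPLE_INCLUDE = "win-*, 10.1.2.*"
SAMPLE_EXCLUDE = "win-dc-02, lab-*"

if __name__ == "__main__":
    result = check_server_class(SAMPLE_INCLUDE, SAMPLE_EXCLUDE, SAMPLE_HOSTS)
    for host, (inc, exc) in result["both"].items():
        print(f"CONFLICT {host}: Include {inc} and Exclude {exc}")
    print("Include only:", result["include_only"])
    print("Exclude only:", result["exclude_only"])
    print("Not matched :", result["unmatched"])
```

Resolve every reported conflict before you click Save, and review the unmatched list for forwarders you expected the server class to cover.
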
Last modified on 11 August, 2020

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

