Splunk® Enterprise

Admin Manual

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Integrate an installation of Splunk Enterprise onto a system image

Read this topic to learn how to integrate a full version of Splunk into a Windows system image. For additional information about integrating Splunk into images, see Put Splunk onto system images.

  1. Using a reference computer, install and configure Windows to your liking. Install any Windows features and components that you need, and confirm that Windows Update has applied the latest patches and security updates.
  2. Install and configure any applications that you need, taking into account the Splunk system and hardware capacity requirements.
  3. Install and configure Splunk Enterprise.

    You can install using the GUI Windows installer, but more options are available when you install the package using the command line.

  4. After you have configured the data inputs that you want Splunk Enterprise to collect, open a Windows command prompt.
  5. From this prompt, stop Splunk Enterprise by changing to the %SPLUNK_HOME%\bin directory and running .\splunk stop
  6. Remove any event data that Splunk Enterprise might have collected by running .\splunk clean eventdata.
  7. Close the command prompt window.
  8. Open the Services control panel and confirm that the splunkd and splunkweb services are set to start automatically by setting their startup type to 'Automatic'.
  9. Prepare the system image for domain participation using a utility such as Sysprep, Windows System Image Manager (WSIM), or Deployment Image Servicing and Management (DISM).

    Microsoft recommends using SYSPREP and WSIM as the method to change machine Security Identifiers (SIDs) prior to cloning, as opposed to using third-party tools (such as Ghost Walker or NTSID.

  10. After you have configured the system for imaging, reboot the machine and clone it with your favorite imaging utility.

The image is now ready for deployment.

Last modified on 19 August, 2024
Integrate a universal forwarder onto a system image   Launch Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters