Install the Splunk Add-on for Windows on universal forwarders
If you have a deployment with many universal forwarders, use the Splunk Enterprise Forwarder Management interface to distribute the add-on to those forwarders.
Download, configure, and install the Splunk Add-on for Windows
Make the Splunk Add-on for Windows available to Forwarder Management:
- Download the Splunk Add-on for Windows.
- Unarchive the downloaded file into an accessible location.
- Enable the input stanzas for the Windows data that the add-on should collect.
- After enabling input stanzas, copy the Splunk Add-on for Windows folder to %SPLUNK_HOME%\etc\deployment-apps on the deployment server. This is the Splunk Enterprise instance that runs Forwarder Management.
- Restart Splunk Enterprise on the deployment server.
- Note the host name or IP address and management port of the deployment server. You will use this information to configure deployment clients.
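The "enable the input stanzas" step above can be scripted so that the same set of inputs is enabled every time the add-on is staged for deployment. The following is an added example, not Splunk's own code: it assumes the usual app layout in which the add-on ships its inputs disabled in default/inputs.conf and local overrides go in local/inputs.conf, and the sample file content and stanza selection are constructed for illustration.

```python
import re

# Constructed sample standing in for the add-on's default/inputs.conf
# (not the shipped file; stanza names here are illustrative).
SAMPLE_DEFAULT = """\
[WinEventLog://Application]
disabled = 1
renderXml = true

[WinEventLog://Security]
disabled = 1
renderXml = true

[WinEventLog://System]
disabled = 1

[perfmon://CPU]
disabled = 1
interval = 10
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def list_stanzas(conf_text):
    """Return stanza names in file order, skipping settings and comments."""
    names = []
    for line in conf_text.splitlines():
        match = STANZA_RE.match(line.strip())
        if match:
            names.append(match.group("name"))
    return names


def build_local_overrides(default_text, wanted):
    """Build local/inputs.conf text that enables only the stanzas in `wanted`.

    Raises ValueError if a requested stanza is not defined in the default
    file, so a misspelled stanza name is caught before deployment.
    """
    available = list_stanzas(default_text)
    missing = [name for name in wanted if name not in available]
    if missing:
        raise ValueError("not defined in default/inputs.conf: " + ", ".join(missing))
    # Keep the default file's ordering so the override file diffs cleanly.
    blocks = ["[%s]\ndisabled = 0\n" % name for name in available if name in wanted]
    return "\n".join(blocks)


if __name__ == "__main__":
    print(build_local_overrides(SAMPLE_DEFAULT, ["WinEventLog://Security", "WinEventLog://System"]))
```

Write the returned text to local/inputs.conf inside the unarchived add-on folder before copying the folder to the deployment server.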
Set up universal forwarders as deployment clients
Set up universal forwarders as deployment clients to the Forwarder Management instance using one of the following methods:
- Use the CLI to configure the forwarder as a deployment client:
> .\splunk set deploy-poll <IP address/hostname of Forwarder Management server>:<port>
- On the universal forwarder, edit %SPLUNK_HOME%\etc\system\local and add the following text to the file:
[deployment-client]

[target-broker:deploymentServer]
targetUri = <IP address/hostname of Forwarder Management server>:<port>
After performing either method, restart the forwarder.
Set up server classes on the deployment server
After you configure the Splunk Add-on for Windows and set up the forwarders as deployment clients, define a server class for the forwarders on the deployment server instance.
- Log in to Splunk Enterprise on the deployment server.
- From Splunk Home, select Settings > Forwarder Management.
- Click the Server classes tab.
- Click New Server Class.
- In the dialog box, type a name for the server class.
- Click Save.
- Click Add Apps.
- Under Unselected Apps, select Splunk Add-on for Windows.
- Click Save.
- Click Add clients.
- Specify the clients that should receive the Splunk Add-on for Windows by populating Include (whitelist). You can enter host names, DNS names, IP addresses, or a wildcard that represents more than one deployment client. Separate multiple host names with commas. Alternatively, you can specify clients that should not receive the add-on by entering host names, DNS names, IP addresses, or wildcards in the Exclude (blacklist) field. Do not specify a host in both fields, as this prevents any host from receiving the add-on.
- Click Save. Forwarder Management returns you to the Edit Server Class screen, which displays the clients that have received the Splunk Add-on for Windows.
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8