Splunk® Enterprise

Admin Manual

Put Splunk Enterprise onto system images

This topic explains the concepts of making Splunk Enterprise a part of every Windows system image or installation process. It also guides you through the general process of integration, regardless of the imaging utilities that you use.

Concepts for system integration on Windows

The main reason to integrate Splunk Enterprise into Windows system images is to ensure that Splunk Enterprise is available immediately when the machine is activated for use in the enterprise. This frees you from having to install and configure Splunk Enterprise after activation.

In this scenario, when a Windows system is activated, it immediately launches Splunk Enterprise after booting. Then, depending on the type of Splunk Enterprise instance installed and the configuration given, Splunk Enterprise either collects data from the machine and forwards it to an indexer (in many cases), or begins indexing data that is forwarded from other Windows machines.

System administrators can also configure Splunk Enterprise instances to contact a deployment server, which allows for further configuration and update management.

In many typical environments, universal forwarders on Windows machines send data to a central indexer or group of indexers, which then allow that data to be searched, reported and alerted on, depending on your specific needs.

Considerations for system integration

Integrating Splunk Enterprise into your Windows system images requires planning.

In most cases, the preferred Splunk Enterprise component to integrate into a Windows system image is a universal forwarder. The universal forwarder is designed to share resources on computers that perform other roles, and does much of the work that an indexer can, at much less cost. You can also modify the forwarder's configuration using the deployment server or an enterprise-wide configuration manager with no need to use Splunk Web to make changes.

In some situations, you may want to integrate a full instance of Splunk Enterprise into a system image. Where and when this is more appropriate depends on your specific needs and resource availability.

You should not include a full version of Splunk Enterprise in an image for a server that performs any other type of role, unless you have specific need for the capability that an indexer has over a forwarder. Installing multiple indexers in an enterprise does not give you additional indexing power or speed, and can lead to undesirable results.

Before integrating Splunk Enterprise into a system image, consider:

  • the amount of data you want Splunk Enterprise to index, and where you want it to send that data, if applicable. This feeds directly into disk space calculations, and should be a top consideration.
  • the type of Splunk Enterprise instance to install on the image or machine. Universal forwarders have a significant advantage when installing on workstations or servers that perform other duties, but might not be appropriate in some cases.
  • the available system resources on the imaged machine. How much disk space, RAM and CPU resources are available on each imaged system? Will it support a Splunk Enterprise installation?
  • the resource requirements of your network. Splunk Enterprise needs network resources, whether you're using it to connect to remote machines using WMI to collect data, or you're installing forwarders on each machine and sending that data to an indexer.
  • the system requirements of other programs installed on the image. If Splunk Enterprise is sharing resources with another server, it can take available resources from those other programs. Consider whether or not you should install other programs on a workstation or server that is running a full instance of Splunk Enterprise. A universal forwarder will work better in cases like this, as it is designed to be lightweight.
  • the role that the imaged machine plays in your environment. Will it be a workstation only running productivity applications like Office? Or will it be an operations master domain controller for your Active Directory forest?

Integrate Splunk Enterprise into a system image

Once you have determined the answers to the questions in the checklist above, the next step is to integrate Splunk Enterprise into your system images. The steps listed are generic, allowing you to use your favorite system imaging or configuration tool to complete the task.

Choose one of the following options for system integration:

Last modified on 30 September, 2019
Deploy Splunk Enterprise on Windows   Integrate a universal forwarder onto a system image

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters