Integrate a universal forwarder onto a system image
This topic discusses the procedure to integrate a Splunk universal forwarder into a Windows system image. For additional information about integrating Splunk Enterprise into images, see Integrate Splunk Enterprise into system images.
Install and configure Windows and applications
- On a reference computer, install and configure Windows the way that you want, including installing Windows features, service packs, and other components.
- Install and configure necessary applications, taking into account Splunk's system and hardware capacity requirements.
- Install and configure the universal forwarder from the command line. You must supply at least the LAUNCHSPLUNK=0 command line flag when you perform the installation.
- Proceed through the graphical portion of the install, selecting the inputs, deployment servers, and/or forwarder destinations you want.
- After the installation has completed, open a command prompt or PowerShell window.
Edit configurations and run clone-prep-clear-config
- (Optional) Edit configuration files that were not configurable in the installer.
- Change to the universal forwarder bin directory.
- Run ./splunk clone-prep-clear-config.
- Exit the command prompt or PowerShell window.
- In the Services Control Panel, configure the splunkd service to start automatically by setting its startup type to 'Automatic'.
- Prepare the system image for domain participation using a utility such as Windows System Image Manager (WSIM). Microsoft recommends using SYSPREP or WSIM as the method to change machine Security Identifiers (SIDs) prior to cloning, as opposed to using third-party tools (such as Ghost Walker or NTSID).
Clone and restore the image
- Restart the machine and clone it with your favorite imaging utility.
- After cloning the image, use the imaging utility to restore it into another physical or virtual machine.
- Run the cloned image. Splunk services start automatically.
- Use the CLI to restart Splunk Enterprise to remove the cloneprep information:
  splunk restart
  You must restart Splunk Enterprise from the CLI to delete the cloneprep file. Restarting the Splunk service does not perform the deletion.
- Confirm that the $SPLUNK_HOME\cloneprep file has been deleted.
The image is now ready for deployment.
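The clone-prep steps and the post-clone check above can be scripted so that an image is never deployed with the cloneprep file still in place. The following PowerShell is an added example, not part of the Splunk documentation or tooling; the -Phase parameter is hypothetical, and the install directory and service name defaults are assumptions to adjust for your environment.

```powershell
# Added example, not Splunk's own tooling. Assumed values are marked below.
param(
    [ValidateSet('PreImage', 'PostClone')]
    [string]$Phase = 'PostClone',
    # Assumption: default universal forwarder install directory ($SPLUNK_HOME).
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    # Assumption: service name as registered on your system (the page calls it the splunkd service).
    [string]$ServiceName = 'SplunkForwarder'
)

$ErrorActionPreference = 'Stop'
$splunkExe = Join-Path $SplunkHome 'bin\splunk.exe'
$clonePrep = Join-Path $SplunkHome 'cloneprep'
if (-not (Test-Path -LiteralPath $splunkExe)) {
    throw "splunk.exe not found under $SplunkHome"
}

function Invoke-Splunk {
    param([string[]]$Arguments)
    & $splunkExe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "splunk $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
}

switch ($Phase) {
    'PreImage' {
        # Run on the reference computer, before SYSPREP/WSIM and cloning.
        Invoke-Splunk -Arguments 'clone-prep-clear-config'
        Set-Service -Name $ServiceName -StartupType Automatic
        $svc = Get-Service -Name $ServiceName
        if ($svc.StartType -ne 'Automatic') {
            throw "$ServiceName startup type is $($svc.StartType), expected Automatic"
        }
        Write-Output 'Reference computer prepared; continue with SYSPREP or WSIM.'
    }
    'PostClone' {
        # Run on the restored clone. Only a CLI restart removes the cloneprep file;
        # restarting the Windows service does not.
        Invoke-Splunk -Arguments 'restart'
        if (Test-Path -LiteralPath $clonePrep) {
            throw "cloneprep still present at $clonePrep; do not deploy this image yet"
        }
        Write-Output 'cloneprep removed; image is ready for deployment.'
    }
}
```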
This documentation applies to the following versions of Splunk® Enterprise: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1