Deploy the Splunk Add-on for Windows with Forwarder Management
If you have a deployment with many universal forwarders and want to deploy the Splunk Add-on for Windows to them, use the Splunk Enterprise Forwarder Management interface to distribute the add-on to those forwarders.
Deploying the Splunk Add-on for Windows with Forwarder Management is a different process than deploying the add-on manually. In this scenario, you download and configure the add-on first, then place it into a Splunk Enterprise instance that has the Forwarder Management capability activated. Then, you set up a server class that tells Forwarder Management to deploy the add-on to available clients. Finally, you configure the forwarders as deployment clients of the Forwarder Management instance.
Before you can distribute apps and add-ons using Forwarder Management, you must:
- Download and configure the Splunk Add-on for Windows.
- Place the configured add-on into a full Splunk Enterprise instance that you have designated as a deployment server/Forwarder Management instance. All Splunk Enterprise instances have this capability enabled by default.
- Configure the universal forwarders in your deployment to be deployment clients of this Splunk Enterprise instance.
- Create a server class that tells Forwarder Management to send the add-on to all Windows universal forwarders in the deployment.
Download, configure, and install the Splunk Add-on for Windows
To use Forwarder Management, you must have at least one app or add-on available to push to forwarders. In this scenario, the add-on is the Splunk Add-on for Windows.
- Download the Splunk Add-on for Windows.
- Unarchive the downloaded file into an accessible location.
- Configure the Splunk Add-on for Windows. Enable the input stanzas for the Windows data that you want the add-on to collect.
- After enabling input stanzas, copy the Splunk Add-on for Windows folder to %SPLUNK_HOME%\etc\deployment-apps on the deployment server (the Splunk Enterprise instance that runs Forwarder Management).
- Restart Splunk Enterprise on the deployment server.
- Write down the host name or IP address and management port of the deployment server. You need it later to configure deployment clients.
Set up universal forwarders to be deployment clients
Before you can deploy add-ons and configurations to forwarders, they must first be set up as deployment clients to the Forwarder Management instance. You can do this either when you install the forwarders, or at any time after you install them.
During the forwarder installation process
On Windows hosts, the universal forwarder installer lets you specify a deployment server during the installation process. See Install a Windows universal forwarder from an installer in the Universal Forwarder manual.
When you reach the "Deployment server" pane during installation, specify the IP address or host name and management port of the deployment server instance.
Complete the installation. The forwarder should then appear on the Forwarder Management page of the Forwarder Management instance.
On forwarders you have already installed
You can either use the CLI or edit a configuration file to set the deployment server on a universal forwarder. For more information on configuring a deployment server, see Configure deployment clients in the Splunk Enterprise Updating Instances Manual.
- (Optional) If you have already set up a forwarder, use the CLI to configure it as a deployment client:
> .\splunk set deploy-poll <IP address/hostname of Forwarder Management server>:<port>
- (Optional) On the universal forwarder, edit %SPLUNK_HOME%\etc\system\local and add the following text to the file:
[deployment-client]
[target-broker:deploymentServer]
targetUri = <IP address/hostname of Forwarder Management server>:<port>
- After performing either method, restart the forwarder.
Set up server classes on the deployment server
After you configure the Splunk Add-on for Windows and set up the forwarders as deployment clients, define a server class for the forwarders on the deployment server instance.
- Log in to Splunk Enterprise on the deployment server.
- From Splunk Home, select "Settings > Forwarder Management". Splunk Enterprise loads the Forwarder Management page.
- Click the "Server classes" tab.
- Click "New Server Class".
- In the dialog box that appears, type in a name for the server class.
- Click "Save". Splunk Enterprise loads the "Edit Server Class" screen.
- Click the "Add Apps" button. Splunk Enterprise loads the "Add Apps" screen.
- In the "Unselected Apps" pane, click the "Splunk Add-on for Windows" entry. It moves over to the "Selected Apps" pane.
Note: If you do not see the Splunk Add-on for Windows in the "Unselected Apps" pane, confirm that you copied the add-on into the %SPLUNK_HOME%\etc\deployment-apps directory on the deployment server instance and restarted Splunk Enterprise on that instance.
- Click "Save". Splunk Enterprise returns to the "Edit Server Class" screen.
- Click the "Add clients" button. Splunk Enterprise loads the "Edit Clients" screen.
- Specify the clients that you want to receive the Splunk Add-on for Windows by entering a string in the "Include (whitelist)" field that represents a list of the clients that should receive the add-on.
You can enter host names, DNS names, IP addresses, or a wild card that represents more than one deployment client. Separate multiple hostnames with commas. Alternatively, you can specify clients that should not receive the add-on by entering host names, DNS names, IP addresses or wild cards in the "Exclude (blacklist)" field.
Note: If you specify a host in both fields, by default that host does not receive the add-on. See Use forwarder management to manage clients in the Splunk Enterprise Updating Splunk Enterprise Instances Manual for information on how whitelists and blacklists work.
- Click "Save". Forwarder Management returns you to the "Edit Server Class" screen and updates to let you know which clients have received the Splunk Add-on for Windows.
- (Optional) Make additional updates to the server class or click "Back to Forwarder Management" to return to the main Forwarder Management screen.
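The include/exclude behavior described above, as an added example that is not part of the Splunk documentation: a Python preview of which clients a server class would target before you click "Save", so the add-on is not pushed to hosts you did not intend. It assumes `*` is the only wildcard and that matching is case-insensitive against host name, DNS name, and IP address; the function names and the client inventory are constructed for illustration.

```python
import re

# Constructed client inventory (hypothetical hosts), not data from a real deployment.
CLIENTS = [
    {"hostname": "WIN-DC01", "dns": "win-dc01.corp.example", "ip": "10.0.1.10"},
    {"hostname": "WIN-WS042", "dns": "win-ws042.corp.example", "ip": "10.0.2.42"},
    {"hostname": "WIN-LAB07", "dns": "win-lab07.lab.example", "ip": "10.0.9.7"},
    {"hostname": "lnx-web01", "dns": "lnx-web01.corp.example", "ip": "10.0.3.5"},
]

def _compile(pattern):
    # Assumption of this sketch: only '*' is a wildcard, everything else is
    # literal, and the pattern must cover the whole value (case-insensitive).
    parts = (re.escape(p) for p in pattern.strip().split("*"))
    return re.compile(".*".join(parts) + r"\Z", re.IGNORECASE)

def _parse(field):
    # The include and exclude fields take comma-separated entries.
    return [_compile(p) for p in field.split(",") if p.strip()]

def _matches(patterns, client):
    # A client matches when any of its identifiers matches any pattern.
    ids = [client.get(k, "") for k in ("hostname", "dns", "ip")]
    return any(p.match(v) for p in patterns for v in ids if v)

def preview(include, exclude, clients):
    """Return (receives, excluded, unmatched) lists of host names."""
    inc, exc = _parse(include), _parse(exclude)
    receives, excluded, unmatched = [], [], []
    for c in clients:
        if _matches(exc, c):
            excluded.append(c["hostname"])   # exclude takes precedence
        elif _matches(inc, c):
            receives.append(c["hostname"])
        else:
            unmatched.append(c["hostname"])  # in neither list: not targeted
    return receives, excluded, unmatched

if __name__ == "__main__":
    r, e, u = preview("WIN-*", "*.lab.example, WIN-DC01", CLIENTS)
    print("receives the add-on:", r)
    print("excluded:", e)
    print("not matched by include:", u)
```

Compare the preview with the client list that Forwarder Management shows on the "Edit Server Class" screen after saving; any difference means the assumptions above do not hold for your deployment.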
This documentation applies to the following versions of Splunk® Add-on for Windows: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4