Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

This documentation does not apply to the most recent version of Splunk® Add-on for Windows. For documentation on the most recent version, go to the latest release.

Install the Splunk Add-on for Windows with Forwarder Management

If you have a deployment with many universal forwarders and want to deploy the Splunk Add-on for Windows to them, use the Splunk Enterprise Forwarder Management interface to distribute the add-on to those forwarders.

Deploying the Splunk Add-on for Windows with Forwarder Management is a different process than deploying the add-on manually. In this scenario, you download and configure the add-on first, then place it into a Splunk Enterprise instance that has the Forwarder Management capability activated. Then, you set up a server class that tells Forwarder Management to deploy the add-on to available clients. Finally, you configure the forwarders as deployment clients of the Forwarder Management instance.

Prerequisites

Before you can distribute apps and add-ons using Forwarder Management, you must complete the following steps:

  • Download and configure the Splunk Add-on for Windows. See Configure the Splunk Add-on for Windows.
  • Place the configured add-on into a full Splunk Enterprise instance that you have designated as a deployment server/Forwarder Management instance. All Splunk Enterprise instances have this capability enabled by default.
  • Configure the universal forwarders in your deployment to be deployment clients of this Splunk Enterprise instance.
  • Create a server class that tells Forwarder Management to send the add-on to all Windows universal forwarders in the deployment.

Download, configure, and install the Splunk Add-on for Windows

To use Forwarder Management, you must have at least one app or add-on available to push to forwarders. In this scenario, the add-on is the Splunk Add-on for Windows.

  1. Download the Splunk Add-on for Windows.
  2. Unarchive the downloaded file into an accessible location.
  3. Configure the Splunk Add-on for Windows. Enable the input stanzas for the Windows data that you want the add-on to collect.
  4. After enabling input stanzas, copy the Splunk Add-on for Windows folder to %SPLUNK_HOME%\etc\deployment-apps on the deployment server (the Splunk Enterprise instance that runs Forwarder Management).
  5. Restart Splunk Enterprise on the deployment server.
  6. Write down the host name or IP address and management port of the deployment server. You need it later to configure deployment clients.

Set up universal forwarders to be deployment clients

Before you can deploy add-ons and configurations to forwarders, they must first be set up as deployment clients to the Forwarder Management instance. You can do this either when you install the forwarders, or at any time after you install them.

During the forwarder installation process

On Windows hosts, the universal forwarder installer lets you specify a deployment server during the installation process. See Install a Windows universal forwarder from an installer in the Universal Forwarder manual.

When you reach the Deployment server pane during installation, specify the IP address or host name and management port of the deployment server instance.

Complete your installation, and the forwarder should then appear in the Forwarder Management page on the Forwarder Management instance.

On forwarders you have already installed

You can either use the CLI or edit a configuration file to set the deployment server on a universal forwarder. For more information on configuring a deployment server, see Configure deployment clients in the Splunk Enterprise Updating Instances Manual.

  1. (Optional) If you have already set up a forwarder, use the CLI to configure it as a deployment client:
    > .\splunk set deploy-poll <IP address/hostname of Forwarder Management server>:<port>
    
  2. (Optional) On the universal forwarder, edit deploymentclient.conf in %SPLUNK_HOME%\etc\system\local and add the following text to the file:
    [deployment-client]
    
    [target-broker:deploymentServer]
    targetUri = <IP address/hostname of Forwarder Management server>:<port>
    
  3. After performing either method, restart the forwarder.

Set up server classes on the deployment server

After you configure the Splunk Add-on for Windows and set up the forwarders as deployment clients, define a server class for the forwarders on the deployment server instance.

  1. Log in to Splunk Enterprise on the deployment server.
  2. From Splunk Home, select "Settings > Forwarder Management". Splunk Enterprise loads the Forwarder Management page.
  3. Click the "Server classes" tab.
  4. Click "New Server Class".
  5. In the dialog box that appears, type in a name for the server class.
  6. Click "Save". Splunk Enterprise loads the "Edit Server Class" screen.
  7. Click the "Add Apps" button. Splunk Enterprise loads the "Add Apps" screen.
  8. In the "Unselected Apps" pane, click the "Splunk Add-on for Windows" entry. It moves over to the "Selected Apps" pane. Note: If you do not see the Splunk Add-on for Windows in the "Unselected Apps" pane, confirm that you copied the add-on into the %SPLUNK_HOME%\etc\deployment-apps directory on the deployment server instance and restarted Splunk Enterprise on that instance.
  9. Click "Save". Splunk Enterprise returns to the "Edit Server Class" screen.
  10. Click the "Add clients" button. Splunk Enterprise loads the "Edit Clients" screen.
  11. Specify the clients that you want to receive the Splunk Add-on for Windows by entering a string in the "Include (whitelist)" field that represents a list of the clients that should receive the add-on.

    You can enter host names, DNS names, IP addresses, or a wild card that represents more than one deployment client. Separate multiple hostnames with commas. Alternatively, you can specify clients that should not receive the add-on by entering host names, DNS names, IP addresses or wild cards in the "Exclude (blacklist)" field.

    Note: If you specify a host in both fields, by default that host does not receive the add-on. See Use forwarder management to manage clients in the Splunk Enterprise Updating Splunk Enterprise Instances Manual for information on how allowlists and blocklists work.
  12. Click "Save". Forwarder Management returns you to the "Edit Server Class" screen and updates to let you know which clients have received the Splunk Add-on for Windows.
  13. (Optional) Make additional updates to the server class or click "Back to Forwarder Management" to return to the main Forwarder Management screen.
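
The include/exclude rule from step 11 can be previewed against a host inventory before you save the server class. The following is an added example, not Splunk's own code or matching implementation: it assumes `*` is the only wildcard and that comparison ignores case, and the inventory is constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Client:
    """One deployment client, identified the three ways the page lists."""
    host_name: str
    dns_name: str
    ip: str

def _compile(field):
    """Split a comma-separated filter field and turn each entry into a regex.
    Assumption: '*' is the only wildcard and matching ignores case."""
    patterns = []
    for entry in (e.strip() for e in field.split(",")):
        if entry:
            body = ".*".join(re.escape(part) for part in entry.split("*"))
            patterns.append(re.compile(body, re.IGNORECASE))
    return patterns

def _matches(client, patterns):
    """True if any identifier of the client fully matches any pattern."""
    ids = (client.host_name, client.dns_name, client.ip)
    return any(p.fullmatch(i) for p in patterns for i in ids)

def preview(clients, include, exclude=""):
    """Return (receives, excluded, unmatched) host names for the two filter fields.
    A client that matches both fields is excluded, as the note in step 11 states."""
    inc, exc = _compile(include), _compile(exclude)
    receives, excluded, unmatched = [], [], []
    for c in clients:
        if _matches(c, exc):
            excluded.append(c.host_name)
        elif _matches(c, inc):
            receives.append(c.host_name)
        else:
            unmatched.append(c.host_name)
    return receives, excluded, unmatched

# Constructed inventory; names and addresses are illustrative only.
INVENTORY = [
    Client("WIN-WEB01", "win-web01.corp.example", "10.20.0.11"),
    Client("WIN-DC01", "win-dc01.corp.example", "10.20.0.5"),
    Client("WIN-SQL01", "win-sql01.corp.example", "10.20.1.40"),
    Client("lnx-proxy01", "lnx-proxy01.corp.example", "10.20.0.77"),
]

if __name__ == "__main__":
    got, blocked, skipped = preview(INVENTORY, "WIN-*, 10.20.0.*", "win-dc*")
    print("receives:", got, "excluded:", blocked, "not matched:", skipped)
```

With the sample filters, the IP wildcard also selects the non-Windows host `lnx-proxy01`, which is the kind of over-broad match worth catching before the add-on is pushed.
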
Last modified on 06 January, 2021

This documentation applies to the following versions of Splunk® Add-on for Windows: 8.1.1

