When you manually run the Windows Universal Forwarder .msi installer on a windows workstation, part of the setup process asks you to install the Technology Add-On for windows, (built in to the forwarder installer,) at the same time. After the manual install completes the forwarder starts sending windows event log data to the indexer specified during the install process. When I try to push the installer using command line options the TA does not get installed and there is no option in the documentation that I can find to get it to install. This causes the forwarder to check in with the indexer as specified on the command line but not start sending windows event log data as also specified on the install command line.
Is there a way to have the universal forwarder install also install the TA like it does when you manually run the installer or do I have push the TA as a separate process?
I'm not so sure the question is accurate. The Windows TA is not built into the forwarder. Some Windows components are built in, but not the entire Windows TA.
There is documentation for enabling Windows inputs in the Universal Forwarder from the command line that can be run locally or remotely. See:
If you want to install the full Windows TA, then you must either do it manually, or use a deployment server. See this document:
For my Windows systems I do not enable any Windows inputs on the Universal Forwarder because I like to control them from the deployment server with custom Windows TA apps.
I've not been able to upgrade to 6.0 yet, but according the document I posted above the inputs should be enableable from the command line install options.
You did not post your command line install string, so I'm assuming you tried to enable the inputs. If that did not also install the TA AND the inputs don't work, which would be expected even if the inputs have been separated, then I think you found two bugs. One, pushing the forwarder install does not enable windows inputs, and two the windows inputs have removed from the forwarder, but the TA cannot be installed via command line.
Thanks for your response. My question is entirely accurate though.
The Windows TA IS built in to at least version 6.0-182611 of the Splunk Forwarder for Windows. Try installing the forwarder manually on a Windows machine that has not had the TA installed.
The Universal Forwarder - InstallShield Wizard asks you to select a Splunk Technology Add-on for Windows installation. You get 2 choices,
Install the Splunk Technology Add-on for Windows included with this installer (Recommended) ver 4.6.4-182495
Install an existing local copy of the Splunk Technology Add-on for Windows.
Thank you! I've just spent 30 minutes googling unsuccessfully for this particular tidbit of information. I knew the TA had been rolled into the window SUF package, but could not find that mentioned in any release notes.