Hey @DavidHourani , Thanks for answer!

Yes, I have followed this article, but when I type "splunk install app -auth :", I receive this message error:

Did not find "disabled" setting of "kvstore" stanza in server bundle.
Couldn't complete HTTP request: Winsock error #10022

This error is from event viewer:

Faulting application name: SplunkD.EXE, version: 2048.256.24031.1943, time stamp: 0x5ddf0b24
Faulting module name: ucrtbase.DLL, version: 10.0.10586.212, time stamp: 0x56fa10e8
Exception code: 0xc0000409
Fault offset: 0x00000000000698fe
Faulting process id: 0x142c
Faulting application start time: 0x01d5cc7ddfb89889
Faulting application path: C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE
Faulting module path: C:\Program Files\SplunkUniversalForwarder\bin\ucrtbase.DLL
Report Id: 1e9fe115-3871-11ea-941d-44a8421b43ed
Faulting package full name:
Faulting package-relative application ID:

could you please post what's in internal logs ? In splunkd.log

Hey @DavidHourani

here is the logs,

01-17-2020 08:05:00.383 -0800 WARN DC:DeploymentClient - DeploymentClient explicitly disabled through config.
01-17-2020 08:05:00.383 -0800 WARN SHCConfig - Default pass4symkey is being used. Please change to a random one.
01-17-2020 08:05:00.633 -0800 WARN UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts
01-17-2020 08:05:00.992 -0800 WARN X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see:
01-17-2020 08:05:01.008 -0800 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

thanks in advance.

Marcelo Amorim

is there any local firewall running on your machine ? Anything that might be blocking the traffic ?