Getting Data In

How to create a golden image of Windows 2008R2 with a Splunk universal forwarder?

New Member

Hello,

I am trying to create a golden image of Windows 2008r2 with a Splunk forwarder on it. I tried running the command SplunkUniversalForwarder\bin\splunk cone-prep-clear-config, but I got an error stating cone-prep-clear-config is not a valid command. I have successfully ran this command on Linux. Am I supposed to use some other command for Windows?

Error:

PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk.exe cone-prep-clear-config
Command error: 'cone-prep-clear-config' is not a valid command.  Please run 'splunk help' to see the valid commands.
Data forwarding configuration management tools.
  Commands:
      enable local-index [-parameter <value>] ...
      disable local-index [-parameter <value>] ...
      display local-index
      add [forward-server|search-server] server
      remove [forward-server|search-server] server
      list [forward-server|search-server]
  Objects:
      forward-server       a Splunk forwarder to forward data to be indexed
      search-server        a Splunk server to forward searches
      local-index          a local search index on the Splunk server
0 Karma

Path Finder

dhruva123
Make sure when you install the universal forwarder that you use the command line switch LAUNCHSPLUNK=0
That stops the universal forwarder from starting after the installation is complete otherwise the splunk.exe clone-prep-clear-config command won't be able to clear all the files.
Make sure this is the last thing you do before you power off the master/golden image for the last time. If you reboot you will need to stop the universal forwarder service again and rerun the splunk.exe clone-prep-clear-config command again.

SplunkTrust
SplunkTrust

Per the docs on integrating a universal forwarder onto a system image, it's

C:\Program Files\SplunkUniversalForwarder\bin> splunk.exe clone-prep-clear-config

You had "cone" instead of "clone". Don't know if that was your actual problem or not, but it could be.