Getting Data In

How to deploy Splunk using a universal forwarder through Tivoli Endpoint Manager (TEM)?


Hi Guys,

We are at a phase where we need to deploy universal forwarder setup through Tivoli Endpoint Manager (TEM) over multiple servers.
However, for deploying through Tivoli, we need to create fixlets.
Is there any way to get the batch file from the Splunk Universal Forwarder or is there any other method to give it a try?

0 Karma

Splunk Employee
Splunk Employee

Many have used scripts such as:

Here is how you can create a system image of Splunk:

Perhaps this can help you since I don't have access to Tivoli.

0 Karma


Hi dmaislin ,

Thnaks for the response was a great hepl
Manged to deploy it by tivoli
However We deployed Splunk universal forwarder through tivoli which was pointing to the deployment server. On deploying it we found out that there is a inputs.conf getting created in local folder with only the hostname.
We deployed Splunk-TA-Winodows through deployment server.
Using a batch file we appended the inputs.conf host data form system/local to Splunk-TA-Windows/local/inputs.conf and deleted the inputs.conf and restarted splunkd. All worked fine.
Now we have the Splunk-TA-Winodws deployed through deployment servrer, when the client phones home it removes the hostname as there and keeps the conf file present in the deployment app?
How can i add the host details in splunk without getting it override ?
I have 100 servers in all and want the hostname of each present in the inputs.conf of the TA ?

0 Karma

Splunk Employee
Splunk Employee

You didn't prepare your system image that gets deployed correctly if there is a local folder that contains a system/local/inputs.conf with:

host =

If you follow these instructions:

Then you would prepare your image once it is setup correctly, and the command:

Run ./splunk clone-prep-clear-config.

Would clear out the inputs.conf in local. You don't need it since that inputs.conf will get created the moment the forwarder that gets deployed and starts up for the very first time.

0 Karma


If you're deploying Splunk_TA_windows through Deployment Server, it will control the whole app. However, any settings that you put in etc/system/local/inputs.conf will be merged with what's in the app and take precedence in the case of a conflict. Therefore, putting the hostname in etc/system/local/inputs.conf should do exactly what you want. You can always create local apps that aren't managed by Deployment Server, too, but in this particular case it's probably appropriate to use etc/system/local/inputs.conf.

For reference, details about configuration precedence are available at and "precedence order within global context" applies to your situation.

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...