Getting Data In

SCCM Package for deploying Splunk Universal Forwarder

dperre_splunk
Splunk Employee
Splunk Employee

The question is how do we install Splunk through SCCM and is there any prebuilt packages?

0 Karma
1 Solution

dperre_splunk
Splunk Employee
Splunk Employee

So answering my own question for the community. Whilst this is not Splunk official advice this is what I used in my former role.

Steps are to replace the msi path with the new MSI package, then update your deployment server IP address. Please note, this is setup without a default indexer to send data to. This allows you to customise it down the track :). Please provide feedback if this does not answer your question.

::splunk installer
reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE | find /i "x86" > NUL && set OS=32BIT || set OS=64BIT
if %OS%==32BIT GOTO Run32
if %OS%==64BIT GOTO Run64
:Run64
msiexec /i "%~dp0splunkforwarder-6.5.1-264376-x64-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER=" SERVERNAME:PORT " /quiet
Set MSIError=%Errorlevel%
GOTO End
:Run32
msiexec /i "%~dp0splunkforwarder-6.5.1-264376-x86-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER=" SERVERNAME:PORT " /quiet
Set MSIError=%Errorlevel%
:End
exit /B %MSIError%

View solution in original post

dperre_splunk
Splunk Employee
Splunk Employee

So answering my own question for the community. Whilst this is not Splunk official advice this is what I used in my former role.

Steps are to replace the msi path with the new MSI package, then update your deployment server IP address. Please note, this is setup without a default indexer to send data to. This allows you to customise it down the track :). Please provide feedback if this does not answer your question.

::splunk installer
reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE | find /i "x86" > NUL && set OS=32BIT || set OS=64BIT
if %OS%==32BIT GOTO Run32
if %OS%==64BIT GOTO Run64
:Run64
msiexec /i "%~dp0splunkforwarder-6.5.1-264376-x64-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER=" SERVERNAME:PORT " /quiet
Set MSIError=%Errorlevel%
GOTO End
:Run32
msiexec /i "%~dp0splunkforwarder-6.5.1-264376-x86-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER=" SERVERNAME:PORT " /quiet
Set MSIError=%Errorlevel%
:End
exit /B %MSIError%

arrangineni
Path Finder

Can we define a stanza in the script to disable the perfmons metrics that are automatically getting enabled when using the script on the windows 2016 server, any ideas would be very helpful

0 Karma

dperre_splunk
Splunk Employee
Splunk Employee

Hi arrangineni. I had a look at the docs here https://docs.splunk.com/index.php?title=Documentation:Forwarder:Forwarder:InstallaWindowsuniversalfo...

It seems that the default is not to enable perfmon. Are you sure that your deployment server is not enabling this?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

I love it!

What about moving the package names to be variables at the top. That way you can edit those as builds change but not have to muck around in the script itself.

0 Karma

dstaulcu
Builder

Thanks for sharing. Speaking of install management. Here's a script of last resort that I use to remove the splunk agent on a host when updates or uninstalls routinely fail via MSI.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...