Getting Data In

Why aren't my command line flags working when installing a Universal Forwarder (UF) via Power Shell on Windows?

hettervik
Builder

Hi,

I'm testing an install of a Splunk UF on a Windows server using the Power Shell command line. The server is supposed to be used as a golden image for provisioning, so I have to prepare the UF for cloning. The Power Shell command I'm using is the following.

msiexec.exe /i .\splunkforwarder-7.0.1-<id>-x64-release.msi AGREETOLICENSE=Yes DEPLOYMENT_SERVER="<servername>" LAUNCHSPLUNK=0 CLONEPREP=1 SERVICESTARTTYPE=manual SPLUNKPASSWORD=<password> /quiet

My problem is that some of the flags don't seem to have any effect on it at all. The flags AGREETOLICENSE, DEPLOYMENT_SERVER, and LAUNCHSPLUNK all works fine, but the flags CLONEPREP and SERVICESTARTTYPE do nothing. The UF service is still sat to "automatic", and the servername of the host I'm installing on is still written to server.conf and inputs.conf. I get no output on the terminal indicating that something is wrong.

Also, I've asked the Splunk Documentation Team about the CLONEPREP flag and they confirmed that the flag should work with recent versions of the software.

Does anyone have any idea on why the flags aren't working, or how to troubleshoot this issue?

0 Karma

jhornsby_splunk
Splunk Employee
Splunk Employee

Hi @hettervi,

Unfortunately SERVICESTARTTYPE does not work. We have a bug tracking that issue. It looks like CLONEPREP should, though. If you enable MSI logging, do the logs mention "ClonePrepClearConfig" at all?

Cheers,

- Jo.

hettervik
Builder

Hi @jhornsby,

Thanks! That would explain why SERVICESTARTTYPE doesn't work. I guess the easiest solution to make the service "manual" is to use a GPO in Windows, or perhaps add an additional service-change command in Power Shell after the msiexec-command.

About CLONEPREP, I actually found out something interesting just today. It started working if I removed the SPLUNKPASSWORD flag. If I uninstalled the UF and added the SPLUNKPASSWORD flag again, it stopped working.

I haven't looked in the logs yet for further troubleshooting.

0 Karma

jhornsby_splunk
Splunk Employee
Splunk Employee

Hi @hettervi,

Yeah, either of those should work. Don't forget to make sure that the msiexec.exe has finished using Out-Null, or whatever! &:)

And interesting about the CLONEPREP vs SPLUNKPASSWORD thing. I may look into that as part of a different issue I'm working on.

Cheers,

- Jo.

althomas
Communicator

It's a dull answer, but unfortunately it's because they're not supported flags (at least according to the documentation)

https://docs.splunk.com/Documentation/Splunk/latest/Installation/InstallonWindowsviathecommandline

0 Karma

hettervik
Builder

Hi. You're looking at the install documentation for Splunk Enterprise. I'm looking to install a Splunk UF. The document for installing a Windows universal forwarder (version 7.0.1) from the command line states that the flags I'm mentioning should be usable.

http://docs.splunk.com/Documentation/Forwarder/7.0.1/Forwarder/InstallaWindowsuniversalforwarderfrom...

0 Karma

althomas
Communicator

Ah right you are -- sorry

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...