Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- windows agent msi installation string
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Our old msi install string does not seem to work for our manual installs with newer splunk 4.3.x agents
we used the following string on older installs, any ideas why this does not work with the automated msi installer?
msiexec.exe /i splunk-4.1.6-89596-x64-release.msi WINEVENTLOGAPPCHECK=1 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=1 WINEVENTLOGFWDCHECK=1 WINEVENTLOGSETCHECK=1 WMICHECK_CPUTIME=1 WMICHECK_LOCALDISK=1 WMICHECK_FREEDISK=1 WMICHECK_MEMORY=1 AUTOSTARTSERVICE_SPLUNKD=1 AUTOSTARTSERVICE_SPLUNKWEB=0 SPLUNK_APP=SplunkLightForwarder FORWARD_SERVER="spfd.shared-bo.ilg1.vrsn.com:9997" LAUNCHSPLUNK=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using the full splunk or the universal forwarder for 4.3.x?
From your install string above it looks like you are trying to install a full splunk as a light forwarder. It's probably better to use the universal forwarder in that case.
I believe that the following string would work for a universal forwarder and achieve what you want. For the full list of install flags, see the docs
msiexec.exe /i splunkuniversalforwarder-4.3.x-xxxxxxx-x64-release.msi
WINEVENTLOG_APP_ENABLE=1
WINEVENTLOG_SYS_ENABLE=1
WINEVENTLOG_SEC_ENABLE=1
WINEVENTLOG_SET_ENABLE=1
WINEVENTLOG_FWD_ENABLE=1
PERFMON=cpu, memory, network, diskspace
SERVICESTARTTYPE=auto
RECEIVING_INDEXER="spfd.shared-bo.ilg1.vrsn.com:9997"
LAUNCHSPLUNK=0
NOTE, if you are migrating a splunk light forwarder to a universal forwarder, you should read this as well.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using the full splunk or the universal forwarder for 4.3.x?
From your install string above it looks like you are trying to install a full splunk as a light forwarder. It's probably better to use the universal forwarder in that case.
I believe that the following string would work for a universal forwarder and achieve what you want. For the full list of install flags, see the docs
msiexec.exe /i splunkuniversalforwarder-4.3.x-xxxxxxx-x64-release.msi
WINEVENTLOG_APP_ENABLE=1
WINEVENTLOG_SYS_ENABLE=1
WINEVENTLOG_SEC_ENABLE=1
WINEVENTLOG_SET_ENABLE=1
WINEVENTLOG_FWD_ENABLE=1
PERFMON=cpu, memory, network, diskspace
SERVICESTARTTYPE=auto
RECEIVING_INDEXER="spfd.shared-bo.ilg1.vrsn.com:9997"
LAUNCHSPLUNK=0
NOTE, if you are migrating a splunk light forwarder to a universal forwarder, you should read this as well.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kristian, our IT guys were using older pre-universal forwarder clients for a while. I was looking for the updated strings to use for the universal forwarder. Thanks for the link to the docs didnt catch that.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
