- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: windows agent msi installation string
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Our old msi install string does not seem to work for our manual installs with newer splunk 4.3.x agents
we used the following string on older installs, any ideas why this does not work with the automated msi installer?
msiexec.exe /i splunk-4.1.6-89596-x64-release.msi WINEVENTLOGAPPCHECK=1 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=1 WINEVENTLOGFWDCHECK=1 WINEVENTLOGSETCHECK=1 WMICHECK_CPUTIME=1 WMICHECK_LOCALDISK=1 WMICHECK_FREEDISK=1 WMICHECK_MEMORY=1 AUTOSTARTSERVICE_SPLUNKD=1 AUTOSTARTSERVICE_SPLUNKWEB=0 SPLUNK_APP=SplunkLightForwarder FORWARD_SERVER="spfd.shared-bo.ilg1.vrsn.com:9997" LAUNCHSPLUNK=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using the full splunk or the universal forwarder for 4.3.x?
From your install string above it looks like you are trying to install a full splunk as a light forwarder. It's probably better to use the universal forwarder in that case.
I believe that the following string would work for a universal forwarder and achieve what you want. For the full list of install flags, see the docs
msiexec.exe /i splunkuniversalforwarder-4.3.x-xxxxxxx-x64-release.msi
WINEVENTLOG_APP_ENABLE=1
WINEVENTLOG_SYS_ENABLE=1
WINEVENTLOG_SEC_ENABLE=1
WINEVENTLOG_SET_ENABLE=1
WINEVENTLOG_FWD_ENABLE=1
PERFMON=cpu, memory, network, diskspace
SERVICESTARTTYPE=auto
RECEIVING_INDEXER="spfd.shared-bo.ilg1.vrsn.com:9997"
LAUNCHSPLUNK=0
NOTE, if you are migrating a splunk light forwarder to a universal forwarder, you should read this as well.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using the full splunk or the universal forwarder for 4.3.x?
From your install string above it looks like you are trying to install a full splunk as a light forwarder. It's probably better to use the universal forwarder in that case.
I believe that the following string would work for a universal forwarder and achieve what you want. For the full list of install flags, see the docs
msiexec.exe /i splunkuniversalforwarder-4.3.x-xxxxxxx-x64-release.msi
WINEVENTLOG_APP_ENABLE=1
WINEVENTLOG_SYS_ENABLE=1
WINEVENTLOG_SEC_ENABLE=1
WINEVENTLOG_SET_ENABLE=1
WINEVENTLOG_FWD_ENABLE=1
PERFMON=cpu, memory, network, diskspace
SERVICESTARTTYPE=auto
RECEIVING_INDEXER="spfd.shared-bo.ilg1.vrsn.com:9997"
LAUNCHSPLUNK=0
NOTE, if you are migrating a splunk light forwarder to a universal forwarder, you should read this as well.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kristian, our IT guys were using older pre-universal forwarder clients for a while. I was looking for the updated strings to use for the universal forwarder. Thanks for the link to the docs didnt catch that.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
