Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Powershell for splunk forwarder installation

koe600
Explorer
‎10-14-2021 05:45 AM

I can't make this script work for forwarder deployment. It takes up a lot of time to deploy to many servers..

I guess it has som obvious flaw that i can't see...
My script:

[Edit]

$DEPLOYMENT_SERVER="SPLUNK-05:8089"
$RECEIVING_INDEXER="SPLUNK-05:9997"
$MONITOR_PATH="C:\Temp\"
$CERTFILE="c:\temp\cert.pfx"
$CERTPASSWORD="pass"
$LOGON_USERNAME="Admin"
$LOGON_PASSWORD="pass"
$SET_ADMIN_USER=1
$SPLUNKUSERNAME="Admin"
$SPLUNKPASSWORD="pass"
$AGREETOLICENSE="yes"

msiexec.exe /i "\\server\splunkforwarder-8.1.2-545206cc9f70-x64-release.msi" DEPLOYMENT_SERVER=$DEPLOYMENT_SERVER RECEIVING_INDEXER=$RECEIVING_INDEXER MONITOR_PATH=$MONITOR_PATH CERTFILE=$CERTFILE CERTPASSWORD=$CERTPASSWORD SET_ADMIN_USER=$SET_ADMIN_USER SPLUNKUSERNAME=$SPLUNKUSERNAME SPLUNKPASSWORD=$SPLUNKPASSWORD AGREETOLICENSE=$AGREETOLICENSE /Quiet

Labels (3)
0 Karma
Reply

jho-splunk
Splunk Employee
Splunk Employee
‎10-14-2021 06:05 AM

Hi @koe600,

The syntax for setting properties on the msiexec.exe command line is simply

 

NAME=value

 

 Not:

 

/NAME=value

 

Cheers,

 

 - Jo.

Tags (1)
Reply

koe600
Explorer
‎10-14-2021 06:13 AM

@jho-splunk : The original script doesn't contain slashes, just me trying to figure out wht it doesn't work.

I removed the slashes from the post now, i realize it would create confusion.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-14-2021 05:54 AM

Question is what error you get. "I can't make it work" is not very descriptive.

 

0 Karma
Reply

koe600
Explorer
‎10-14-2021 06:02 AM

No error.
If i run with /quiet, the script ends instantly.
If i run the script without /quiet, it just opens the regular install dialog..

Seems like it doesn't care about all the arguments..

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-14-2021 06:11 AM

As @jho-splunk noticed, you put variables as simply key=value pairs, not with a slash, as msiexec parameter.

That's one.

But the other thing that looks strange is those backticks - are they because of you pasting here the command or do you have them in your original command?

EDIT: Oh, and to agree to a license you have to specify Yes/No, not 1/0.

PickleRick_0-1634217229349.png

 

0 Karma
Reply

koe600
Explorer
‎10-14-2021 06:30 AM

@PickleRick: I pasted a "working" version of the script. I see now that i had posted a tweaked version..

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-15-2021 01:26 AM

OK. I tried to run your script. Did you look into the event log?

In my case (I already have older version of UF installed), I get EventID 11730

Product: UniversalForwarder -- Error 1730. You must be an Administrator to remove this application. To remove this application, you can log on as an Administrator, or contact your technical support group for assistance.

If I remove the /quiet switch, indeed the installer starts interactively.

Try adding /L*v some\log\file.txt and review the file after the install starts and terminates.

Reply

Stefanie
Builder
‎10-14-2021 05:48 AM

Is this script too slow to deploy for your organization? I have a powershell script that we use at my organization. I can share it with you if you'd like.

 

0 Karma
Reply

koe600
Explorer
‎10-14-2021 06:32 AM

@Stefanie  Yes please.

 
 
0 Karma
Reply

Stefanie
Builder
‎10-14-2021 06:42 AM 
$Environment = [System.Net.Dns]::GetHostByName(($env:COMPUTERNAME))
Write-Host "This script will only work as admin!" -BackgroundColor Magenta

#Installs the Splunk Forwarder
Start-Process -FilePath C:\Windows\system32\msiexec.exe -ArgumentList "/i splunkforwarder-8.2.0-e053ef3c985f-x64-release.msi AGREETOLICENSE=Yes SERVICESTARTTYPE=auto GENRANDOMPASSWORD=1 /quiet" -Wait -NoNewWindow

#Stop the Splunk Universal Forwarder
Write-Host "Stopping the Splunk Forwarder Service"
Stop-Service -Name SplunkForwarder
Start-Sleep -Seconds 5

#Copy the zzz_config file into the Splunk Program Files
Write-Host "Copying the configuration files"
Copy-Item -Path .\zzz_config_base -Recurse -Destination "C:\Program Files\SplunkUniversalForwarder\etc\apps\"
Start-Sleep -Seconds 5

#Restart the splunk service
Do{
    
    Write-Host "Attempting to restart Splunk Forwarder Service"
    Start-Service -Name SplunkForwarder
    Start-Sleep -Seconds 10

    $Splunk = Get-Service -Name SplunkForwarder 
}until($Splunk.Status -eq "Running")
Write-Host "Splunk Service restarted successfully" -ForegroundColor Green

 

In the folder of my script I have another folder named "zzz_config_base" and in that folder, a "local" folder, and in the local folder is my deploymentclient.conf file which you can create. That conf file has your information to point the forwarder to your Deployment Server.

Reply

koe600
Explorer
‎10-19-2021 12:24 AM

@Stefanie Your script worked well with a few adapations. Thx! 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...