Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Deploy the Splunk Forwarder via Deployment Server

shocko
Contributor
‎01-24-2022 02:41 AM

I'm a a very basic Splunk admin using Splunk Enterprise 8.2.4 with deployment server pushing out our apps/configs to the forwarders. I need to install the agent onto 100 existing Windows 2016/2019 servers. I can easily script up the MSI using MECM or the like but I'm wondering if the Splunk Deployment server can push the agent or if It provides a Powershell script I could hand to my server admins to do same from the target servers? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SinghK
Builder
‎01-24-2022 03:19 AM

Deployment server can only push config to forwarders.

use this powershell script

$errorfile = "D:\Splunk\SplunkForwarderInstall.log" # change path accordingly and update here this will be needed for any issues with installation.
Start-Transcript -Path $errorfile - NoClobber
$csvpath = "D:\Splunk\servers.csv"
$files = Import-Csv -path $csvpath |select -ExpandProperty Name
Write-host "Starting to copy SplunkForwarder installer on $file" -ForegroundColor Green
foreach($file in $files){
    #defining destination and source directory
    $sourcePath = "D:\Splunk<or directory path>"
    $destPath = "\\$file\<directory path>"
    #creating folder
    New-Item -path $destPath -ItemType directory -Force
    #copying
    Copy-Item -Recurse -Path $sourcePath -Destination $destPath -Force
    #running setup for SF
    Write-Host "Copying installer on $file complete" -ForegroundColor Green
    Write-Host "Starting installation on $file" -ForegroundColor Green
    Invoke-Command -ComputerName $file -ScriptBlock { & cmd /c msiexec /i "<location of splunkforwadr.msi>" AGREETOLICENSE=Yes /quiet}
    Write-Host "Installation complete on $file" -ForegroundColor Green
    Write-Host "Validating install by checking if service is running. Please check the output <path to output directory D:\Splunk_install\.....blah blah>"
    $Running = Get-Service -Name "SplunkForwarder" -ComputerName $file -ErrorAction SilentlyContinue
    $name="SplunkForwarder"
    if($Running.Status -eq "Running"){
        Write-host "SplunkForwarder service will be stopped for $file" -ForegroundColor Green
        Get-Service -Name $name -ComputerName $file|Set-Service -Status Stopped
        Write-host "SplunkForwarder service has been stopped on $file" -ForegroundColor Green
        Write-host "Copying deploymentclient.conf to $file" -ForegroundColor Green
        $Dest = "\\$file\c$\Program Files\SplunkUniversalForwarder\etc\system\local"
        $Source = "D:\Splunk\deployemntclient.conf" # Source directory can be any directory update the path here accordingly
        Copy-Item -Recurse -Path $Source -Destination $Dest -Force
        Write-Host "Starting SplunkForwarder service on $file" -ForegroundColor Green
        Get-Service -Name $name -ComputerName $file |Set-Service -Status Running
        Write-Host "SplunkForwarder service has been started on $file" -ForegroundColor Green
    }

}
Stop-transcript
 
try and make changes where needed. like paths etc.
what this basically does is installs forwarders and copies deploymentclient config and restarts  splunkforwarder service and it captures logs as well so you can see errors. 

View solution in original post

Reply
Solved! Jump to solution
Solution

SinghK
Builder
‎01-24-2022 03:19 AM

Deployment server can only push config to forwarders.

use this powershell script

$errorfile = "D:\Splunk\SplunkForwarderInstall.log" # change path accordingly and update here this will be needed for any issues with installation.
Start-Transcript -Path $errorfile - NoClobber
$csvpath = "D:\Splunk\servers.csv"
$files = Import-Csv -path $csvpath |select -ExpandProperty Name
Write-host "Starting to copy SplunkForwarder installer on $file" -ForegroundColor Green
foreach($file in $files){
    #defining destination and source directory
    $sourcePath = "D:\Splunk<or directory path>"
    $destPath = "\\$file\<directory path>"
    #creating folder
    New-Item -path $destPath -ItemType directory -Force
    #copying
    Copy-Item -Recurse -Path $sourcePath -Destination $destPath -Force
    #running setup for SF
    Write-Host "Copying installer on $file complete" -ForegroundColor Green
    Write-Host "Starting installation on $file" -ForegroundColor Green
    Invoke-Command -ComputerName $file -ScriptBlock { & cmd /c msiexec /i "<location of splunkforwadr.msi>" AGREETOLICENSE=Yes /quiet}
    Write-Host "Installation complete on $file" -ForegroundColor Green
    Write-Host "Validating install by checking if service is running. Please check the output <path to output directory D:\Splunk_install\.....blah blah>"
    $Running = Get-Service -Name "SplunkForwarder" -ComputerName $file -ErrorAction SilentlyContinue
    $name="SplunkForwarder"
    if($Running.Status -eq "Running"){
        Write-host "SplunkForwarder service will be stopped for $file" -ForegroundColor Green
        Get-Service -Name $name -ComputerName $file|Set-Service -Status Stopped
        Write-host "SplunkForwarder service has been stopped on $file" -ForegroundColor Green
        Write-host "Copying deploymentclient.conf to $file" -ForegroundColor Green
        $Dest = "\\$file\c$\Program Files\SplunkUniversalForwarder\etc\system\local"
        $Source = "D:\Splunk\deployemntclient.conf" # Source directory can be any directory update the path here accordingly
        Copy-Item -Recurse -Path $Source -Destination $Dest -Force
        Write-Host "Starting SplunkForwarder service on $file" -ForegroundColor Green
        Get-Service -Name $name -ComputerName $file |Set-Service -Status Running
        Write-Host "SplunkForwarder service has been started on $file" -ForegroundColor Green
    }

}
Stop-transcript
 
try and make changes where needed. like paths etc.
what this basically does is installs forwarders and copies deploymentclient config and restarts  splunkforwarder service and it captures logs as well so you can see errors. 
Reply
Solved! Jump to solution

shocko
Contributor
‎01-24-2022 04:12 AM

Much appreciated! Any reason you copy the deployment server config file rather than specifying the deployment server name/port in the MSI parameters? Just curious!

0 Karma
Reply
Solved! Jump to solution

SinghK
Builder
‎01-24-2022 04:15 AM

No specific reason. Just my way of doing things.

If you can please upvote this as an answer. Mucho gracias.

Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎01-24-2022 03:14 AM

Hi @shocko 

Currently we can not use Splunk deployment server to install Splunk UF on remote servers,   it can only used as deplyting apps/configs to exisitng UFS 

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...