Splunk Enterprise

Deploy the Splunk Forwarder via Deployment Server

shocko
Contributor

I'm a very basic Splunk admin using Splunk Enterprise 8.2.4 with a deployment server pushing out our apps/configs to the forwarders. I need to install the agent onto 100 existing Windows 2016/2019 servers. I can easily script up the MSI using MECM or the like, but I'm wondering if the Splunk deployment server can push the agent, or if it provides a PowerShell script I could hand to my server admins to do the same from the target servers?


SinghK
Builder

Deployment server can only push config to forwarders.

Use this PowerShell script:

$errorfile = "D:\Splunk\SplunkForwarderInstall.log" # Transcript log; change the path as needed. Check this file if an installation fails.
Start-Transcript -Path $errorfile -NoClobber
$csvpath = "D:\Splunk\servers.csv" # CSV with a "Name" column listing the target servers
$files = Import-Csv -Path $csvpath | Select-Object -ExpandProperty Name
$name = "SplunkForwarder" # Windows service name of the forwarder
foreach($file in $files){
    Write-Host "Starting to copy SplunkForwarder installer on $file" -ForegroundColor Green
    # defining destination and source directory
    $sourcePath = "D:\Splunk<or directory path>"
    $destPath = "\\$file\<directory path>"
    # creating folder
    New-Item -Path $destPath -ItemType Directory -Force
    # copying
    Copy-Item -Recurse -Path $sourcePath -Destination $destPath -Force
    # running setup for SF
    Write-Host "Copying installer on $file complete" -ForegroundColor Green
    Write-Host "Starting installation on $file" -ForegroundColor Green
    Invoke-Command -ComputerName $file -ScriptBlock { & cmd /c msiexec /i "<location of splunkforwarder.msi>" AGREETOLICENSE=Yes /quiet }
    Write-Host "Installation complete on $file" -ForegroundColor Green
    Write-Host "Validating install by checking if service is running. Please check the output <path to output directory D:\Splunk_install\.....blah blah>"
    $Running = Get-Service -Name $name -ComputerName $file -ErrorAction SilentlyContinue
    # deploymentclient.conf is only copied when the freshly installed service is running
    if($Running.Status -eq "Running"){
        Write-Host "SplunkForwarder service will be stopped for $file" -ForegroundColor Green
        Get-Service -Name $name -ComputerName $file | Set-Service -Status Stopped
        Write-Host "SplunkForwarder service has been stopped on $file" -ForegroundColor Green
        Write-Host "Copying deploymentclient.conf to $file" -ForegroundColor Green
        $Dest = "\\$file\c$\Program Files\SplunkUniversalForwarder\etc\system\local"
        $Source = "D:\Splunk\deploymentclient.conf" # The source directory can be any directory; update the path here accordingly
        Copy-Item -Recurse -Path $Source -Destination $Dest -Force
        Write-Host "Starting SplunkForwarder service on $file" -ForegroundColor Green
        Get-Service -Name $name -ComputerName $file | Set-Service -Status Running
        Write-Host "SplunkForwarder service has been started on $file" -ForegroundColor Green
    }

}
Stop-Transcript
 
Try and make changes where needed, like paths etc.
What this basically does is install the forwarders, copy the deploymentclient config and restart the SplunkForwarder service, and it captures logs as well so you can see errors.

shocko
Contributor

Much appreciated! Any reason you copy the deployment server config file rather than specifying the deployment server name/port in the MSI parameters? Just curious!


SinghK
Builder

No specific reason. Just my way of doing things.

If you can, please upvote this as an answer. Many thanks.

SanjayReddy
SplunkTrust

Hi @shocko 

Currently we cannot use the Splunk deployment server to install the Splunk UF on remote servers; it can only be used for deploying apps/configs to existing UFs.
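
The MSI-parameter approach asked about in this thread, as an added example that is not part of any poster's script: a local install, run from an elevated prompt on the target server, that verifies the installer before running it, passes the deployment server as the `DEPLOYMENT_SERVER` MSI property, and checks the `msiexec` exit code instead of assuming success. The paths, the `deploy.example.internal:8089` address and the expected hash are placeholders (assumptions), to be replaced with your own values.

```powershell
# Added example: run locally on the target server from an elevated prompt.
# Every default below is a placeholder (assumption), not a value from the thread.
param(
    [string]$MsiPath          = 'C:\Temp\splunkforwarder.msi',
    [string]$DeploymentServer = 'deploy.example.internal:8089',
    [string]$ExpectedSha256   = '<SHA256 published for your installer>',
    [string]$LogPath          = 'C:\Temp\SplunkForwarderInstall.log'
)
$ErrorActionPreference = 'Stop'

# 1. Refuse to run an installer that is unsigned, tampered with, or not the
#    build you expected (for example, swapped on the file share).
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${MsiPath}: $($sig.Status)"
}
$hash = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
if ($hash -ne $ExpectedSha256) {
    throw "SHA256 mismatch for ${MsiPath}: got $hash"
}

# 2. Silent install; DEPLOYMENT_SERVER makes the installer write the
#    deployment client settings, so no separate deploymentclient.conf copy.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    'AGREETOLICENSE=Yes',
    "DEPLOYMENT_SERVER=`"$DeploymentServer`"",
    '/quiet',
    '/L*v', "`"$LogPath`""      # verbose MSI log for troubleshooting
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 3. 0 = success, 3010 = success with reboot required; anything else failed.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($proc.ExitCode); see $LogPath"
}

# 4. Confirm the service exists and is running before reporting success.
$svc = Get-Service -Name 'SplunkForwarder'
if ($svc.Status -ne 'Running') {
    throw "SplunkForwarder is installed but its status is $($svc.Status)"
}
Write-Host "SplunkForwarder running; deployment server set to $DeploymentServer"
```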
