Splunk Enterprise

How to specify an index when deploying the Splunk Universal Forwarder on a Windows domain?

DashZentin
Explorer

I plan to deploy the Splunk UF across all my Windows client PCs using SCCM. But I'm confused about the index settings. I want to send all the data to a specific index but when the UF installs it just defaults to the main index.

Is there a way to specify the index during installation? As I don't want data going to main before I change it.

0 Karma

Wander
Path Finder

This is super easy to do, but you'll need to have your apps set up right on the deployment server. There you would create an app that has the index location, and then the right inputs.conf containing the stanzas to pull the Windows info and what index it should go to.

How you structure the apps is up to you. The important piece is getting them set up on the deployment server.

Then when you install the UF on the Windows hosts, use SCCM and only give the msiexec installer command the address of the deployment server. Don't put in an indexer here.

When the agent loads, the hosts will check into the deployment server, pull the right apps, provided you've got it set right, and all your data will go where you want it out of the gate and not hit main.

livehybrid
SplunkTrust

Hi @DashZentin 

You cannot change the index used for the Windows inputs as part of the installation process, however you could run the MSI with 'LAUNCHSPLUNK=0' and then modify the inputs.conf once the package is installed before then starting the Splunk forwarder service to complete the installation.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
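
The sequence livehybrid describes (install with LAUNCHSPLUNK=0, edit inputs.conf, then start the service), as an added PowerShell example that is not part of the original thread or Splunk's own tooling. The MSI path, index name and app name are placeholders, and the two WinEventLog stanzas are an assumed choice of inputs.

```powershell
# Added example, not from the thread. Placeholder values are marked below.
$Msi       = 'C:\Temp\splunkforwarder.msi'   # placeholder: path to the UF MSI
$Index     = 'win_clients'                   # placeholder: index must already exist on the indexers
$AppName   = 'org_win_inputs'                # hypothetical app name
# Default install dir; assumes the script runs in a 64-bit PowerShell host.
$SplunkDir = Join-Path $env:ProgramFiles 'SplunkUniversalForwarder'

# 1. Silent install; LAUNCHSPLUNK=0 leaves the forwarder service stopped.
#    The forwarding target (deployment server or outputs.conf) is configured separately.
$msiArgs = @('/i', "`"$Msi`"", 'AGREETOLICENSE=Yes', 'LAUNCHSPLUNK=0', '/quiet', '/norestart')
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed: exit code $($proc.ExitCode)" }

# 2. Write inputs.conf into its own app so every stanza names the index explicitly.
$localDir  = Join-Path $SplunkDir "etc\apps\$AppName\local"
$inputsCfg = Join-Path $localDir 'inputs.conf'
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
$inputs = @"
[WinEventLog://Security]
disabled = 0
index = $Index

[WinEventLog://System]
disabled = 0
index = $Index
"@
Set-Content -Path $inputsCfg -Value $inputs -Encoding ASCII

# 3. Refuse to start if any stanza lacks the expected index line.
$lines   = Get-Content -Path $inputsCfg
$stanzas = @($lines | Where-Object { $_ -match '^\[' }).Count
$indexed = @($lines | Where-Object { $_ -match "^index\s*=\s*$([regex]::Escape($Index))\s*$" }).Count
if ($stanzas -eq 0 -or $stanzas -ne $indexed) {
    throw "inputs.conf: $stanzas stanzas but $indexed index lines for '$Index'"
}

# 4. Only now start the forwarder, so nothing is collected with the default index.
Start-Service -Name SplunkForwarder
```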