For MCS, the biggest challenge is creating unique GUIDs for machines in the catalog under instance.cfg. Follow the procedure mentioned below:

1. Create the master image and install the Splunk forwarder.
2. Stop the Splunk Forwarder service and mark it as disabled under services.msc.
3. Run the clone-prep-clear-config command as described in the following link: Integrate a universal forwarder onto a system image | Splunk Docs
4. Create a scheduled task to run at system startup; under actions, point to a PowerShell script with the following content (make sure the execution policy for PowerShell is set correctly so the script can run):

    # Paths
    $CfgPath = "C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg"

    # Use hostname as deterministic identity
    $hostname = $env:COMPUTERNAME.ToUpper()

    # Generate SHA-256 hash
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($hostname)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha256.ComputeHash($bytes)

    # Create a proper strongly-typed byte array (16 bytes for GUID)
    [byte[]]$guidBytes = $hash[0..15]

    # Cast to byte[] manually to avoid argument expansion
    $guid = [System.Guid]::new($guidBytes)

    # Ensure directory exists
    $folder = Split-Path $CfgPath
    if (!(Test-Path $folder)) {
        New-Item -ItemType Directory -Path $folder -Force | Out-Null
    }

    # Write instance.cfg
    $content = "[general]`nguid = $guid"
    Set-Content -Path $CfgPath -Value $content -Force

    # Configure the service startup type for Splunk Forwarder service as Automatic and start it
    Set-Service -Name "SplunkForwarder" -StartupType Automatic
    Start-Service -Name "SplunkForwarder"

5. Shut down the machine and create a snapshot.
6. Create a non-persistent MCS catalog using this snapshot.

Each machine will generate a separate GUID, and the GUID will persist over reboots.
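To check the result of the procedure above, the following added example (not part of the original post) recomputes the hostname-derived GUID, compares it with the value in instance.cfg, and checks a list of planned machine names for GUID collisions. The function names and the sample machine names are assumptions made up for this example.

```powershell
# Added example: audit helper for the hostname-derived GUID scheme above.
function Get-ExpectedForwarderGuid {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Same derivation as the startup script: SHA-256 of the upper-cased
    # hostname, first 16 bytes passed to the Guid(byte[]) constructor.
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($ComputerName.ToUpper())
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try { [byte[]]$guidBytes = $sha256.ComputeHash($bytes)[0..15] }
    finally { $sha256.Dispose() }
    [System.Guid]::new($guidBytes)
}

function Get-InstanceCfgGuid {
    param([Parameter(Mandatory)][string]$Path)
    # Read the "guid = <value>" line written under the [general] stanza.
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*guid\s*=\s*(\S+)\s*$') {
            $parsed = [System.Guid]::Empty
            if ([System.Guid]::TryParse($Matches[1], [ref]$parsed)) { return $parsed }
            throw "instance.cfg contains a malformed guid: $($Matches[1])"
        }
    }
    throw "No guid entry found in $Path"
}

# 1. On a catalog machine: does instance.cfg match this hostname?
$cfg = "C:\Program Files\SplunkUniversalForwarder\etc\instance.cfg"
if (Test-Path $cfg) {
    $expected = Get-ExpectedForwarderGuid -ComputerName $env:COMPUTERNAME
    $actual   = Get-InstanceCfgGuid -Path $cfg
    if ($actual -eq $expected) { "OK: $actual matches $env:COMPUTERNAME" }
    else { Write-Warning "GUID $actual does not match expected $expected" }
}

# 2. Before provisioning: check planned machine names for colliding GUIDs.
# Constructed sample names; the last two differ only in case, and because the
# derivation upper-cases the hostname they map to the same GUID.
$planned = 'VDI-POOL-001', 'VDI-POOL-002', 'vdi-pool-002'
$planned | ForEach-Object {
        [pscustomobject]@{ Name = $_; Guid = Get-ExpectedForwarderGuid -ComputerName $_ }
    } | Group-Object Guid | Where-Object Count -gt 1 | ForEach-Object {
        Write-Warning "Same GUID for: $($_.Group.Name -join ', ')"
    }
```

Because the Guid(byte[]) constructor reads the first three fields as little-endian integers, the GUID string is not a straight hex dump of the first 16 hash bytes; comparing Guid objects, as done here, avoids that mismatch.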