I'm running Splunk Universal Forwarder with a Splunk Enterprise deployment. On a new install, all information is populating correctly into the Splunk App for Windows Infrastructure, including the Windows Update history. However, for forwarders that previously had Splunk installed from the last Enterprise installation, this information is not being reported to the indexer. The apps are deploying correctly, and are receiving information, but are missing this tidbit (and maybe a few others, I have not dug in too much yet). What I have done is uninstalled the Unifersal Forwarder 6.6.4 both through the Control Panel and by right clicking on the Installer. However, in both of these circumstances a lot of registry keys mentioning "Splunk" and "UniversalForwarder" are left over. I believe one of these keys is the culprit to my installation problems. Does anyone have a suggestion as how to completely remove Splunk keys from the registry upon uninstalling? ... View more

I had installed the Universal Forwarder 6.5.1 a while back and set it to connect to a deployment server / Splunk instance. All I wanted it to do was be a forwarder. However, upon a Nessus scan of the host, I see that it also has the following server roles: deployment_client and license_master, as well as a web interface running on 8089. Is this a standard thing, or did I do something incorrectly? In add/remove programs it is showing installed as "UniversalForwarder". URL : https://windowshost.mydomain.com:8089/ Version : 6.5.1 License : Enterprise Management API : 1 Server Roles : - deployment_client - license_master - universal_forwarder ... View more