
Non-Domain Environment

geelsu
New Member

I have Splunk at work and am new to it, so I want to learn as much as I can. I installed it at home on my Windows 7 PC and I installed the Forwarder on another Windows 7 PC. Can I use Splunk in this non-domain environment? I'd like the other PC to forward events so I can learn how to search and interpret both localhost data as well as remote data.


Richfez
SplunkTrust

Yes, absolutely. I have several such setups.

On your "main" full install of Splunk, go to Settings and then Forwarding and Receiving. Down in the "Receive data" section, click "Configure receiving" and make sure you are listening on 9997 for data. If you don't see that, or don't see that port set up, follow the instructions in the first 3 (small and easy) sections in the docs for setting up receiving. I don't have an "unconfigured" Splunk system available to see exactly what it looks like if you don't have receiving set up.

Also make sure you can get to and see data with a search like "index=*" from "http://localhost:8000" on that machine.

Once that's working I would - for the sake of being easy and certain - go to your universal forwarder ("UF") machine and uninstall the SplunkUniversalForwarder. Check C:\Program Files\ afterward for a SplunkUniversalForwarder folder and if you find one, delete it. We're going to reinstall with the setting enabled to forward that machine's logs to your "main" Splunk server, and enable some extra logs while we're at it.

To do so, download the latest UF again for your version of Windows from the Forwarder download page and double-click it to install. This time through the installer, follow along with the "UF install on Windows" page in the docs, using a "Customize Options" install. In the Customize Options, you'll want to leave most things at their default; I'll repeat all the pertinent steps from their instructions here:

1. Download, double-click, blah blah, we know that part.
2. Select the "Check this box to accept the License Agreement" check box and click the "Customize Options" button at the bottom.
3. Leave the path the same and click Next.
4. Ignore the SSL settings and click Next.
5. Leave it at Local System and click Next.
6. For Windows inputs, select all the Event Log ones and all the Performance Monitors and click Next.
7. Let it install the included Splunk Add-on for Windows and click Next.
8. Leave the Deployment Server blank and click Next.
9. Change the Receiving Indexer to your main Splunk's IP:9997 (like 192.168.0.51:9997) and click Install.

Give that a bit to finish, and another few minutes and you should start seeing TWO hosts in your index=* search!
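The answer above enables receiving on the indexer, reinstalls the UF pointed at IP:9997, and then waits for a second host to appear. The PowerShell below is an added example, not code from the thread or from Splunk, that checks each link in that chain: TCP reachability of the receiving port from the UF host, a Windows Firewall rule on the indexer scoped to the forwarder's address (rather than opening 9997 to every source), and the UF service plus its configured and active forward targets. It uses the indexer address 192.168.0.51 from the answer; the forwarder address 192.168.0.52, the `SplunkForwarder` service name and the default install path are assumptions. `netsh advfirewall` and `System.Net.Sockets.TcpClient` are used instead of `New-NetFirewallRule` and `Test-NetConnection` because the latter two are not available on Windows 7.

```powershell
# Added example (not part of the original thread): lab checks for a UF -> indexer link.
# Assumed addresses: indexer 192.168.0.51 (from the answer), forwarder 192.168.0.52.
# Run Test-SplunkReceiver and Get-SplunkForwarderStatus on the UF host;
# run Add-SplunkReceivingFirewallRule on the indexer host in an elevated prompt.

function Test-SplunkReceiver {
    param(
        [string]$Indexer   = '192.168.0.51',
        [int]   $Port      = 9997,
        [int]   $TimeoutMs = 3000
    )
    # Plain TCP connect with a timeout; works on PowerShell 2.0 (Windows 7).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Indexer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return "${Indexer}:${Port} - timed out (receiving not enabled, or firewall on the indexer)"
        }
        $client.EndConnect($async)
        return "${Indexer}:${Port} - reachable"
    } catch {
        return "${Indexer}:${Port} - refused or unreachable: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

function Add-SplunkReceivingFirewallRule {
    param(
        [string]$ForwarderIp = '192.168.0.52',   # assumed UF address
        [int]   $Port        = 9997
    )
    # Inbound allow on the receiving port, limited to the forwarder's address.
    # netsh advfirewall exists on Windows 7; New-NetFirewallRule does not.
    netsh advfirewall firewall add rule `
        name="Splunk receiving $Port from $ForwarderIp" `
        dir=in action=allow protocol=TCP localport=$Port remoteip=$ForwarderIp
}

function Get-SplunkForwarderStatus {
    param(
        [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # default install path
    )
    $svc = Get-Service -Name SplunkForwarder -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'SplunkForwarder service not installed' }

    # The installer writes the "Receiving Indexer" value into outputs.conf as server=host:port.
    $outputs = Join-Path $SplunkHome 'etc\system\local\outputs.conf'
    if (Test-Path $outputs) {
        $target = Get-Content $outputs | Where-Object { $_ -match '^\s*server\s*=' }
    } else {
        $target = '(no outputs.conf found)'
    }

    # "splunk list forward-server" reports active vs. configured-but-inactive targets;
    # it may prompt for the UF's own admin credentials.
    $active = & (Join-Path $SplunkHome 'bin\splunk.exe') list forward-server

    # New-Object PSObject keeps this usable on PowerShell 2.0.
    return New-Object PSObject -Property @{
        Service          = $svc.Status
        ConfiguredTarget = $target
        ForwardServer    = $active
    }
}

# Usage, from the UF host:
Test-SplunkReceiver -Indexer '192.168.0.51' -Port 9997
Get-SplunkForwarderStatus
```

If `Test-SplunkReceiver` times out but `splunk.exe` on the indexer shows receiving enabled, the firewall on the indexer is the usual cause, which matches the one extra step reported later in this thread. On the indexer side, the search `index=_internal source=*metrics.log* group=tcpin_connections` lists the forwarders that have connected, which confirms the link even before the forwarded Event Log data shows up in `index=*`. Step 4 above skips SSL, so in this setup the UF-to-indexer stream is unencrypted; that is acceptable on an isolated home LAN, and the receiving port and forwarder should be configured with TLS before the same pattern is used on any shared network.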

geelsu
New Member

You know, rich7177, if documentation, man pages, how-to guides, and such were as well written and thorough as what you composed, our tech lives would be so much more rewarding and so much less complicated. Thank you for such an excellent guide. The only thing I did extra was open port 9997 on the firewall of my Splunk server. I now have two hosts showing up.

Thank you so much.

Richfez
SplunkTrust

You are welcome!

I must admit I pulled most of those steps right out of their own documentation; they even include screenshots.

Though Splunk is an awesome product that does wonderful things, I think what really sets it apart is the quality of the documentation and the community that surrounds it.

Stop back if you have more questions!

piebob
Splunk Employee

If Rich's answer solved your problem, be sure to "accept" his answer! Thanks 🙂
