How to distribute splunk.secret to Windows Heavy Forwarders

mas
Path Finder

Hello guys,

We are going to install two Heavy Forwarders on Windows 2012 R2 servers. The remaining instances of Splunk, which build up our distributed architecture, are running on SLES.

As usual, according to best practices, I was trying to distribute our "master" splunk.secret file to new Heavy Forwarders hosted on Windows servers.

I tried to install Splunk using the following command line:

msiexec.exe /i splunk-<...>-x64-release.msi AGREETOLICENSE=Yes WEB_PORT= DEPLOYMENT_SERVER="" LAUNCHSPLUNK=0 INSTALL_SHORTCUT=0

As expected, the "splunkd" service did not start when installation finished, but unluckily a new splunk.secret was automatically created and contents were encrypted using it.

So I tried an interactive installation with only the "LAUNCHSPLUNK=0" flag and I monitored the file system: I noticed that the splunk.secret and the encrypted files are created at the same exact time, before the service is started.

QUESTION: is it possible to install Splunk on Windows without the creation of a new splunk.secret and the subsequent encryption of data with it, in the same way it is possible in Linux?

Thank you!

0 Karma
1 Solution

cmutt78
Explorer

I got it to work, but it took a little digging. My command was:

msiexec.exe /i splunk-6.5.1-f74036626f0c-x64-release.msi AGREETOLICENSE=Yes DEPLOYMENT_SERVER="server:8089" LAUNCHSPLUNK=0 INSTALL_SHORTCUT=0 INSTALLDIR="D:\Program Files\Splunk"

When the install completed, Splunk was not started but as you mention there was a splunk.secret that encrypted a single entry for sslPassword in the server.conf. I sync'd that entry with the system where my splunk.secret came from and I now have it working.

Hope this helps.

mas
Path Finder

Thank you cmutt78, your solution is working.

By the way: there is some additional, useful information at this link: https://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine (this is specific for multiple Splunk instances on the same box).

0 Karma
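
The post-install steps from the accepted solution, as an added PowerShell example that is not part of the original thread: it swaps the installer-generated splunk.secret for the master copy and syncs the sslPassword entry in server.conf. The parameter names are hypothetical, and the file locations under the install directory, the service name and the `$<digit>$` prefix used to spot encrypted values are assumptions.

```powershell
# Added example (not from the thread). Run elevated after an install with
# LAUNCHSPLUNK=0 and before splunkd is started for the first time.
param(
    [string]$SplunkHome = 'D:\Program Files\Splunk',      # INSTALLDIR from the post
    [Parameter(Mandatory)][string]$MasterSecret,          # hypothetical: local copy of the master splunk.secret
    [Parameter(Mandatory)][string]$SourceSslPassword      # hypothetical: sslPassword value from the source system's server.conf
)
$ErrorActionPreference = 'Stop'

# Assumed default layout under the install directory.
$secretPath = Join-Path $SplunkHome 'etc\auth\splunk.secret'
$serverConf = Join-Path $SplunkHome 'etc\system\local\server.conf'

# Do not swap the secret under a running instance.
$svc = Get-Service -Name splunkd -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') { throw 'splunkd is running; stop it first.' }

# Keep the installer-generated files so the change can be rolled back.
$stamp = Get-Date -Format 'yyyyMMddHHmmss'
Copy-Item -LiteralPath $secretPath -Destination "${secretPath}.${stamp}.bak"
Copy-Item -LiteralPath $serverConf -Destination "${serverConf}.${stamp}.bak"

# Replace the generated secret with the master one and confirm the copy.
Copy-Item -LiteralPath $MasterSecret -Destination $secretPath -Force
if ((Get-FileHash -LiteralPath $secretPath).Hash -ne (Get-FileHash -LiteralPath $MasterSecret).Hash) {
    throw 'splunk.secret does not match the master copy.'
}

# Sync sslPassword with the source system. Any other value that looks
# encrypted ($<digit>$ prefix, an assumption about Splunk's format) was
# written with the discarded secret and is reported for manual review.
$stale = @()
$out = foreach ($line in Get-Content -LiteralPath $serverConf) {
    if ($line -match '^\s*sslPassword\s*=') {
        "sslPassword = $SourceSslPassword"
    } else {
        if ($line -match '^\s*(\S+)\s*=\s*\$\d\$') { $stale += $Matches[1] }
        $line
    }
}
# WriteAllLines emits UTF-8 without a byte-order mark.
[System.IO.File]::WriteAllLines($serverConf, [string[]]$out)

if ($stale) { Write-Warning "Encrypted with the old secret, re-enter before start: $($stale -join ', ')" }
Write-Output "Secret and sslPassword synced; backups carry the suffix .$stamp.bak"
```

Pass the sslPassword value in single quotes so PowerShell does not expand the `$` characters in it.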
