Getting Data In

windows agent msi installation string

sonicZ
Contributor

Our old msi install string does not seem to work for our manual installs with newer splunk 4.3.x agents

we used the following string on older installs, any ideas why this does not work with the automated msi installer?

msiexec.exe /i splunk-4.1.6-89596-x64-release.msi WINEVENTLOGAPPCHECK=1 WINEVENTLOGSECCHECK=1 WINEVENTLOGSYSCHECK=1 WINEVENTLOGFWDCHECK=1 WINEVENTLOGSETCHECK=1 WMICHECK_CPUTIME=1 WMICHECK_LOCALDISK=1 WMICHECK_FREEDISK=1 WMICHECK_MEMORY=1 AUTOSTARTSERVICE_SPLUNKD=1 AUTOSTARTSERVICE_SPLUNKWEB=0  SPLUNK_APP=SplunkLightForwarder FORWARD_SERVER="spfd.shared-bo.ilg1.vrsn.com:9997" LAUNCHSPLUNK=0
Tags (2)
0 Karma
1 Solution

kristian_kolb
Ultra Champion

Are you using the full splunk or the universal forwarder for 4.3.x?

From your install string above it looks like you are trying to install a full splunk as a light forwarder. It's probably better to use the universal forwarder in that case.

I believe that the following string would work for a universal forwarder and achieve what you want. For the full list of install flags, see the docs

msiexec.exe /i splunkuniversalforwarder-4.3.x-xxxxxxx-x64-release.msi 
WINEVENTLOG_APP_ENABLE=1 
WINEVENTLOG_SYS_ENABLE=1 
WINEVENTLOG_SEC_ENABLE=1 
WINEVENTLOG_SET_ENABLE=1 
WINEVENTLOG_FWD_ENABLE=1 
PERFMON=cpu, memory, network, diskspace
SERVICESTARTTYPE=auto    
RECEIVING_INDEXER="spfd.shared-bo.ilg1.vrsn.com:9997" 
LAUNCHSPLUNK=0

NOTE, if you are migrating a splunk light forwarder to a universal forwarder, you should read this as well.

Hope this helps,

Kristian

View solution in original post

kristian_kolb
Ultra Champion

Are you using the full splunk or the universal forwarder for 4.3.x?

From your install string above it looks like you are trying to install a full splunk as a light forwarder. It's probably better to use the universal forwarder in that case.

I believe that the following string would work for a universal forwarder and achieve what you want. For the full list of install flags, see the docs

msiexec.exe /i splunkuniversalforwarder-4.3.x-xxxxxxx-x64-release.msi 
WINEVENTLOG_APP_ENABLE=1 
WINEVENTLOG_SYS_ENABLE=1 
WINEVENTLOG_SEC_ENABLE=1 
WINEVENTLOG_SET_ENABLE=1 
WINEVENTLOG_FWD_ENABLE=1 
PERFMON=cpu, memory, network, diskspace
SERVICESTARTTYPE=auto    
RECEIVING_INDEXER="spfd.shared-bo.ilg1.vrsn.com:9997" 
LAUNCHSPLUNK=0

NOTE, if you are migrating a splunk light forwarder to a universal forwarder, you should read this as well.

Hope this helps,

Kristian

sonicZ
Contributor

Kristian, our IT guys were using older pre-universal forwarder clients for a while. I was looking for the updated strings to use for the universal forwarder. Thanks for the link to the docs didnt catch that.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...