• Read This First
  • System requirements
    • Host operating system
    • Client operating system / browser (for access to Splunk Web)
    • Hardware capacity requirements
    • Supported server hardware architectures
    • Supported file systems
    • Storage and performance notes
• Step by Step Installation
  • Before you install
    • Installing as root
    • Running Splunk on Windows
    • Disabling update checker
    • What ports Splunk uses
    • What gets installed
    • Advanced installation topics
  • AIX installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • FreeBSD installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Linux installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Mac OS installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Solaris installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Windows installation
    • Install Splunk
    • Start Splunk
    • Launch Splunk in a Web browser
    • Install or upgrade license
    • Uninstall Splunk
  • Startup options
    • Add Splunk to your shell path
    • Start Splunk
    • Start individual processes
    • Start help
    • Open Splunk in a Web browser
  • License management
    • Access your license
    • Install via Splunk Web
    • Install via CLI
    • First login after applying new trial/Enterprise license
    • License violations
• Install Splunk Toolbar
  • Install Splunk toolbar for Firefox
    • Install from download page
    • Install from Splunk server
    • Uninstall Splunk Toolbar
  • Install Splunk toolbar for Internet Explorer (beta)
    • Install from download page
    • Install from Internet Explorer
    • Uninstall Internet Explorer toolbar
• Advanced Installation Topics
  • Configure Splunk before startup
    • To start at boot time
    • To bind to an IP
  • Run Splunk as non-root user
    • Instructions
    • Solaris 10 privileges
  • Disable update checker
  • Install Splunk for lightweight forwarding
  • Install a forward-only Splunk instance on Windows
    • Overview:
  • Configure SELinux
  • Uninstall Splunk manually
• Upgrade Instructions
  • Upgrade and migrate to 3.3 and later
  • Upgrade Splunk on Windows
    • Start Splunk
  • Migration considerations
    • Users of LDAP on MacOSX Leopard should back up ldap.conf before upgrading via DMG to 3.4
    • Bundles/configuration directory structure changed and renamed
    • Scripts in /splunk/bin may not be saved
    • Saved searches and search operators
    • Changes to indexes.conf
    • Must upgrade all instances of Splunk in a distributed environment
    • Instances of Splunk deployment server must match clients
  • Migrate your Windows saved searches to 3.3.x and later
    • Run the migration script
    • What has changed
  • Migrate bundles to new application directory structure
    • Things to consider
    • Run the migration script
• Help
  • Getting Help
    • Accessing help in Splunk Web
    • Accessing help in the command line (CLI)
    • How can I learn more about Splunk's advanced features?
    • I lost my Splunk.com password. What do I do?
    • How do I report problems?
    • How can I make suggestions?
    • I have some questions that aren't answered here. Where can I get help?
• Reference
  • File Manifest
  • PGP Public Key
    • Installing the key

Install a forward-only Splunk instance on Windows

This procedure explains how to install a Splunk forwarder on Windows.

What you need:

• Forwarder license
• Admin Level access to Server being configured
• Network share to house install files

Before you start:

• Create a network share (\\sharingserver\splunk).
• Place the Splunk MSI file into that share.
• Place a copy of your forwarder license file there as well (name it splunk.license).

Overview:

Rather than having to manually configure this all via the GUI, this process limits the GUI interaction to only the installation of the Splunk MSI file. The following commands can be executed via the CMD shell.
Note: Substitute the exact filename of the Splunk MSI file that you are using for <splunk version>.

"\\sharingserver\splunk\<splunk version>.msi"

This starts the installation of the server.
Click through the screens as described in the installation documentation and choose the appropriate options for your installation. At the end of the install, allow splunkd to start but don't start Splunk Web.

Next, copy the license file and restart splunkd:

copy "\\sharingserver\splunk\splunk.license" "c:\program files\splunk\etc\splunk.license"
"c:\program files\splunk\bin\splunk.exe" restart splunkd

At this point, Splunk will behave like a licensed version and that means that the admin password will have changed.
Change the password to something else. This procedure uses "somethingsensible" throughout the rest of the commands.

This resets the password to 'somethingsensible':

"c:\program files\splunk\bin\splunk.exe" edit user admin -password somethingsensible -auth admin:changeme

This adds a forward-server called 'splunk.yourcompany.com' that listens on port 9997:

"c:\program files\splunk\bin\splunk.exe" add forward-server splunk.yourcompany.com:9997 -auth admin:somethingsensible

This sets the server you're configuring to be a forward only server:

"c:\program files\splunk\bin\splunk.exe" set server-type forwarder -auth admin:somethingsensible

This disables the Splunk Web server:

"c:\program files\splunk\bin\splunk.exe" disable webserver -auth admin:somethingsensible

This restarts splunkd:

"c:\program files\splunk\bin\splunk.exe" restart splunkd -auth admin:somethingsensible