Deploying Splunk Light Forwarders

From Splunk Wiki

Jump to: navigation, search

Installation and Deployment of Splunk and Universal Light Forwarders


This document describes how to perform base installation of a Light or Universal Forwarder agent that is managed by the Splunk Deployment Server. As such, the base installation will contain no specialized configuration other than the location of the Splunk Deployment Server. Further configuration of the Light Forwarder will be performed via the Splunk Deployment Server and is out of the scope of this document. It is intended that the instructions for a single instance can be generalized or scripted to run over many Splunk Forwarder hosts using deployment management or scripting. As much as possible, there are no server-specific steps involved in the installation, so a mass deployment can be performed by executing identical installation steps on each host. Access control, security, authentication, and other similar requirement for installing Light Forwarders must be addressed by the deployment management or scripting process, and are not addressed by these instructions. A key complement to this document is a package of Light Forwarder configuration files that provides the minimal non-specialized configuration. This document is incomplete without a valid Light Forwarder configuration file package, as it encapsulates and includes many basic operations that would otherwise need to be performed in addition to the described steps. The high-level steps for all platforms are:

  1. Unpack/install the base Splunk files
  2. Unpack the Light or Universal Forwarder configuration files as necessary
  3. Set Splunk to run at system boot if necessary
  4. Start Splunk for the first time

Environment-specific adjustments

It is intended that all scripts, processes, and other installation steps should be independent of the environment in which Splunk is run. Differences in Splunk environment are intended to be addressed entirely by modifications to the Light Forwarder configuration files. This package is a key complement to this document, and is required for any of these instructions to work correctly. Most of these will not need to be changed, other than:

  • splunk/etc/deploymentclient/local/deploymentclient.conf

This should be edited to indicate the correct host or IP and port of the Splunk Deployment Server. Note that other deployment client settings (such as phoneHomeIntervalInSecs) should not be set or edited here, but instead pushed out from the Deployment Server via a different app. (The recommended name for this app is “deploymentclient-settings”, and it is intentionally not otherwise addressed by this document or the Light Forwarder configuration package.)

  • splunk/etc/forwarder_base/local/web.conf

This should be edited if necessary to ensure that a default Splunkd management TCP port is set such that there is no possibility of TCP port conflict on any forwarder host. Note that the default base Splunkd port, 8089, is used by default by WebLogic Server for its management port, but in most environments the default Splunkd port is unlikely to be otherwise occupied.

Unix and Linux

Assuming that Splunk is to be installed to “/opt/splunk” and that it is to run as a user named “splunkuser”, then running the following script steps as the account “splunkuser” will install and start the forwarder:

  1. tar -C /opt -xvf splunk-4.1.5-85165-Linux-x86_64.tgz
  2. tar -C /opt/splunk -xvf splunk-forwarder-package.tgz
  3. sudo /opt/splunk/bin/splunk enable boot-start -user splunkuser --accept-license --answer-yes --no-prompt
  4. /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt

If “sudo” is not available, other means to execute the relevant step as root will be required to enable the forwarder to run at system startup. If other means of ensuring the startup of the Splunk service as used, this step should be omitted or appropriately modified.

Microsoft Windows

A Windows CMD script is provided to perform the installation. The script should be edited to use the correct Splunk version MSI installation package paths. The CMD script, the Splunk base MSI packages, and the unpacked Light Forwarder configuration file directory should reside in the same directory, and the CMD file should be run from that path. Please refer to if additional background information is desired.


Personal tools
Hot Wiki Topics

About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk