Author: Ryan Faircloth
Summary: Rapid deployment of the universal forwarder in a production environment is possible with minimal risk for the customer. The universal forwarder can be installed at any time without impact to the production system and without a reboot. One caution: if an earlier MSI installation has left a pending reboot on the system, installing the Splunk universal forwarder (or any other MSI) may cause the SCCM client to trigger that reboot.
[TOC]
Overview
This guide will deploy the universal forwarder to all servers with a supported version of the Microsoft Windows Server operating system.
- Create a new folder to contain Splunk related collections
- Create one or more collections containing all systems which should receive the universal forwarder
- Create a collection containing all systems where any version of the universal forwarder has been deployed
- Create an application definition to deploy the universal forwarder without configuration
- Create an application definition to deploy an upgrade to the universal forwarder without configuration
- Create a package containing a PowerShell script to configure the universal forwarder
- Deploy the configuration script using a task sequence
Prerequisite Steps
| Task | Responsible |
|---|---|
| Create CNAME for Deployment Server | DNS Admin |
| Install Splunk Enterprise on Server | Splunk Admin |
| Configure Splunk Instance as Deployment Server | Splunk Admin |
Step by Step
Create the deployment collection folder
- Navigate to Device Collections
- Right click and choose Create new folder
- Name the new folder “Splunk Universal Forwarders”
- Navigate to the new folder
Create a collection for deployment
- Right click and choose “Create New Device Collection”
- Name the collection “Splunk Deployment Collection for Servers”
- Select “All Desktop and Server Clients” as the limiting collection

- Click Next
- Click Add to define the criteria used to determine which devices will receive the Universal Forwarder
- Click Query
- Name the Query “Server OS”
- Click Edit
- Click Show query language
- Enter the following query (WQL; `ProductType` 2 is a domain controller and 3 a member server, so workstations are excluded):
```sql
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_OPERATING_SYSTEM.ProductType = 2
or SMS_G_System_OPERATING_SYSTEM.ProductType = 3
```
- Click OK
- Click OK again
- Check “Use incremental updates for this collection”
- Click Next
- Click Next
- Click Close
> Note: the collection will contain zero members until the update collection background task completes
Create a collection of all successfully deployed universal forwarders
- Right click and choose “Create New Device Collection”
- Name the collection “Splunk Deployment Collection for Deployed Forwarders”
- Select “All Desktop and Server Clients” as the limiting collection
- Click Next
- Click Add to define the criteria used to determine which devices have already received the Universal Forwarder
- Click Query
- Name the query, for example “Deployed Forwarders”
- Click Edit
- Click Show query language
- Enter the following query (the three inventory conditions are combined with `or`; a 64-bit install is registered only in the 64-bit Add/Remove Programs class, so requiring both classes with `and` would never match):
```sql
select
SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_INSTALLED_SOFTWARE on SMS_G_System_INSTALLED_SOFTWARE.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId
where
SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "UniversalForwarder"
or SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "UniversalForwarder"
or SMS_G_System_INSTALLED_SOFTWARE.ProductName = "UniversalForwarder"
order by SMS_R_System.Name
```
- Click OK
- Click OK again
- Check “Use incremental updates for this collection”
- Click Next
- Click Next
- Click Close
> Note: the collection will contain zero members until the update collection background task completes. With inner joins a device must have at least one row in every joined class; `SMS_G_System_INSTALLED_SOFTWARE` is only populated when the Asset Intelligence Installed Software hardware inventory class is enabled, so remove that join if you do not inventory it. Membership is also only as current as the last hardware inventory cycle.
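The same two collections can be created from the ConfigurationManager PowerShell module that ships with the console, which is less error-prone than clicking through the wizard twice and makes the membership queries reviewable. This is an added example and not code from the original post; it assumes site code `P01`, a host with the console installed, and that the “Splunk Universal Forwarders” folder has already been created under Device Collections as in the steps above. The deployed-forwarders rule deliberately leaves out the `SMS_G_System_INSTALLED_SOFTWARE` join, which only returns rows when the Asset Intelligence inventory class is enabled.

```powershell
# Added example (not from the original post): build the two Splunk collections with the
# ConfigurationManager module. Assumptions: site code P01, console installed on this host,
# and the "Splunk Universal Forwarders" folder already created in the console.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = "P01"                                   # assumption: replace with your site code
Set-Location "$($SiteCode):"

$Limiting = "All Desktop and Server Clients"
$Folder   = "$($SiteCode):\DeviceCollection\Splunk Universal Forwarders"

# Rule 1: inventoried OS reports ProductType 2 (domain controller) or 3 (member server)
$ServerOsQuery = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_OPERATING_SYSTEM.ProductType = 2 or SMS_G_System_OPERATING_SYSTEM.ProductType = 3
"@

# Rule 2: forwarder registered in either Add/Remove Programs view. The conditions are joined with
# "or" because a 64-bit MSI appears only in the _64 class. SMS_G_System_INSTALLED_SOFTWARE is
# left out: it is populated only when the Asset Intelligence inventory class is enabled.
$DeployedQuery = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "UniversalForwarder"
   or SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "UniversalForwarder"
"@

function New-SplunkCollection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][string]$Query
    )
    $coll = Get-CMDeviceCollection -Name $Name
    if (-not $coll) {
        # RefreshType Continuous is the "Use incremental updates for this collection" checkbox
        $coll = New-CMDeviceCollection -Name $Name -LimitingCollectionName $Limiting -RefreshType Continuous
        Move-CMObject -FolderPath $Folder -InputObject $coll
    }
    # Adding a rule whose name already exists on the collection is an error, so add it only once
    $existing = Get-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $RuleName
    if (-not $existing) {
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $RuleName -QueryExpression $Query
    }
    return $coll
}

New-SplunkCollection -Name "Splunk Deployment Collection for Servers" -RuleName "Server OS" -Query $ServerOsQuery
New-SplunkCollection -Name "Splunk Deployment Collection for Deployed Forwarders" -RuleName "Deployed Forwarders" -Query $DeployedQuery
```

Run it from a console host with rights to the site; the function is safe to re-run because it looks up the collection and the rule before creating either. As with the wizard, both collections stay empty until the collection evaluator has run, and the deployed-forwarders collection only reflects the last hardware inventory cycle.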
Create Application Definitions
Download both the 32-bit and 64-bit versions of the Splunk Universal Forwarder into the source folder structure used for SCCM deployment applications. Do this for all versions currently deployed as well as the new version to be deployed.
In general the locations follow the pattern:
```text
\\servername\source\vendor\product\version\bitness
\\servername\source\Splunk\UniversalForwarder\6.2.3\x86
```
Create the application definition for the oldest deployed version of the Universal Forwarder first.
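Whatever is placed on that source share is what every server in the collection will execute as SYSTEM, so it is worth checking the staged MSI before it is referenced by an application definition. The following is an added example, not part of the original post: it verifies the Authenticode signature of the staged file and compares its SHA-256 hash with the value published on the vendor download page. The share path, file name, expected hash and the signer-name substring are placeholders to adapt.

```powershell
# Added example (not from the original post): verify a staged Universal Forwarder MSI before it
# is used as SCCM application content. Assumptions: path, file name and expected hash are
# placeholders; the signer check looks for "Splunk" in the certificate subject.
function Test-StagedMsi {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,   # copy from the vendor download page
        [string]$ExpectedSigner = "Splunk"               # substring expected in the signer subject
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    $result = [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status                    # anything other than Valid is a failure
        Signer          = $sig.SignerCertificate.Subject
        Sha256          = $hash
        HashMatches     = ($hash -ieq $ExpectedSha256)
        Ok              = $false
    }
    # All three must hold: a valid signature, the expected signer, and the published hash
    $result.Ok = ($sig.Status -eq 'Valid') -and
                 ($result.Signer -like "*$ExpectedSigner*") -and
                 $result.HashMatches
    return $result
}

# Usage: check the copy on the share, not the download, so the content SCCM will distribute is
# what gets verified. Paths and the hash below are assumptions.
$msi   = "\\servername\source\Splunk\UniversalForwarder\6.2.3\x64\splunkforwarder-x64.msi"
$check = Test-StagedMsi -Path $msi -ExpectedSha256 "<sha256 from the Splunk download page>"
if (-not $check.Ok) {
    $check | Format-List
    throw "Refusing to use $msi as application content"
}
```

A `HashMismatch` status means the file was altered after signing; `NotSigned` means the download is not what the vendor ships. Keep the published hash in the change record for the application definition so the check can be repeated later, and restrict write access to the source share to the people who are allowed to run code on every server in the collection.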
- Navigate to Applications in the Software Library screen
- Right click and create a new folder for Splunk definitions
- Right click on the new folder and choose Create New Application
- Locate the 64 bit MSI for this product version

- Click Next
- Click Next again
- Update the definition with the following information
- Name (include the version number and bitness, e.g. Universal Forwarder 6.2.3 (x64))
- Publisher
- Version
- Update the command line by removing “/q” and appending “/quiet AGREETOLICENSE=Yes”
Note: it is very important that /q is replaced by /quiet, and AGREETOLICENSE=Yes is required for an unattended install
- Click Next
- Click Next
- Click Close
- Right click on the new application definition and click properties
- Select the deployment type tab
- Select the first deployment and click edit
- Select the program tab
- Update the uninstall command, replacing /q with /quiet
- Click the third Browse button (next to Product code) and select the MSI so the product code is read from it
- Click Requirements
- Click Add
- Select Category = Device, Condition = Operating system, and tick the supported 64-bit operating systems
- Create any additional requirements appropriate for your environment, such as free memory and disk space
- Click OK
- Click OK again
- Add a new deployment type for the 32-bit MSI using the information above
- Edit the new type as above to set the product code from the 32-bit MSI and verify its requirements (limit it to the supported 32-bit operating systems)
- Select the supersedence tab
- click add
- Click Browse and select the oldest prior version of the application that this version replaces
- Map each old deployment type to the new one, ensuring the bitness matches

- Click OK
- Add any other replacements required
- Verify your work and click OK
Repeat the application creation process for all versions of the UF in production. If you are upgrading, monitor your deployment progress; you may continue with this procedure while the Universal Forwarder application is being deployed.
Create a Configuration Script
- Create a source folder to contain the configuration script, for example `\\servername\source\splunk\scripts\UF_Config_V1`
- The following script can be used as a template for the appropriate configuration for your site. At minimum the deployment server FQDN in `targetUri` must be customized. Name the script configure.ps1. Two points are worth keeping in mind: the task sequence runs this script as SYSTEM on every server in the collection, so write access to the source folder is equivalent to code execution on all of them and should be restricted accordingly; and the forwarder will fetch and run whatever apps the deployment server named in `targetUri` hands it, so that server (and the CNAME pointing at it) needs the same level of protection as SCCM itself.
```powershell
#Splunk Configuration Script for SCCM Task Sequence
#Locate Splunk based on the MSI registration
function Get-IniContent ($filePath)
{
    # Minimal .conf parser: returns a hashtable of sections, each holding key = value pairs
    $ini = @{}
    $section = "GLOBAL"
    $ini[$section] = @{}      # keys before the first [section] header land here instead of failing
    $CommentCount = 0
    switch -regex -file $filePath
    {
        "^\[(.+)\]" # Section
        {
            $section = $matches[1]
            $ini[$section] = @{}
            $CommentCount = 0
            continue
        }
        "^(\#.*)$" # Comment
        {
            $value = $matches[1]
            $CommentCount = $CommentCount + 1
            $name = "Comment" + $CommentCount
            #$ini[$section][$name] = $value
            continue
        }
        "(.+?)\s*=(.*)" # Key
        {
            $name, $value = $matches[1..2]
            $ini[$section][$name] = $value.Trim()
        }
    }
    return $ini
}
$location = "C:\Program Files\SplunkUniversalForwarder\"
#note if splunk may not be installed at the default location uncomment the following lines
#(Win32_Product is slow and makes Windows Installer re-validate every installed product; use it only when needed)
#$list = Get-WmiObject -Class Win32_Product | Where-Object {
#    $_.Name -eq 'UniversalForwarder' -or $_.Name -eq 'Splunk' }
#$splunkprod = $list | Where-Object { $_.InstallLocation }
#$location = $splunkprod.InstallLocation
$scriptappver = 2   # bump this number whenever the generated configuration changes
$splunkcmd = $location + "bin\splunk.exe"
$staticapp = $location + "etc\apps\_static_all_universalforwarder\"
$staticdefault = $staticapp + "default\"
$staticlocal = $staticapp + "local\"
$staticdefault_dc = $staticdefault + "deploymentclient.conf"
$staticlocal_dc = $staticlocal + "deploymentclient.conf"
$staticdefault_app = $staticdefault + "app.conf"
if (!(Test-Path -Path $staticapp)) { New-Item -ItemType Directory -Path $staticapp | Out-Null }
if (!(Test-Path -Path $staticdefault)) { New-Item -ItemType Directory -Path $staticdefault | Out-Null }
if (!(Test-Path -Path $staticlocal)) { New-Item -ItemType Directory -Path $staticlocal | Out-Null }
if (!(Test-Path -Path $staticdefault_app))
{
    # First run: create app.conf with version=0 so the block below applies the configuration once
    New-Item -Path $staticdefault_app -ItemType File | Out-Null
    Add-Content -Path $staticdefault_app -Value "#Generated by scripting"
    Add-Content -Path $staticdefault_app -Value "[_static_all_universalforwarder]"
    Add-Content -Path $staticdefault_app -Value "author=Ryan Faircloth"
    Add-Content -Path $staticdefault_app -Value "description=Script Generated UF default configuration applied by SCCM"
    Add-Content -Path $staticdefault_app -Value "version=0"
    Add-Content -Path $staticdefault_app -Value "[ui]"
    Add-Content -Path $staticdefault_app -Value "is_visible = false"
}
$appconf = Get-IniContent $staticdefault_app
$appver = $appconf["_static_all_universalforwarder"]["version"]
if ($appver -ne $scriptappver)
{
    # Configuration on disk is older than this script: (re)write deploymentclient.conf in full so a
    # changed deployment server or clientName takes effect, then record the version that was applied.
    Set-Content -Path $staticdefault_dc -Value "#Generated by scripting"
    Add-Content -Path $staticdefault_dc -Value "[deployment-client]"
    Add-Content -Path $staticdefault_dc -Value "clientName=ScriptDeployed|"
    Add-Content -Path $staticdefault_dc -Value "[target-broker:deploymentServer]"
    Add-Content -Path $staticdefault_dc -Value "targetUri=srvsplunk.ad.domainname.com:8089"
    Add-Content -Path $staticdefault_dc -Value ""
    (Get-Content -Path $staticdefault_app) -replace '^version\s*=.*$', "version=$scriptappver" |
        Set-Content -Path $staticdefault_app
    # Restart only when something actually changed; on later runs the script is a no-op
    & $splunkcmd "restart"
}
```
Create a Package to contain the configuration script
- Create a new package folder named Splunk
- Create a new folder on the network share named Splunk_config_vX, where X is the version of the script, and place the customized configuration script in it
- Right click the package folder and choose Create Package
- Name the package Splunk Configuration Script v1
- Select the source folder

- Click Next
- Select “Do not create a program”
- Click Next
- Click Next
- Click Close
- Right click on the package and click “Distribute Content”, using the appropriate options for the environment. Do not click Deploy; the script is run by the task sequence created next
Create the configuration task sequence
- Navigate to Software Library
- Navigate to Operating System Deployment
- Navigate to Task Sequence
- Optional: create a new folder called Splunk
- Right click and create a new task sequence
- Select Custom Sequence

- Click Next
- Name the sequence, e.g. Splunk Configuration Script Vx
- Click Next
- Click Next
- Click Close
- Right click on the task sequence
- Click Properties
- Click the Advanced tab
- Select “Suppress task sequence notifications”
- Select “Disable this task sequence on computers where it is deployed”

- Click OK
- Right click on the task sequence and choose Edit
- Click Add > General > Run PowerShell Script
- Select the package created above, set the script name (configure.ps1) and set the execution policy to Bypass

- Click OK
- Right click on the task sequence and deploy it to the “Splunk Deployment Collection for Deployed Forwarders” collection created earlier
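Once the application and the task sequence have run, the result on each server can be checked without the console. The following is an added example, not part of the original post: it confirms the MSI registration, the service state and the generated `deploymentclient.conf`, and tests that the deployment server's management port is reachable from the forwarder. It assumes the default install path, the `SplunkForwarder` service name, and a placeholder deployment server CNAME. It reads the Uninstall registry keys rather than `Win32_Product`, which is slow and triggers a Windows Installer consistency check of every product on the host.

```powershell
# Added example (not from the original post): post-deployment check for one forwarder.
# Assumptions: default install root, service name SplunkForwarder, placeholder CNAME below.
function Test-UniversalForwarder {
    param(
        [string]$ExpectedTargetUri = "srvsplunk.ad.domainname.com:8089",   # assumption: your CNAME
        [string]$InstallRoot = "C:\Program Files\SplunkUniversalForwarder"
    )
    # MSI registration from both Uninstall views (64-bit and WOW6432Node) instead of Win32_Product
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -eq 'UniversalForwarder' } |
               Select-Object -First 1

    $service = Get-Service -Name SplunkForwarder -ErrorAction SilentlyContinue

    # Pull targetUri out of the file the configuration script generated; a line match is enough here
    $dcConf = Join-Path $InstallRoot 'etc\apps\_static_all_universalforwarder\default\deploymentclient.conf'
    $targetUri = $null
    if (Test-Path $dcConf) {
        foreach ($line in Get-Content $dcConf) {
            if ($line -match '^\s*targetUri\s*=\s*(.+?)\s*$') { $targetUri = $Matches[1]; break }
        }
    }

    # Can this host actually reach the management port of the deployment server it was pointed at?
    $reachable = $false
    if ($targetUri) {
        $dsHost, $dsPort = $targetUri -split ':'
        $reachable = Test-NetConnection -ComputerName $dsHost -Port ([int]$dsPort) `
                                        -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        InstalledVersion          = $product.DisplayVersion
        ServiceStatus             = if ($service) { $service.Status } else { 'Missing' }
        TargetUri                 = $targetUri
        TargetUriMatches          = ($targetUri -eq $ExpectedTargetUri)
        DeploymentServerReachable = $reachable
        Compliant                 = ($null -ne $product) -and
                                    ($service.Status -eq 'Running') -and
                                    ($targetUri -eq $ExpectedTargetUri) -and
                                    $reachable
    }
}

Test-UniversalForwarder
```

Run it ad hoc on a few members of the deployed-forwarders collection, or wrap it as a Configuration Item discovery script that returns `Compliant` or `NonCompliant` from the last property and deploy the baseline to the same collection. A forwarder that is installed and running but whose `targetUri` does not match, or cannot reach port 8089, has been installed but not configured, which the application deployment status alone will not show.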