Install and Deploy uberAgent

Installing uberAgent for Splunk is quick and straightforward. Due to the product’s flexibility there is often more than one way of doing things. In such a case we describe the recommended configuration here and link to supported alternatives.


  • Read about the architecture options.
  • If you do not have a running Splunk installation yet set up Splunk.
  • Download uberAgent and extract the archive. You should have a directory uberAgent components with the following content:
    • A subdirectory uberAgent_endpoint
    • Packed Splunk app uberAgent_indexer.tgz
    • Packed Splunk app uberAgent_searchhead.tgz

Preparing the Splunk Server


If you are upgrading from an earlier version of the uberAgent Splunk apps please make sure to follow the upgrade instructions.

Please consult the release notes for possible changes in configuration or functionality.

Manual Installation

  • Go to the Splunk console’s home page by navigating to http://servername:8000 in your browser.
  • Click Manage apps:

  • Click Install app from file:

  • Select uberAgent_indexer.tgz and click Upload
  • The uberAgent indexer app is now installed
  • Install uberAgent_searchhead.tgz in the same way
  • Click Settings -> Server controls -> Restart Splunk

Distributed Splunk Deployment

If you have a distributed Splunk deployment with separate search heads and indexers please deploy the indexer app to all indexers and the search head app to all search heads.

Alternative Architectures

Note: This is optional and not required for the recommended architecture.

If you decided to have uberAgent send data to Splunk through a locally installed Universal Forwarder on the monitored endpoints you need to enable receiving Universal Forwarder data as described here, i.e. through Settings -> Forwarding and receiving -> Receive data -> Add new -> 9997 -> Save.

Sending to Splunk HTTP Event Collector

Note: This is only required when you want uberAgent to send directly to Splunk Cloud, but it can optionally be used with Splunk Enterprise, too.

uberAgent can send the data it collects via HTTP or HTTPS to a Splunk data input called HTTP Event Collector (HEC). Please follow these steps to enable and configure HTTP Event Collector.

Installing uberAgent on the Endpoints

The agent installer is available as an MSI package. The MSI can either be installed manually or unattended through existing software deployment tools or Splunk’s Deployment Server.

Expected result after the installation of the MSI: the service uberAgent is installed and running.

Manual Installation

  • Run the batch file uberAgent_endpoint\bin\manual-install.cmd
  • On the screen Receiver Configuration specify the name(s) of your Splunk indexer(s) and the port configured earlier (default: 19500)

Installation Through a Software Deployment Tool

  • Install the appropriate MSI file from the directory uberAgent_endpoint\bin depending on the bitness of your machine: uberAgent-32.msi or uberAgent-64.msi
  • Specify the following MSI parameters:
      • Required: yes
      • Description: List of target servers/URLs
      • Valid values:
        • TCP input: comma-separated list of server:port, e.g.: localhost:19500, splunksrv:12345
        • HEC input: comma-separated list of URLs starting with http or https, e.g.: http://server1:8088, https://server2:8088
      • Required: no
      • Description: Installation directory
      • Valid values: any local file system path
      • Required: no
      • Description: How to send data to the backend
      • Valid values:
        • TCP uses a direct TCP connection. This is the default.
        • HTTP sends to Splunk HTTP Event Collector via HTTP or HTTPS
      • Required: only when sending to Splunk HTTP Event Collector
      • Description: Application token required by the Splunk HTTP Event Collector
      • Valid values: authentication token created in Splunk
      • Documentation

Citrix Site Monitoring

If some or all of your endpoints are running the Citrix XenApp or XenDesktop VDA you should install uberAgent on the Citrix delivery controller(s), too. Please see this page for details.

Alternative Architectures

Note: This is optional and not required for the recommended architecture.

If you decided to implement one of the alternative architectures you need to install Universal Forwarder on each endpoint.

In order to deploy uberAgent through Splunk’s Deployment Server follow these steps.


uberAgent can be configured very flexibly. By editing the configuration you can switch metrics on or off, change the data collection frequency and significantly reduce the data volume.

License File

If you have a license file for uberAgent copy it to the installation directory (default: C:\Program Files\vast limits\uberAgent). Without a license file uberAgent displays a splash screen during logon. Contact us for an evaluation license.

Imaging / Citrix PVS

If you intend to copy the agent installation via an imaging method or Citrix PVS we recommend you remove instance-specific information. To do that follow these steps right before capturing the image:

  • Stop the service uberAgent (but leave the start type at automatic)
  • Open an administrative command prompt
  • Run the command: reg delete “HKLM\SOFTWARE\vast limits\uberAgent” /f /reg:64
  • Prepare the machine for cloning as necessary, but do not reboot

If you have Splunk Universal Forwarder installed, please follow the steps listed here, too.

Monitoring uberAgent

The operation of the uberAgent service can be monitored by checking the log file. Centralized monitoring is possible through the Splunk app uberAgent Log Collector.

All Done!

You have successfully deployed uberAgent. Now take a look at the dashboards by pointing your browser at http://servername:8000/app/uberAgent.

Have fun!

If you do not see data from some or all endpoints please follow these troubleshooting steps.


Do you have questions that were not answered here? Please ask us, we are happy to help!