This page describes how to install uberAgent through Splunk’s Deployment Server (see architecture options).
Install Universal Forwarder as described here. Make sure to specify the Deployment Server name during Universal Forwarder installation.
Note: Deployment server can only be used with Splunk Enterprise.
Copy the directory uberAgent_endpoint from the unzipped uberAgent download package to $SPLUNK_HOME\etc\deployment-apps on your deployment server.
Note: $SPLUNK_HOME refers to the base directory of the Splunk installation, typically C:\Program Files\Splunk.
Edit $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin\silent-install.cmd, modifying the servers variable so that it contains a list of your Splunk servers. Example:
If you have a license file for uberAgent, copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin.
Create a file called serverclass.conf in $SPLUNK_HOME\etc\system\local on your deployment server. The file serverclass.conf defines what to deploy where. For a quick start, paste the following content into serverclass.conf to deploy uberAgent to all Windows machines. You may want to fine-tune this to suit your needs.
#
[global]
# We cannot match by machine type here. We'll do that on the app level below.
whitelist.0 = *

# Define a serverclass
[serverClass:windows]
# Deploy only to Windows machines
machineTypesFilter = windows-*

# Define which apps to deploy to the serverclass
[serverClass:windows:app:uberAgent_endpoint]
stateOnClient = enabled
restartSplunkd = true
To make Splunk read the new file serverclass.conf, run the following command:
$SPLUNK_HOME\bin\splunk.exe reload deploy-server
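The deployment-server steps above, collected into one PowerShell script. This is an added example, not part of the uberAgent package or the original page. The parameter names are hypothetical, and the default for $SplunkHome is the typical location mentioned above. The script refuses to overwrite an app copy that is already staged or an existing serverclass.conf, and it reloads the deployment server only when asked, because silent-install.cmd is pushed to every matching endpoint and should be edited and reviewed first.

```powershell
# Added example (not vendor code): stage uberAgent_endpoint on the deployment server.
param(
    [Parameter(Mandatory)] [string] $PackageDir,       # unzipped uberAgent download (operator-supplied)
    [string] $SplunkHome = 'C:\Program Files\Splunk',  # typical location; adjust if different
    [string] $LicenseFile,                             # optional: path to your uberAgent license file
    [switch] $Reload                                   # reload only after silent-install.cmd is edited
)
$ErrorActionPreference = 'Stop'

$source    = Join-Path $PackageDir 'uberAgent_endpoint'
$appsDir   = Join-Path $SplunkHome 'etc\deployment-apps'
$appDir    = Join-Path $appsDir 'uberAgent_endpoint'
$binDir    = Join-Path $appDir 'bin'
$classConf = Join-Path $SplunkHome 'etc\system\local\serverclass.conf'

if (-not (Test-Path $appsDir -PathType Container)) { throw "Not found: $appsDir" }

# Copy the app once; never overwrite an already staged (and possibly edited) copy.
if (-not (Test-Path $appDir)) {
    if (-not (Test-Path $source -PathType Container)) { throw "Not found: $source" }
    Copy-Item -Path $source -Destination $appsDir -Recurse
}
if ($LicenseFile) { Copy-Item -Path $LicenseFile -Destination $binDir }

# An existing serverclass.conf may define other server classes: merge by hand instead.
if (Test-Path $classConf) {
    Write-Warning "$classConf exists; add the uberAgent stanzas to it manually."
} else {
    Set-Content -Path $classConf -Encoding ASCII -Value @'
[global]
# We cannot match by machine type here. We'll do that on the app level below.
whitelist.0 = *

[serverClass:windows]
machineTypesFilter = windows-*

[serverClass:windows:app:uberAgent_endpoint]
stateOnClient = enabled
restartSplunkd = true
'@
}

if ($Reload) {
    # splunk.exe lives in the bin directory below the Splunk base directory
    & (Join-Path $SplunkHome 'bin\splunk.exe') reload deploy-server
} else {
    Write-Warning "Edit the servers variable in $binDir\silent-install.cmd, then rerun with -Reload."
}
```

Run it once to stage the files, edit the servers variable in silent-install.cmd, then run it again with -Reload.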