Amir Roknifard
Amir Roknifard is a cyber security professional with years of professional experience and a proven track record in cyber security management and risk consulting, helping boards to better manage their cyber risk and transform their cyber security practices. He is the founder of Academician Journal, which aims to close the gap between academia and the InfoSec industry. He has also authored and reviewed books, published articles, and developed a master's degree program in cyber security.

Install Splunk Universal Forwarder unattended (silent mode)

It might seem odd, but sometimes small things take a lot of time, especially when you are in the middle of a project. One of them that bugged me a lot recently is installing Splunk Universal Forwarder unattended.

Here is the command to install the 64-bit version:

msiexec.exe /i splunkforwarder-[version]-[make]-x64-release.msi AGREETOLICENSE=Yes DEPLOYMENT_SERVER="IP_ADDRESS:PORT_NUMBER" LAUNCHSPLUNK=1 SERVICESTARTTYPE=auto /quiet

But the catch is that you must run your PowerShell or command prompt instance as an administrator if UAC is enabled. To do this, when opening a new command prompt or PowerShell instance, right-click and select “Run as administrator”.

I have prepared a script which automates the installation process for you within your parent script:

function Install-SplunkForwarder {
    [CmdletBinding()]   # enables -Verbose so the Write-Verbose messages are shown
    param()

    # Replace [version] and [make] with the values from the file you downloaded.
    $msiPath = "c:\splunkforwarder-[version]-[make]-x64-release.msi"

    $arguments = @(
        "/i"
        "`"$msiPath`""
        "DEPLOYMENT_SERVER=`"10.0.0.148:1337`""
        "AGREETOLICENSE=Yes"
        "/quiet"
        "/norestart"
        "LOGON_USERNAME=`"domain\username`""
        "LOGON_PASSWORD=`"password`""
    )

    Write-Verbose "Installing package..."
    # The MSI is an argument to msiexec.exe, not the program to start.
    $process = Start-Process -FilePath msiexec.exe -ArgumentList $arguments -Wait -PassThru
    if ($process.ExitCode -eq 0) {
        Write-Verbose "Successfully installed"
    } else {
        Write-Verbose "Installer exit code $($process.ExitCode)"
    }
}

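You may skip LOGON_USERNAME and LOGON_PASSWORD if you intend to run the SplunkForwarder service under the Local System account. Doing so also keeps a service account password out of the script and the msiexec command line.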
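
The conditions this post depends on (an elevated session, a successful msiexec exit code, a running service) can be checked explicitly around the install. The following is an added example, not the author's script: the function name Install-SplunkForwarderChecked, its parameters, the log file name and the signature check are assumptions of the example, and the service runs as Local System so no credentials are passed.

```powershell
#Requires -Version 5.1
function Install-SplunkForwarderChecked {   # hypothetical name, not part of the original script
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,           # full path to the downloaded MSI
        [Parameter(Mandatory)] [string] $DeploymentServer   # "IP_ADDRESS:PORT_NUMBER"
    )

    # 1. msiexec /quiet cannot raise a UAC prompt, so stop early if the session is not elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Not elevated: start PowerShell with 'Run as administrator'."
    }

    # 2. Refuse to install a package whose Authenticode signature does not validate.
    $sig = Get-AuthenticodeSignature -LiteralPath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $MsiPath ($($sig.Status))."
    }
    Write-Verbose "Signed by: $($sig.SignerCertificate.Subject)"

    # 3. Silent install with a verbose MSI log for troubleshooting.
    $log = Join-Path $env:TEMP 'splunkforwarder-install.log'
    $arguments = @(
        '/i', "`"$MsiPath`""
        'AGREETOLICENSE=Yes'
        "DEPLOYMENT_SERVER=`"$DeploymentServer`""
        'LAUNCHSPLUNK=1', 'SERVICESTARTTYPE=auto'
        '/quiet', '/norestart'
        '/l*v', "`"$log`""
    )
    $process = Start-Process -FilePath msiexec.exe -ArgumentList $arguments -Wait -PassThru

    # 4. 0 = success, 3010 = success but reboot required, 1641 = success and reboot started.
    if ($process.ExitCode -notin 0, 3010, 1641) {
        throw "msiexec exit code $($process.ExitCode); see $log"
    }

    # 5. Confirm the forwarder service exists and is running.
    $service = Get-Service -Name SplunkForwarder -ErrorAction Stop
    if ($service.Status -ne 'Running') {
        throw "SplunkForwarder service is $($service.Status)."
    }
    [pscustomobject]@{ ExitCode = $process.ExitCode; Service = $service.Status; Log = $log }
}
```

Run it with -Verbose to see the signer subject, and compare that subject with the publisher you expect before trusting the package.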
