Installing the Splunk Forwarder on Windows seems very easy, thanks to the user-friendly installation wizard. After the installation, however, there are several issues, including a bug, that get in the way of a smooth experience with this indexer.
I recommend using “Customize Options” during the installation so you can specify the deployment server and other configuration parameters: with the default or the unattended installation, outputs.conf is not created automatically, so you have to create it by hand.
The bug exists in version 6.4.0 (x64): everything seems in order, but no logs are recorded on the Splunk server. It can be worked around by adding “wineventlog;” to “srchIndexDefault” under the “[role_admin]” section of the “authorize.conf” file in “$splunk_installation_path/etc/system/local/”.
Note that “authorize.conf” does not exist by default in that path; it must first be copied from “$splunk_installation_path/etc/system/default/” and then modified.
Another file, “indexes.conf”, is also required; it is not created during the installation and must be created and configured manually. Its content should be as follows:
    [default]
    homePath = $SPLUNK_DB/winevents/db
    coldPath = $SPLUNK_DB/winevents/colddb
    thawedPath = $SPLUNK_DB/winevents/thaweddb
    maxDataSize = 10000
    maxHotBuckets = 10
The line “index = default” must be added under the “[default]” section of the “inputs.conf” and “outputs.conf” files in “$splunk_installation_path/etc/system/local/”.
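Because these three edits are easy to get slightly wrong (a missing semicolon in srchIndexDefault, a stanza name typo, a key placed in the wrong file), the following added example checks them after the fact. It is not part of the original post or of Splunk itself: it parses authorize.conf, indexes.conf and inputs.conf as INI-style text with Python's configparser and reports which of the post's three changes are missing. The sample file contents, the host name and the WinEventLog stanza are constructed for the demonstration; check_local_dir assumes the usual $SPLUNK_HOME/etc/system/local layout named in the post.

```python
"""Added example (not from the post): verify the three manual Splunk forwarder
edits described above. Splunk .conf files are INI-style, so configparser is
sufficient for this check."""
import configparser
from pathlib import Path

# Keys the post's indexes.conf [default] stanza must carry.
REQUIRED_INDEX_KEYS = ("homePath", "coldPath", "thawedPath")

# Constructed sample files (assumptions for the demo, not copied from a real host).
SAMPLE_AUTHORIZE = """[role_admin]
importRoles = power;user
srchIndexDefault = main;os;wineventlog
srchIndexesAllowed = *
"""

SAMPLE_INDEXES = """[default]
homePath = $SPLUNK_DB/winevents/db
coldPath = $SPLUNK_DB/winevents/colddb
thawedPath = $SPLUNK_DB/winevents/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
"""

SAMPLE_INPUTS = """[default]
host = WIN-HOST-01
index = default

[WinEventLog://Security]
disabled = 0
"""


def parse_splunk_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text. interpolation=None keeps $SPLUNK_DB literal and
    optionxform=str keeps keys case-sensitive, the way Splunk treats them."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def role_default_indexes(authorize_text: str, role: str = "role_admin") -> list:
    """Return the semicolon-separated srchIndexDefault list for a role."""
    conf = parse_splunk_conf(authorize_text)
    raw = conf.get(role, "srchIndexDefault", fallback="")
    return [name.strip() for name in raw.split(";") if name.strip()]


def check_forwarder_config(authorize_text: str, indexes_text: str,
                           inputs_text: str) -> list:
    """Return a list of findings; an empty list means all three edits are present."""
    findings = []

    # 1. authorize.conf: wineventlog must be among the admin role's default search indexes.
    if "wineventlog" not in role_default_indexes(authorize_text):
        findings.append("authorize.conf: [role_admin] srchIndexDefault lacks 'wineventlog'")

    # 2. indexes.conf: [default] stanza with the bucket paths from the post.
    idx = parse_splunk_conf(indexes_text)
    if not idx.has_section("default"):
        findings.append("indexes.conf: missing [default] stanza")
    else:
        for key in REQUIRED_INDEX_KEYS:
            if not idx.has_option("default", key):
                findings.append(f"indexes.conf: [default] missing {key}")

    # 3. inputs.conf: index = default under [default].
    inp = parse_splunk_conf(inputs_text)
    if inp.get("default", "index", fallback="") != "default":
        findings.append("inputs.conf: [default] stanza does not set index = default")

    return findings


def check_local_dir(local_dir: str) -> list:
    """Run the same checks against a real .../etc/system/local directory.
    A missing file is read as empty text and therefore surfaces as findings."""
    base = Path(local_dir)

    def read(name: str) -> str:
        path = base / name
        return path.read_text(encoding="utf-8") if path.exists() else ""

    return check_forwarder_config(read("authorize.conf"), read("indexes.conf"),
                                  read("inputs.conf"))


if __name__ == "__main__":
    for finding in check_forwarder_config(SAMPLE_AUTHORIZE, SAMPLE_INDEXES, SAMPLE_INPUTS):
        print(finding)
    print("checks finished")
```

Run check_local_dir(r"C:\Program Files\SplunkUniversalForwarder\etc\system\local") (path assumed; adjust to your installation) on the forwarder host after making the edits; an empty result means all three changes are in place, and each finding names the file and stanza that still needs attention.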