How can I install Splunk universal forwarder on Windows?

Prerequisites to installation



Create a firewall rule to allow tcp and upd traffic over ports 9997 to ( and 8089 (



Confirm that you can reach the splunk servers by attempting to telnet to each server on its respective port.
Create a service account for splunk. We recommend the username to be "splunk."

Splunk installations require a password for the splunk service which should be different than the splunk user service account password.

Download the Windows MSI Splunk installer from

Command line instructions

Installation via command line is long, but straightforward.
WINEVENTLOG_FWD_ENABLE=0 WINEVENTLOG_SET_ENABLE=0 SPLUNKPASSWORD=password /l*v c:\windows\temp\splunkUF.log /quiet
Please modify the above to use your own password.
NOTE:  The password you use isn't for an account that exists in AD and doesn't need to exist for an account that's local to the machine.  However, you may require this password to complete certain actions with Splunk so be sure to remember it.

Manual instructions

Right-click on the installation file and choose Install.
1. Click on "Check this box to accept the License Agreement", then click Next.
splunk universal forwarder screen  
2. Enter in a password for the application and press Next.
splunk password screen
3. Enter in "" for Hostname and "8089" for the port. Select Next.
         splunk receiving Indexer screen  
4. No input required on this screen. Select Next.
splunk deployment server screen  
5. No input required. Select Install.
6. Visual feedback is shown as the program installs.
7. Several informational buttons are presented. Select Finish to complete the install.


Article ID: 876
Fri 1/15/21 6:12 PM
Wed 6/9/21 3:28 PM