https://community.splunk.com/t5/Splunk-Enterprise/Basic-Distributed-Deployment-Install-Setup-Steps/m-p/644389#M16408 <P>I'll try to add a little more detail here when I get a chance:</P><UL><LI>add to appropriate Deployment Server Class(es) &amp; deploy appropriate apps<UL><LI>enable (SH, HF, DS) or disable (indexers) the WebUI</LI><LI>enable cooked Splunk port 9997 inputs on the indexers</LI><LI>forward _* internal logs to the indexers</LI><LI>define indexes</LI><LI>enable SSL<UL><LI>WebUI, 8089 mgmt, 9997 cooked input</LI></UL></LI></UL></LI></UL> Wed, 24 May 2023 04:02:58 GMT marycordova 2023-05-24T04:02:58Z https://community.splunk.com/t5/Splunk-Enterprise/Basic-Distributed-Deployment-Install-Setup-Steps/m-p/644379#M16404 <P>Is there a basic cheatsheet for setting up a new small scale distributed deployment?</P> Wed, 24 May 2023 03:00:53 GMT https://community.splunk.com/t5/Splunk-Enterprise/Basic-Distributed-Deployment-Install-Setup-Steps/m-p/644379#M16404 marycordova 2023-05-24T03:00:53Z https://community.splunk.com/t5/Splunk-Enterprise/Basic-Distributed-Deployment-Install-Setup-Steps/m-p/644383#M16405 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/159620">@marycordova</a>&nbsp;...&nbsp;</P><P>As per my knowledge there are no cheetsheet kind of documents..&nbsp;</P><P>but the Splunk documentation is very detailed and it will give us all the info required.&nbsp;</P><P>Please install SH, indexers, as per this document:</P><P><A href="https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/InstallonLinux" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/InstallonLinux</A></P><P>&nbsp;</P><P>then you can configure the indexer cluster and search head cluster as per this document:</P><P><A href="https://docs.splunk.com/Documentation/Splunk/9.0.4/Deploy/SHCwithindexers" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.4/Deploy/SHCwithindexers</A></P><P>&nbsp;</P><P>hope this helps.. thanks.&nbsp;</P><P>&nbsp;</P> Wed, 24 May 2023 03:36:33 GMT https://community.splunk.com/t5/Splunk-Enterprise/Basic-Distributed-Deployment-Install-Setup-Steps/m-p/644383#M16405 inventsekar 2023-05-24T03:36:33Z https://community.splunk.com/t5/Splunk-Enterprise/Basic-Distributed-Deployment-Install-Setup-Steps/m-p/644384#M16406 <UL><LI>Here are the basic steps for setting up a new deployment.&nbsp;</LI><LI>Build your Deployment Server first through step 8.&nbsp; You can use the WebUI on the Deployment server to upload your license file.&nbsp;</LI><LI>Build your indexers, heavy forwarders, &amp; search head with the same steps adding items 9-13.&nbsp;</LI><LI>Be sure you also configure your Deployment server with your indexes, SSL, and forward the internal logs to your indexers.&nbsp;</LI><LI>These steps were done on Ubuntu so commands may vary slightly on other *nix flavors.&nbsp; You may have other ways (systemd) to do some of the *nix admin such as the limits and THP.</LI></UL><P>&nbsp;</P><UL><LI>login via cli &amp; elevate to root</LI><LI>increase system limits</LI></UL><P>&nbsp;</P><LI-CODE lang="markup">vi /etc/security/limits.conf * hard nofile 64000 * hard nproc 16000 * hard fsize -1</LI-CODE><P>&nbsp;</P><UL><LI>disable THP<UL><LI><A href="https://www.mongodb.com/docs/manual/tutorial/transparent-huge-pages/" target="_blank" rel="noopener">https://www.mongodb.com/docs/manual/tutorial/transparent-huge-pages/</A>&nbsp;System V Init (service)</LI></UL></LI></UL><P>&nbsp;</P><LI-CODE lang="markup">vi /etc/init.d/disable-transparent-hugepages #!/bin/bash ### BEGIN INIT INFO # Provides: disable-transparent-hugepages # Required-Start: $local_fs # Required-Stop: # X-Start-Before: splunk # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Disable Linux transparent huge pages ### END INIT INFO echo 'never' | tee /sys/kernel/mm/transparent_hugepage/enabled &gt; /dev/null echo 'never' | tee /sys/kernel/mm/transparent_hugepage/defrag &gt; /dev/null chmod 755 /etc/init.d/disable-transparent-hugepages /etc/init.d/disable-transparent-hugepages start update-rc.d disable-transparent-hugepages defaults</LI-CODE><P>&nbsp;</P><UL><LI>reboot, login, &amp; elevate to root</LI><LI>create the splunk user</LI></UL><P>&nbsp;</P><LI-CODE lang="markup">useradd -m splunk</LI-CODE><P>&nbsp;</P><UL><LI>install splunk &amp; configure to run as non-root "splunk" user at system boot</LI></UL><P>&nbsp;</P><LI-CODE lang="markup">cd /opt wget -O splunk-9.0.4.1-419ad9369127-Linux-x86_64.tgz "https://download.splunk.com/products/splunk/releases/9.0.4.1/linux/splunk-9.0.4.1-419ad9369127-Linux-x86_64.tgz" tar zxfv splunk-9.0.4.1-419ad9369127-Linux-x86_64.tgz chown -R splunk:splunk /opt/splunk /opt/splunk/bin/splunk enable boot-start -user splunk</LI-CODE><P>&nbsp;</P><UL><LI>reboot, login, &amp; elevate t root</LI><LI>verify configs<UL><LI><A href="https://docs.splunk.com/Documentation/Splunk/9.0.4/RESTREF/RESTintrospect" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/9.0.4/RESTREF/RESTintrospect</A></LI></UL></LI></UL><P>&nbsp;</P><LI-CODE lang="markup">ulimit -a cat /sys/kernel/mm/transparent_hugepage/enabled cat /sys/kernel/mm/transparent_hugepage/defrag ps -ef | grep splunk</LI-CODE><P>&nbsp;</P><UL><LI>switch to splunk user</LI></UL><P>&nbsp;</P><LI-CODE lang="markup">su - splunk</LI-CODE><P>&nbsp;</P><UL><LI>add deploymentclient.conf</LI></UL><P>&nbsp;</P><LI-CODE lang="markup">vi /opt/splunk/etc/system/local/deploymentclient.conf [deployment-client] [target-broker:deploymentServer] targetUri = https://deploymentserver.yourdomain.com:8089</LI-CODE><P>&nbsp;</P><UL><LI>add the Splunk license, restart Splunk, &amp; check licensing</LI></UL><P>&nbsp;</P><LI-CODE lang="markup">/opt/splunk/bin/splunk edit licenser-localpeer -manager_uri 'https://deploymentserver.yourdomain.com:8089' /opt/splunk/bin/splunk restart /opt/splunk/bin/splunk list licenser-localpeer</LI-CODE><P>&nbsp;</P><UL><LI>add to appropriate Deployment Server Class(es) &amp; deploy appropriate apps<UL><LI>enable (SH, HF, DS) or disable (indexers) the WebUI</LI><LI>enable cooked Splunk port 9997 inputs on the indexers</LI><LI>forward _* internal logs to the indexers</LI><LI>define indexes</LI><LI>enable SSL<UL><LI>WebUI, 8089 mgmt, 9997 cooked input</LI></UL></LI></UL></LI><LI>enable email (SMTP) for SearchHead only via the SH WebUI&nbsp;</LI></UL> Wed, 24 May 2023 03:59:46 GMT https://community.splunk.com/t5/Splunk-Enterprise/Basic-Distributed-Deployment-Install-Setup-Steps/m-p/644384#M16406 marycordova 2023-05-24T03:59:46Z https://community.splunk.com/t5/Splunk-Enterprise/Basic-Distributed-Deployment-Install-Setup-Steps/m-p/644389#M16408 <P>I'll try to add a little more detail here when I get a chance:</P><UL><LI>add to appropriate Deployment Server Class(es) &amp; deploy appropriate apps<UL><LI>enable (SH, HF, DS) or disable (indexers) the WebUI</LI><LI>enable cooked Splunk port 9997 inputs on the indexers</LI><LI>forward _* internal logs to the indexers</LI><LI>define indexes</LI><LI>enable SSL<UL><LI>WebUI, 8089 mgmt, 9997 cooked input</LI></UL></LI></UL></LI></UL> Wed, 24 May 2023 04:02:58 GMT https://community.splunk.com/t5/Splunk-Enterprise/Basic-Distributed-Deployment-Install-Setup-Steps/m-p/644389#M16408 marycordova 2023-05-24T04:02:58Z