All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Best Practice for Splunk Stream Install Location

mikefg
Communicator
‎07-21-2022 10:03 AM

Working on a fresh install of Stream into an on-prem distributed environment with a small number of endpoints. I'm not sure where to install and operate Stream from and I've seen differing instructions from 2019-present.

Is the current best practice to install and operate Stream from a standalone server or install and run from the deployment server?

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎07-22-2022 02:29 PM

This doesn't help, what I need to know is if there is a best practice for using a separate server for stream or using a deployment server.
but I'm not sure where that break point is between separate server and just using a deployment server ///


well,.. in simple terms, your question is... "separate server or just using a deployment server?"

its a very complex question and this depends "soo many factors"...

1) its performance,
2) average load,
3) ur plan about how your Splunk system will be in an year and in 5 years, etc
4) importantly, the budget constraints. 


---- if you want to push Splunk to its bottleneck and also get good Return on Investment(ROI), then simply go with just using a deployment server, not a separate server for stream. 

---- on the other hand, if you can afford moneywise, it is simply best to use a separate server for each functionality... for example common system for base Splunk and separate servers for ES, ITSI, Observability, Stream, etc..

hope its clear now, thanks. 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎07-21-2022 12:04 PM

Hi @mikefg ... As per the documentation at https://docs.splunk.com/Documentation/StreamApp/8.1.0/DeployStreamApp/InstallSplunkAppforStreaminadi...

Install Splunk App for Stream on search heads

  2. Click Download. The installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Go to the command line and untar the installation file to SPLUNK_HOME/etc/apps/.
  5. Restart Splunk Enterprise, if prompted. This installs the Splunk App for Stream (Splunk_app_stream) in $SPLUNK_HOME/etc/apps.

may i know if this resolves your query, if not please let us know some more details about query, thanks. 

0 Karma
Reply
Solved! Jump to solution

mikefg
Communicator
‎07-21-2022 12:15 PM

This doesn't help, what I need to know is if there is a best practice for using a separate server for stream or using a deployment server.

Per the below article they use a separate server, but I'm not sure where that break point is between separate server and just using a deployment server. I'm leaning toward using a separate server, but the article I'm linking to is from 2019, so I don't know if it's still the recommended way to do it.


https://www.splunk.com/en_us/blog/tips-and-tricks/installing-and-managing-splunk-stream-in-a-distrib...

0 Karma
Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎07-22-2022 02:29 PM

This doesn't help, what I need to know is if there is a best practice for using a separate server for stream or using a deployment server.
but I'm not sure where that break point is between separate server and just using a deployment server ///


well,.. in simple terms, your question is... "separate server or just using a deployment server?"

its a very complex question and this depends "soo many factors"...

1) its performance,
2) average load,
3) ur plan about how your Splunk system will be in an year and in 5 years, etc
4) importantly, the budget constraints. 


---- if you want to push Splunk to its bottleneck and also get good Return on Investment(ROI), then simply go with just using a deployment server, not a separate server for stream. 

---- on the other hand, if you can afford moneywise, it is simply best to use a separate server for each functionality... for example common system for base Splunk and separate servers for ES, ITSI, Observability, Stream, etc..

hope its clear now, thanks. 

 

0 Karma
Reply
Solved! Jump to solution

mikefg
Communicator
‎07-25-2022 07:22 AM

Thank you, this helps. Just wanted to make sure there wasn't any newer recommended way to setup Stream. I'll proceed with a standalone server.

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...