
Best Practice for Splunk Stream Install Location

mikefg
Communicator

Working on a fresh install of Stream into an on-prem distributed environment with a small number of endpoints. I'm not sure where to install and operate Stream from and I've seen differing instructions from 2019-present.

Is the current best practice to install and operate Stream from a standalone server or install and run from the deployment server?


inventsekar
Ultra Champion

Hi @mikefg ... As per the documentation at https://docs.splunk.com/Documentation/StreamApp/8.1.0/DeployStreamApp/InstallSplunkAppforStreaminadi...

Install Splunk App for Stream on search heads

  1. Click Download. The installation package downloads to your local host.
  2. Log into Splunk Web.
  3. Go to the command line and untar the installation file to SPLUNK_HOME/etc/apps/.
  4. Restart Splunk Enterprise, if prompted. This installs the Splunk App for Stream (Splunk_app_stream) in $SPLUNK_HOME/etc/apps.

May I know if this resolves your query? If not, please let us know some more details about the query, thanks.

mikefg
Communicator

This doesn't help, what I need to know is if there is a best practice for using a separate server for stream or using a deployment server.

Per the below article they use a separate server, but I'm not sure where that break point is between separate server and just using a deployment server. I'm leaning toward using a separate server, but the article I'm linking to is from 2019, so I don't know if it's still the recommended way to do it.


https://www.splunk.com/en_us/blog/tips-and-tricks/installing-and-managing-splunk-stream-in-a-distrib...


inventsekar
Ultra Champion

This doesn't help, what I need to know is if there is a best practice for using a separate server for stream or using a deployment server.
but I'm not sure where that break point is between separate server and just using a deployment server ///


Well, in simple terms, your question is... "separate server or just using a deployment server?"

It's a very complex question and this depends on "so many factors"...

1) its performance,
2) average load,
3) your plan about how your Splunk system will be in a year and in 5 years, etc.
4) importantly, the budget constraints.


---- If you want to push Splunk to its bottleneck and also get good Return on Investment (ROI), then simply go with just using a deployment server, not a separate server for Stream.

---- On the other hand, if you can afford it moneywise, it is simply best to use a separate server for each functionality... for example, a common system for base Splunk and separate servers for ES, ITSI, Observability, Stream, etc.

Hope it's clear now, thanks.


mikefg
Communicator

Thank you, this helps. Just wanted to make sure there wasn't any newer recommended way to set up Stream. I'll proceed with a standalone server.
