Deployment Architecture

After all clients are registered to a deployment server, why are only half of the number of clients detected in forwarder management?

ronisetiadi
Engager

I want to configure a dedicated deployment server for 50 clients; my deployment server specification is Oracle Linux, 12 GB RAM, 8 CPU cores.
But after all clients are registered to the deployment server, only 25 clients are detected in Forwarder Management. I tried to reload using the `splunk reload deploy-server` command; for a while 50 clients were detected, and after that it went back to 25 clients.

0 Karma

lguinn2
Legend

The forwarder management dashboard does not look very far back in time. So if your deployment clients are phoning home infrequently, they may not show up in the dashboard. I don't think that you can adjust that dashboard, but you could also look at the Distributed Management Console to see if the clients are sending data, etc.

And here are some searches that you can customize for yourself. I would run the searches for at least the last hour, perhaps longer.

Are apps being downloaded? Also shows when Splunk was restarted:

index=_internal sourcetype=splunkd (component=DeployedApplication OR component=PackageDownloadRestHandler OR 
   (component=loader start OR restart)) | table _time log_level host app message component | reverse

Is the deployment client phoning home?

index=_internal (*phonehome* component=DC*) OR component=DC:HandshakeReplyHandler OR component=ClientSessionsManager 
| reverse | table _time host log_level message component

A couple of more general searches that you can use as a starting point:

index=_internal component=metrics group=deploy* sourcetype=splunkd

index=_internal sourcetype=splunkd component=ClientSessionsManager OR component=DC:DeploymentClient OR    
  component=DSManager OR component=DS_DC_Common OR component=DeploymentServer

Now that you have these searches, you could customize them to help you answer specific diagnostic questions like "When was the last time that a particular client downloaded anything?" or "When was the last time that this app was downloaded by any client?"
Also remember that the log_level field will distinguish between errors, warnings and other message types.

HTH

0 Karma

esix_splunk
Splunk Employee

What is your phone home interval, and are you sure that your hosts are able to connect fully? Sometimes a stateful firewall might be blocking the connection.

0 Karma
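The two diagnostic questions raised in this thread, "is each client actually phoning home?" (lguinn2's second search) and "what is the phone-home interval?" (esix_splunk's question), can be answered offline from exported splunkd lines and a client's deploymentclient.conf. The script below is an added example written for this page, not code from either poster or from Splunk. It applies the same event selection as the phone-home search to a handful of constructed splunkd lines, works out the last phone-home time per host, and then reports which hosts fall inside a chosen lookback window. The host names, timestamps, message texts, and the conf snippet are made up; only the splunkd line layout and the deploymentclient.conf stanza and key names (`[deployment-client]` / `phoneHomeIntervalInSecs`, `[target-broker:deploymentServer]` / `targetUri`) are Splunk's own. The comparison of the window against the configured interval is an illustration of why a short dashboard lookback can show fewer clients than are registered, not a statement of how the Forwarder Management dashboard is implemented.

```python
"""Offline triage of deployment-client phone-home activity.

Added example, not code from the thread: it re-implements, in Python over a few
constructed splunkd lines, the question lguinn2's second search asks ("is the
client phoning home?") and the one esix_splunk asks ("what is your phone-home
interval?"). Host names, timestamps, message texts and the conf snippet below
are made up; only the line layout and the conf keys are Splunk's.
"""
import configparser
import re
from datetime import datetime, timedelta, timezone

# splunkd.log layout: "<MM-DD-YYYY HH:MM:SS.mmm> <tz> <LEVEL> <component> - <message>"
_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<message>.*)$"
)

# Constructed sample events: (host field as indexed from the forwarder, _raw line).
SAMPLE_EVENTS = [
    ("fwd-01", "03-10-2024 10:58:00.000 +0000 INFO  DC:PhonehomeThread - phonehome to DS ok"),
    ("fwd-02", "03-10-2024 10:57:30.000 +0000 INFO  DC:PhonehomeThread - phonehome to DS ok"),
    ("fwd-01", "03-10-2024 10:30:00.000 +0000 INFO  DC:PhonehomeThread - phonehome to DS ok"),
    ("fwd-03", "03-10-2024 08:40:00.000 +0000 INFO  DC:PhonehomeThread - phonehome to DS ok"),
    ("fwd-04", "03-10-2024 10:59:10.000 +0000 WARN  DC:DeploymentClient - handshake to DS failed; err=not_connected"),
    ("fwd-01", "03-10-2024 10:58:05.000 +0000 INFO  DeployedApplication - Checked out app=my_app"),
]

# Constructed deploymentclient.conf; stanza and key names are the real ones, values are made up.
SAMPLE_CONF = """
[deployment-client]
phoneHomeIntervalInSecs = 900

[target-broker:deploymentServer]
targetUri = ds.example.internal:8089
"""

NOW = datetime(2024, 3, 10, 11, 0, tzinfo=timezone.utc)  # constructed reference time


def parse_splunkd_line(raw):
    """Return the fields Splunk extracts from a splunkd line, or None if the line does not match."""
    m = _LINE.match(raw)
    if m is None:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['tz']}", "%m-%d-%Y %H:%M:%S.%f %z")
    return {"_time": ts, "log_level": m["level"], "component": m["component"], "message": m["message"]}


def parse_events(pairs):
    """Attach the host field to each parsed line, skipping lines that do not parse."""
    events = []
    for host, raw in pairs:
        ev = parse_splunkd_line(raw)
        if ev is not None:
            ev["host"] = host
            events.append(ev)
    return events


def is_phonehome(ev):
    """Same selection as the search above:
    (*phonehome* component=DC*) OR component=DC:HandshakeReplyHandler OR component=ClientSessionsManager."""
    text = f"{ev['component']} {ev['message']}".lower()
    return (ev["component"].startswith("DC:") and "phonehome" in text) \
        or ev["component"] in ("DC:HandshakeReplyHandler", "ClientSessionsManager")


def last_phonehome_by_host(events):
    """Most recent phone-home event time per host."""
    last = {}
    for ev in events:
        if is_phonehome(ev) and (ev["host"] not in last or ev["_time"] > last[ev["host"]]):
            last[ev["host"]] = ev["_time"]
    return last


def phonehome_interval(conf_text):
    """phoneHomeIntervalInSecs from [deployment-client]; Splunk's default is 60 when it is unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getint("deployment-client", "phoneHomeIntervalInSecs", fallback=60)


def report(pairs, conf_text, now, window):
    """Which hosts phoned home inside `window`, which did so earlier, which never did, and which
    logged WARN/ERROR. A `window` shorter than the phone-home interval reproduces the
    'only half the clients show up' symptom: healthy but slow-polling clients land in 'stale'."""
    events = parse_events(pairs)
    last = last_phonehome_by_host(events)
    registered = sorted({h for h, _ in pairs})
    interval = timedelta(seconds=phonehome_interval(conf_text))
    return {
        "registered": registered,
        "visible": sorted(h for h, t in last.items() if now - t <= window),
        "stale": sorted(h for h, t in last.items() if now - t > window),
        "silent": sorted(set(registered) - set(last)),
        "problems": [(e["host"], e["component"], e["message"])
                     for e in events if e["log_level"] in ("WARN", "ERROR")],
        "window_covers_interval": window >= interval,
    }


if __name__ == "__main__":
    for minutes in (5, 180):
        print(f"window={minutes}m", report(SAMPLE_EVENTS, SAMPLE_CONF, NOW, timedelta(minutes=minutes)))
```

Run as-is it prints two reports: with a 5-minute window only fwd-01 and fwd-02 are "visible", fwd-03 (last phone home over two hours ago) is "stale", fwd-04 never phoned home and shows up under "problems" with its WARN handshake line, and the window is flagged as shorter than the 900-second interval in the sample conf; with a 180-minute window fwd-03 moves back into "visible". The "silent" list is the one to cross-check against the firewall question above, since a client that registered but never logs a phone-home event on the DS is the pattern a blocked or half-open connection produces.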