Deployment Architecture

After all clients are registered to a deployment server, why are only half of the number of clients detected in forwarder management?

ronisetiadi
Engager

I want to configure a dedicated deployment server for 50 clients. My deployment server specification is Oracle Linux, 12GB RAM, 8 CPU cores.
But after all clients are registered to the deployment server, only 25 clients are detected in Forwarder Management. I tried to reload using the splunk reload deploy-server command; for a while 50 clients are detected, and after that it's back to 25 clients.

0 Karma

lguinn2
Legend

The forwarder management dashboard does not look very far back in time. So if your deployment clients are phoning home infrequently, they may not show up in the dashboard. I don't think that you can adjust that dashboard, but you could also look at the Distributed Management Console to see if the clients are sending data, etc.

And here are some searches that you can customize for yourself. I would run the searches for at least the last hour, perhaps longer.

Are apps being downloaded? Also shows when Splunk was restarted:

index=_internal sourcetype=splunkd (component=DeployedApplication OR component=PackageDownloadRestHandler OR 
   (component=loader start OR restart)) | table _time log_level host app message component | reverse

Is the deployment client phoning home?

index=_internal (*phonehome* component=DC*) OR component=DC:HandshakeReplyHandler OR component=ClientSessionsManager 
| reverse | table _time host log_level message component

A couple of more general searches that you can use as a starting point:

index=_internal component=metrics group=deploy* sourcetype=splunkd

index=_internal sourcetype=splunkd component=ClientSessionsManager OR component=DC:DeploymentClient OR    
  component=DSManager OR component=DS_DC_Common OR component=DeploymentServer

Now that you have these searches, you could customize them to help you answer specific diagnostic questions like "When was the last time that a particular client downloaded anything?" or "When was the last time that this app was downloaded by any client?"
Also remember that the log_level field will distinguish between errors, warnings and other message types.

HTH

0 Karma
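
One customization of the phone-home search above that answers "when did each client last phone home?", shown as an added example that is not part of lguinn2's answer. It assumes the clients forward their own _internal logs, that the DC* events are written by the clients so that host identifies the client, and a 24-hour window; last_seen, events and minutes_since are names chosen here.

```spl
index=_internal sourcetype=splunkd earliest=-24h
    ((*phonehome* component=DC*) OR component=DC:HandshakeReplyHandler)
| stats latest(_time) AS last_seen count AS events BY host
| eval minutes_since = round((now() - last_seen) / 60, 1)
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - minutes_since
| table host last_seen minutes_since events
```

Clients that do not appear in the result logged no matching events in the window; the rows at the top are the clients that have been quiet the longest.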

esix_splunk
Splunk Employee

What is your phone home interval, and are you sure that your hosts are able to connect fully? Sometimes a stateful firewall might be blocking the connection.

0 Karma