The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Scale easily with deployment servers and config files

To support larger environments, where data originates on many machines and where many users need to search the data, you can scale your deployment by installing Splunk across different machines. When you do this, you configure the Splunk instances so that each one performs a specialized task. For example, one or more instances might index the data, while another manages searches across the data. This is known as a distributed deployment.

Splunk provides a deployment server and configuration files to help you manage a distributed deployment and keep the configurations coordinated.

How a deployment server and config files help you scale efficiently

A deployment server gives you a single interface to manage configuration files, apps, and content updates to most Splunk Enterprise components: forwarders, non-clustered indexers, and search heads in a Splunk distributed deployment.

Things to know

A deployment server is a smart solution to manage a Splunk distributed deployment. Unfortunately, you cannot use a deployment server to manage clustered indexers or search head clusters, or upgrade installations of Splunk. But fear not, we'll come back to these topics in a future email.

When you plan a deployment that includes a deployment server, you will configure deployment clients, create deployment apps, and create server classes on the deployment server. Here are the terms you need to know:

• Deployment: A set of distributed Splunk instances, working together.
• Deployment server: A Splunk instance that acts as a centralized configuration manager, grouping together and collectively managing any number of Splunk instances.
• Deployment client: A Splunk instance that is remotely configured by a deployment server.
• Server class: A group of deployment clients that facilitate the management of a set of deployment clients as a single unit.
• Deployment app: A unit of content deployed by the deployment server to a group of deployment clients. Deployment apps can be fully developed apps, such as those available in Splunkbase, or they can be a simple group of configurations.
• Distributed search: A deployment topology that portions search management and search fulfillment/indexing activities across multiple Splunk instances.

Things to do

• Plan your deployment. Plan a deployment to make sure that the OS and Splunk software versions on your deployment server and client are compatible. Also make sure the deployment server is on a dedicated Splunk Enterprise instance that is not serving as an indexer or a search head.
• Manage the deployment server. Manage the deployment server to provision deployment server resources and estimate how long it will take to download your apps to a set of clients.
• Set up a client. Configure deployment clients to receive data from the deployment server. Use the forwarder management interface to manage the update process across all Splunk instances.
• Deploy an app to your clients.nCreate a server class to map a group of deployment clients to one or more deployment apps to update the distribute configuration.