Can a deployment server be clustered somehow?

robertlabrie · ‎06-15-2015

Hi,

Splunk 6.2 on Windows.

Can/should a deployment server be clustered somehow? I can't find any docs on this. I imagine shared data on NFS and servers behind a load balancer.

woodcock · ‎07-18-2015

Watch this video and pay special attention to "Hierarchical Deployments":

https://www.youtube.com/watch?v=3i3Sz3aPrts

woodcock · ‎06-15-2015

You could have a "main" DS that deploys only to subordinate DS nodes and have a cron job on each subordinate DS that runs every few minutes and synchronizes everything in $SPLUNK_HOME/etc/apps to $SPLUNK_HOME/etc/deployment-apps and then hand-manage (or use load-balancer/VIP) to have your forwarders spread out across each of your subordinate DS instances.

robertlabrie · ‎06-16-2015

So if I do that, forwarder management is going to be hit or miss right? Effectively every subordinate DS is a standalone? The "main" DS has the server classes, but I won't see what clients are connected? I'm guessing the information about clients doesn't live in /etc?

woodcock · ‎06-20-2015

You should be able to get the client connection information from _internal on your Search Head.

The documentation talks about how DS performance can break down with relatively few clients/connections here:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Updating/Calculatedeploymentserverperformance

Unfortunately it really doesn't tell how to mitigate other than to change PhoneHome settings.

Can a deployment server be clustered somehow?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?