Deployment Architecture

Can a forwarder be client of two deployment servers?

tcmarquesi
Explorer

I would like to configure one of my forwarders to be part of two deployment pools. In the deploymentclient.conf's doc page¹ I saw there is a clause targetUri2 = <uri>, where URI follows the format <scheme>://<deploymentServer>:<mgmtPort>.

So, is this targetUri2 clause for what I want to do? In positive case, what is the "scheme" entry? What is the proper sintax for use this?

Thanks in advance.

[1] https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Deploymentclientconf

0 Karma
1 Solution

lycollicott
Motivator

First, why do you want to do this?

Second, I don't think that will work and I'm not sure why it is in the documentation - if it will work then it needs some more thorough documentation.

I tried it on 6.3.4 & 6.4.2 Universal Forwarders and they both threw this error:

Invalid key in stanza [target-broker:deploymentServer] in C:\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf, line 5: targetUri2  (value:  ds.domain.com:8089).

View solution in original post

lukejadamec
Super Champion

You can have multiple deployment servers, but this is for large environments for speed and redundancy. It is not intended for different deployment configurations.

From your comment, it might make sense to have a special config for the test system that needs to also send data to the production environment, and control that from the test deployment server.

0 Karma

lycollicott
Motivator

First, why do you want to do this?

Second, I don't think that will work and I'm not sure why it is in the documentation - if it will work then it needs some more thorough documentation.

I tried it on 6.3.4 & 6.4.2 Universal Forwarders and they both threw this error:

Invalid key in stanza [target-broker:deploymentServer] in C:\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf, line 5: targetUri2  (value:  ds.domain.com:8089).

tcmarquesi
Explorer

Thank you very much @lycollicott!

I'm on an uncommon environment, maybe even trying an undue architecture. I have two parallel systems for production and test purposes, and one particular host from the test environment have to send data for the production indexes exceptionally...

lycollicott
Motivator

Oh, so if I understand your comment correctly then you don't really need two deployment servers....you need to send some data from test to prod sometimes. Is that correct?

0 Karma

lukejadamec
Super Champion

Yes. The deployment server will send what ever configuration you want to run on the forwarder. It sounds like you need to isolate that system, because it has a unique configuration.
You can also use one deployment server to manage both production and test systems if you can separate them such that one config goes to the test systems and another goes to the production systems.

From a deployment server perspective, this is actually quite basic. In an environment with a hundred or so servers you'll probably have a dozen or more groups each with its own config, and each group is managed from one central location - the deployment server.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...