Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Chronology of Splunk Deployment

sarwshai
Communicator
‎01-17-2020 01:06 AM

I need to build Splunk Distributed Environment, how should i configure the different components. I have License/Cluster Master, Indexers, search head and Deployment Server.

I am thinking of below chronology,

1. License/Cluster Master/Deployment Server
2. Indexers
3. search head
4. Heavy Forwarder

Is it right enough, or is there a better way? Also what precautions/prequisite should i keep in mind while deploying all these?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2020 01:19 AM

Hi @sarwshai,
The order you defined it's correct, I'd change only Deployment Server:

  • it's correct to start from Master Node/License Master;
  • Search Peer should be configured immediately after MN (or in the same time);
  • Then Search Heads;
  • You can start with Deployment Server when you'll start with the periferals systems (Heavy and Universal Forwarders);
  • At this point you can start with the Heavy Forwarders;
  • ath the end you should start with Universal Forwarders.

Only some little hints:

  • forward the logs of all systems to the indexers,
  • configure a system as Monitoring Console and configure it: it should be better to use a dedicated server or, if you haven't an heavy load on the Master Node, you could use it, but not DS, Indexers and SHs.

Ciao.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2020 01:19 AM

Hi @sarwshai,
The order you defined it's correct, I'd change only Deployment Server:

  • it's correct to start from Master Node/License Master;
  • Search Peer should be configured immediately after MN (or in the same time);
  • Then Search Heads;
  • You can start with Deployment Server when you'll start with the periferals systems (Heavy and Universal Forwarders);
  • At this point you can start with the Heavy Forwarders;
  • ath the end you should start with Universal Forwarders.

Only some little hints:

  • forward the logs of all systems to the indexers,
  • configure a system as Monitoring Console and configure it: it should be better to use a dedicated server or, if you haven't an heavy load on the Master Node, you could use it, but not DS, Indexers and SHs.

Ciao.
Giuseppe

Reply
Solved! Jump to solution

sarwshai
Communicator
‎01-17-2020 01:26 AM

Thanks for the suggestion, one point to clarify. I am planning to configure DS on License/Cluster master itself due to hardware restrictions, will it work smoothly (because planning to keep all managment roles under one server)

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2020 02:37 AM

Hi @sarwshai,
No: Deployment Server must be on a dedicated server when it manages more than 50 clients and anyway never can be shared with the Master Node.
You can find more infos at https://docs.splunk.com/Documentation/Splunk/8.0.1/Updating/Planadeployment#Deployment_server_and_ot... .

When you'll use a Search Head Cluster, you'll be able to configure Deployer on Master Node, but Deployment Server is an Heavy roale and cannot use shared hardware (when more than 50 clients to manage).

Ciao.
Giuseppe

Reply
Solved! Jump to solution

sarwshai
Communicator
‎01-17-2020 03:16 AM

Thanks @gcusello for the info.

0 Karma
Reply
Solved! Jump to solution

sarwshai
Communicator
‎01-17-2020 03:34 AM

@gcusello , still have one doubt, can i configure DS on Heavy Forwarder instead of License/Cluster master

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2020 04:07 AM

I don't like it! but if you cannot use a dedicated server (better!).
Ciao.
Giuseppe

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...