Deployment Server: Automated Reload/Push


Hi All,

I have had a look through some Q&A on here, but haven't really seen much in the way of automation with regards to the Deployment Server... I hope I have not missed something blindingly obvious/stupid.

I have a use-case where regular changes happen within the deployment that need to be distributed to forwarders, mainly lists of hosts which need to be passed to a collection script. The user maintains this list from Splunkweb, with the help of a python script. In this script I have included a subprocess to call the "./splunk reload deploy-server" command, which is fine.

I was, however, wondering about having a script running in the background which does a periodic reload of the deployment server to confirm that all of the deployment is up-to-date, perhaps running every 5 minutes (perhaps).

Has anyone done anything similar to this?
Are there any pitfalls to watch out for?
Any reason why I shouldn't do this?

Thanks in advance,



I think pitfalls depend on the scope of your overall deployment, how you handle change management, and how many people update content to be pushed via the deployment server. For example, in my environment, via 1 DS I manage all ~950 forwarders + my indexers + search heads. The indexers and SHs, via the serverclass.conf, aren't configured to automatically reboot when new data is pushed, though I can adjust that depending on the time of day, as I don't want to kick folks off the system during the normal production hours. At any rate, easy enough to mitigate, though something to keep in mind.

The other side of this would be how timely it is to make sure new data is coming into the system relative to changes (will data be lost after X minutes/hours?) and how often do your forwarders check in? It seems as though you've baked in a process to reload the DS when there is a user-initiated update, which should cover most updates(?). Every 5 minutes seems a bit excessive to me /shrug. I'd lean toward once a day maybe.

0 Karma


I know fschange is being deprecated, but Splunk still uses it for monitoring its internal files. Why not add your deployment folder to fschange? Using a scheduled search for any changes to that folder, on your specified interval, kick off your macro to run reload deploy-server. Just an idea.

0 Karma
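The two suggestions in the replies (reload less often, and reload only when the deployment folder changes) can be combined in one scheduled script. The following is an added example, not code from the thread or from Splunk: it hashes the deployment folder and runs the reload command from the question only when the hash differs from the last recorded one. The `/opt/splunk` default, the `etc/deployment-apps` location, the state-file path and an already-authenticated CLI session are assumptions.

```python
#!/usr/bin/env python3
"""Reload the deployment server only when the deployment folder changed."""
import hashlib
import os
import subprocess

# Assumed defaults; adjust to the installation.
SPLUNK_HOME = os.environ.get("SPLUNK_HOME", "/opt/splunk")
APPS_DIR = os.path.join(SPLUNK_HOME, "etc", "deployment-apps")
STATE_FILE = os.path.join(SPLUNK_HOME, "var", "run", "ds_reload.sha256")  # hypothetical path


def tree_digest(root):
    """SHA-256 over relative paths and file contents, walked in sorted order."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the tree
            h.update(os.path.relpath(path, root).encode() + b"\0")
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            h.update(b"\0")
    return h.hexdigest()


def reload_if_changed(root=APPS_DIR, state_file=STATE_FILE, runner=subprocess.run):
    """Return True if a reload was issued, False if nothing changed."""
    current = tree_digest(root)
    try:
        with open(state_file) as fh:
            previous = fh.read().strip()
    except FileNotFoundError:
        previous = None  # first run: treat as changed
    if current == previous:
        return False
    # Argument list, no shell: user-maintained host lists never reach a shell.
    runner([os.path.join(SPLUNK_HOME, "bin", "splunk"), "reload", "deploy-server"],
           check=True)
    with open(state_file, "w") as fh:  # recorded only after a successful reload
        fh.write(current)
    return True


if __name__ == "__main__":
    print("reloaded" if reload_if_changed() else "unchanged")
```

Run it from cron or another scheduler at whatever interval suits the change process; a failed reload leaves the state file untouched, so the next run retries.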