Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Deployment Server: Best practices for scaling

coltwanger
Contributor
‎01-31-2017 11:59 AM

We've currently got just one DS in our environment handling about 1100 forwarders. Performance has been pretty stable at this level, but I'm wondering what the cap is. We may be tasked with adding another 5000-6000 more UFs to capture logs from our workstations (thanks, Splunk, for removing Win7 support in 6.5+ by the way /s). I'm wondering how other admins balance their clients vs multiple (if necessary) deployment servers.

I'm wondering if it may be more feasible to configure Windows Event Collector and stand up a couple 2012 boxes, then collect using the UF/HF from there for this new set of clients.

Reply

hrawat
Splunk Employee
Splunk Employee
‎08-06-2021 09:46 PM

Try out following answer.

https://community.splunk.com/t5/All-Apps-and-Add-ons/Deployment-Server-scalability-best-practices/m-...

0 Karma
Reply

koshyk
Super Champion
‎02-22-2017 01:41 PM

We have tested with 5000 clients and with 30mins polling interval. Works smooth.
The only problem is the time taken to deploy the code config into all the configs (which may be Ok in most of the customers), but you need to think into it. A good link is this. So for 5000 clients, for a 50MB apps it takes 50mins to apply the code.
Also when you extend try to make the serverclass.conf may become unmanageable. WE do script it with csv files rather than putting wildcards to prevent conflicts

Reply

mirkoneverstops
Path Finder
‎02-01-2017 06:04 AM

In case you use intermediate Heavy Forwarders you can leverage on them also as intermediate Deployment Servers.
See picture below as an high level overview:

alt text
If you need additional details let me know.

Preview file
33 KB
Reply

ics_ernst
Engager
‎01-30-2018 04:44 AM

Can you please explain a bit how to use an intermediate deployment server.

  • Which directories on the heavy forwarder are used? (only $SPLUNK_HOME/etc/apps for both, receiving and pushing apps?)
  • Usage of repositoryLocation and/or targetRepositoryLocation setting (only repositoryLocation = $SPLUNK_HOME/etc/apps?)
  • Can targetRepositoryLocation be used on serverClass level? According to documentation, this is not possible. But needed, if connecting heavy and universal forwarders to the central deployment server (so, only repositoryLocation can be used in this case?)
  • stateOnClient is used to enable the app contents only on the target universal forwarder?
  • The serverclass.conf for the heavy forwarder is deployed by a seperate app?
0 Karma
Reply

coltwanger
Contributor
‎02-01-2017 09:14 AM

This is a good point, and this is how we forward logs out of the DMZ, but I hadn't considered using them as Deployment Servers in our internal network (duh). Thanks for the additional info!

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎02-01-2017 11:22 AM

Off-topic side note: If you do use intermediary forwarders, make sure you have at least 2x forwarders than indexers to prevent potential issues with even event distribution across your indexers. Often, intermediary forwarding tiers introduce such issues, if not properly architected.
You can employ parallel pipelines on your forwarder to make them behave like multiple instances.

0 Karma
Reply

coltwanger
Contributor
‎02-01-2017 11:27 AM

Would you still experience the uneven distribution of events even with forceTimebasedAutoLB enabled in outputs.conf on the intermediate forwarder?

We're rolling 6 indexers and have one IF in the DMZ for ACL reasons, and one internally as a syslog relay (with rsyslog). It doesn't appear to be an issue at this point (ingesting 250GB-300GB/day) but that doesn't necessarily mean it won't cause us issues as we expand.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎01-31-2017 02:57 PM

Hello coltwanger,
we have tested DS performance on a 2 CPU box with 10000 deployment clients (10 Apps, 10 server classes). You should be fine, but a lot depends on how many apps and serverclasses you have and what your expectations are with respect to deployment times.
Many larger customers also tune their phoneHomeInterval to a larger number to help with Deployment server load.

We don't generally recommend going the WEC server route, because it requires custom processing to preserve the source hostname and causes some of our TAs for Windows-related apps to not work properly. I would stay away from that if you can.

HTH!

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...