Deployment Architecture

Deployment Server and how to configuring clients to send to Index

jacksonrolfe1
Engager

Hi All,

I am having trouble understanding/implementing the concept of deployments servers and how the deployment clients send data to the indexes.

On the Deployment Server Web when you go into add data you select clients/create server class etc. This gets saved in the deployment apps folder with all the .conf files. Then then reload deploy server. I understand that much.

What I don't understand and My question is when we are in the Deployment Server Web setting up a new data input. After we select our clients and server classes, we also can choose the index.

This confuses me because The deployment server doesn't store index's right?

Do we pre configure the indexes on the indexer before we set up a deployment server or when we select the 'create new index' from the Deployment Server Web. when we push this out to our deployment clients, will this create the newly created index, on the indexer?

hope this makes sense.

thank you all

0 Karma

BlueSocket
Communicator

You ALWAYS configure the Indexes on the indexer(s) before doing anything with the Deployment Server to set up inputs from the forwarders/clients. If you do not do this, you will start getting errors on the Indexers about events being sent to it that are set for an unknown index. So... before you configure the DS to tell the forwarders to send to the new index, make sure that you have configured the new index on the indexers, so that it/they are ready to receive from the endpoints.

You CAN SAY that you WANT to set up an index from the Deployment Server, BUT you are only telling the endpont forwarder to create the input and send it to the nominated NEW index on the indexers. If you create the new index on the DS, It WILL create the index on the DS, but this would be redundant, as the DS will not receive the data, as you are forwarding to the indexer(s).

Why should we be able to get the DS to create an index on itself? Well, this is valid functionality in the case where there is just one Splunk server, fulfilling all of the roles, as it is an Indexer in that case.

jacksonrolfe1
Engager

Thank you very much BlueSocket! I was confusing myself and you helped clear things up perfectly. Deployment sever is now working and clients are now sending data the newly created indexes!

0 Karma

woodcock
Esteemed Legend

You can do whatever you like from the Search Head GUI of the Deployment Server but NONE of it will be deployable because everything done in the GUi will be saved into $SPLUNK_HOME/etc/apps/. Apps are deployable when they are put into $SPLUNK_HOME/etc/deployment-apps/ and this move can only be done from the CLI (or perhaps from the REST API).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...