Deployment Architecture

Deployment Server vs. Deployer

shandman
Path Finder

I am having a hard time trying to understand the difference between the two. I wonder if Splunk can make future name changes to make this more clear.

i.e.
Caution: You must use the deployer, not the deployment server, to distribute apps to cluster members. Use of the deployer eliminates the possibility of conflict with the run-time updates that the cluster replicates automatically by means of the mechanism described in "Configuration updates that the cluster replicates."
= This is a snippet from http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/PropagateSHCconfigurationchanges

What I am trying to do.
1. Deploy LDAP to Search Head Cluster (going from an old architecture which used just a standalone Splunk server; a single authentication.conf works with LDAP).
2. From what I'm reading, I need to create an application, and use my Cluster Master (which is secretly also called the deployer / correct me if I'm wrong) to push the app by placing it in:
$SPLUNK_HOME/etc/shcluster/apps/
/
/
3. I cannot find, anywhere, steps on how to create an app by using the Cluster Master / Deployer. I CAN find instructions on how to create apps using the deployment server... which is different from the Cluster Master / Deployer.

Can Splunk make this any more unclear?

acharlieh
Influencer
  • A deployer is used to deploy apps to a search head cluster.
  • A cluster master is used to deploy apps and manage replication within an indexer cluster (single or multi-site).
  • A deployment server is used to deploy apps to forwarders (and technically could be used to deploy apps to other Splunk servers as well, but with a number of caveats).

A Splunk instance can play any set of these roles (and a few others) simultaneously, but they are distinctly different things, and could be deployed on separate Splunk instances.

"Can Splunk make this any more unclear?"
- Be careful what you wish for since it might come true. 🙂

shandman
Path Finder

Thank you for the response, acharlieh.

The server I am using as my Cluster Master is cmgr1.splunk.hq1.xxx.com (cmgr stands for cluster master).

In my directory structure I have:
/opt/splunk/etc
/master-apps - this is for my index cluster
/shcluster - this is for my search head cluster ... no?

So is my server cmgr1.splunk.hq1.xxx.com, serving as both a deployer, and cluster master?
Is this normal? I just followed the standard setup for my new Splunk architecture.

My architecture is:
Search Head Cluster = fe1.splunk.hq1.xxx.com, fe2.splunk.hq1.xxx.com, fe3.splunk.hq1.xxx.com
Index Cluster = idx1.splunk.hq1.xxx.com, idx2.splunk.hq1.xxx.com, idx3.splunk.hq1.xxx.com, idx4.splunk.hq1.xxx.com, idx5.splunk.hq1.xxx.com
Cluster Master = cmgr1.splunk.hq1.xxx.com
License Master = lmgr1.splunk.hq1.xxx.com
Deployment Server = dply1.splunk.hq1.xxx.com

0 Karma

shandman
Path Finder

As a follow-up, I just want to know how to deploy an app to my search head cluster. Is it just a matter of creating a directory with the authentication.conf file in the /opt/splunk/etc/shcluster directory and then running the splunk apply shcluster-bundle command?

0 Karma
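
The staging-and-push procedure asked about in this thread, sketched as an added example (not code from any poster or from Splunk). The app name `org_all_ldap_auth`, the `local` subdirectory, the management port 8089 and the helper function names are assumptions; the staging path and the `apply shcluster-bundle` command are the ones named in the posts.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): stage an app on the deployer.
# Assumed names: app "org_all_ldap_auth", subdirectory "local".

# Usage: stage_shc_app <splunk_home> <app_name> <conf_file>
# Copies one .conf file into the deployer staging area and prints the app dir.
stage_shc_app() {
    local splunk_home=$1 app=$2 conf=$3
    local app_dir="$splunk_home/etc/shcluster/apps/$app"
    local dest

    # Reject names that are empty, hidden, or could leave the staging directory.
    case "$app" in
        ''|.*|*/*) echo "invalid app name: '$app'" >&2; return 1 ;;
    esac
    [ -f "$conf" ] || { echo "missing conf file: $conf" >&2; return 1; }

    dest="$app_dir/local/$(basename "$conf")"
    mkdir -p "$app_dir/local" || return 1
    cp "$conf" "$dest" || return 1
    # An LDAP authentication.conf can hold bindDNpassword: owner-only access.
    chmod 600 "$dest" || return 1
    printf '%s\n' "$app_dir"
}

# Usage: push_command <splunk_home> <member_mgmt_uri>
# Prints the push command for review instead of running it. -auth is left off
# so the CLI prompts and no password lands in shell history.
push_command() {
    printf '%s/bin/splunk apply shcluster-bundle -target %s\n' "$1" "$2"
}

# Demo in a throwaway directory with a constructed authentication.conf.
demo_home=$(mktemp -d)
printf '[authentication]\nauthType = LDAP\nauthSettings = corp_ldap\n' \
    > "$demo_home/authentication.conf"
stage_shc_app "$demo_home" org_all_ldap_auth "$demo_home/authentication.conf"
push_command /opt/splunk "https://fe1.splunk.hq1.xxx.com:8089"
rm -rf "$demo_home"
```

Staging under `etc/shcluster/apps` rather than `etc/master-apps` is what keeps the search head cluster bundle separate from the indexer cluster bundle when one host carries both roles.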