When planning my Splunk deployment I didn't allow for a separate deployment server. My 2 indexers are quite brawny (16 CPU, 64 GB) beasts that are not being taxed in any way, so one of the indexers could likely support a deployment server in addition to its normal load.
Are there any advantages to making a fresh install of Splunk on the same box, listening on different ports obv, compared to just activating one of the Index installs as a deployment server? There will be a few hundred SUF installs talking to the DS. One of my concerns is restarts required by changes to the DS. (Not having run a DS for any real install, I'm not clear how often a restart is required.)
Thanks,
jon
Generally speaking, I think that if you're going to have a couple hundred clients talking to the deployment server, it is certainly better to break this functionality out into another splunkd. In your circumstances, there is no question that a separate instance of Splunk for this vs turning one of your Indexers into a deployment server is the way to go. The problem is that if you use a single instance, you risk saturating the communication ports that deployment server is using, and that is going to negatively affect your ability to search.
On the other side of the coin, I would also expect that having 2 separate instances is going to increase your CPU and Memory utilization, as you'll have 2 sets of processes running. But given the resources available, I wouldn't think this is going to be a problem for you.
As an aside, when you start to poll large numbers of clients, you might want to consider increasing the pollFrequency. This can alleviate some of the load that would be caused by constantly checking for updates.
Hope this helps!
I often do this when installing enterprise-grade Splunk installations, if the server is brawny like yours.
Also you mentioned restarts - you should never have to restart a machine when working with Splunk - only restarting Splunk. Or in the case of Deployment Server, running ./splunk reload deploy-server to reload the Deployment Server's configuration.