Deployment Architecture

Deployment server: 2nd install of Splunk on an indexer?

twinspop
Influencer

When planning my Splunk deployment I didn't allow for a separate deployment server. My 2 indexers are quite brawny (16 CPU, 64 GB) beasts that are not being taxed in any way, so one of the indexers could likely support a deployment server in addition to it's normal load.

Are there any advantages to making a fresh install of Splunk on the same box, listening on different ports obv, compared to just activating one of the Index installs as a deployment server? There will be a few hundred SUF installs talking to the DS. One of my concerns is restarts required by changes to the DS. (Not having run a DS for any real install, I'm not clear how often a restart is required.)

Thanks,

jon

Tags (1)
1 Solution

jbsplunk
Splunk Employee
Splunk Employee

Generally speaking, I think that if your going to have a couple hundred clients talking to the deployment server, it is certainly better to break this functionality out into another splunkd. In your circumstances, there is no question that a separate instance of Splunk for this vs turning one of your Indexers into a deployment server is the way to go. The problem is that if you use a single instance, you risk saturating the communication ports that deployment server is using, and that is going to negatively effect your ability to search.

On the other side of the coin, I would also expect that having 2 separate instances is going to increase your CPU and Memory utilization, as you'll have 2 sets of processes running. But given the resources available, I wouldn't think this is going to be a problem for you.

As an aside, when you start to poll large numbers of clients, you might want to consider increasing the pollFrequency. This can allieviate some of the load that would be caused by constantly checking for updates.

Hope this helps!

View solution in original post

Jason
Motivator

I often do this when installing enterprise-grade Splunk installations, if the server is brawny like yours.

Also you mentioned restarts - you should never have to restart a machine when working with Splunk - only restarting Splunk. Or in the case of Deployment Server, running ./splunk reload deploy server to reload the Deployment Server's configuration.

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

Generally speaking, I think that if your going to have a couple hundred clients talking to the deployment server, it is certainly better to break this functionality out into another splunkd. In your circumstances, there is no question that a separate instance of Splunk for this vs turning one of your Indexers into a deployment server is the way to go. The problem is that if you use a single instance, you risk saturating the communication ports that deployment server is using, and that is going to negatively effect your ability to search.

On the other side of the coin, I would also expect that having 2 separate instances is going to increase your CPU and Memory utilization, as you'll have 2 sets of processes running. But given the resources available, I wouldn't think this is going to be a problem for you.

As an aside, when you start to poll large numbers of clients, you might want to consider increasing the pollFrequency. This can allieviate some of the load that would be caused by constantly checking for updates.

Hope this helps!

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...