Deployment Architecture

Deployment server: 2nd install of Splunk on an indexer?

twinspop
Influencer

When planning my Splunk deployment I didn't allow for a separate deployment server. My 2 indexers are quite brawny (16 CPU, 64 GB) beasts that are not being taxed in any way, so one of the indexers could likely support a deployment server in addition to it's normal load.

Are there any advantages to making a fresh install of Splunk on the same box, listening on different ports obv, compared to just activating one of the Index installs as a deployment server? There will be a few hundred SUF installs talking to the DS. One of my concerns is restarts required by changes to the DS. (Not having run a DS for any real install, I'm not clear how often a restart is required.)

Thanks,

jon

Tags (1)
1 Solution

jbsplunk
Splunk Employee
Splunk Employee

Generally speaking, I think that if your going to have a couple hundred clients talking to the deployment server, it is certainly better to break this functionality out into another splunkd. In your circumstances, there is no question that a separate instance of Splunk for this vs turning one of your Indexers into a deployment server is the way to go. The problem is that if you use a single instance, you risk saturating the communication ports that deployment server is using, and that is going to negatively effect your ability to search.

On the other side of the coin, I would also expect that having 2 separate instances is going to increase your CPU and Memory utilization, as you'll have 2 sets of processes running. But given the resources available, I wouldn't think this is going to be a problem for you.

As an aside, when you start to poll large numbers of clients, you might want to consider increasing the pollFrequency. This can allieviate some of the load that would be caused by constantly checking for updates.

Hope this helps!

View solution in original post

Jason
Motivator

I often do this when installing enterprise-grade Splunk installations, if the server is brawny like yours.

Also you mentioned restarts - you should never have to restart a machine when working with Splunk - only restarting Splunk. Or in the case of Deployment Server, running ./splunk reload deploy server to reload the Deployment Server's configuration.

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

Generally speaking, I think that if your going to have a couple hundred clients talking to the deployment server, it is certainly better to break this functionality out into another splunkd. In your circumstances, there is no question that a separate instance of Splunk for this vs turning one of your Indexers into a deployment server is the way to go. The problem is that if you use a single instance, you risk saturating the communication ports that deployment server is using, and that is going to negatively effect your ability to search.

On the other side of the coin, I would also expect that having 2 separate instances is going to increase your CPU and Memory utilization, as you'll have 2 sets of processes running. But given the resources available, I wouldn't think this is going to be a problem for you.

As an aside, when you start to poll large numbers of clients, you might want to consider increasing the pollFrequency. This can allieviate some of the load that would be caused by constantly checking for updates.

Hope this helps!

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...