In the "Architecting and Deploying Splunk" training course, there is the following comment on having a deployment server and a search head on the same physical box:
"[Deployment server] can be shared with another component (e.g. search head) if there is low load and capacity on the other box
– Make sure to run it as a separate Splunk instance"
But why do we have to run the deployment server as a separate Splunk instance?
Here is my line of logic:
Everything a deployment server cares about is under this directory:
Everything the search head cares about is under this directory:
( and possibly some additional apps under $HOME/splunk/etc/apps )
From a configuration point of view, these two areas don't interfere with each other. So, are there other reasons why they cannot coexist in one Splunk instance? What would happen if they do?
No idea. We run search and deployment on the same server as part of the same service, have done for 5 years, and have never had difficulties. My guess would be future-proofing in case there was a later need to segregate the two for capacity reasons.