Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Forcing a Deployment Server to Not Attempt to Resolve IP Address

jchensor
Communicator
‎11-21-2011 06:03 PM

Hello, everyone.

When it comes to Indexers, there is an option you can use in "inputs.conf" where you add the following line to your "splunktcp" stanza:

connection_host=ip

What this will do is that, when the Indexer receives an event from a Forwarder, it will not try to resolve the IP Address of the Forwarder into its DNS name. I've had several timeout issues and broken pipes caused by this attempt to resolve the DNS name. So adding the setting above fixes the problem.

However, I believe the same thing is happening on my Deployment Server. When forwarders connect to my Deployment Server to look for new settings, the Deployment Server locks up, particularly with public subnets, because I believe it is trying to resolve all of the IP Addresses.

So the question is: Is there an equivalent setting or does anyone know of a way that I can configure the Deployment Server to NOT try and resolve the IP Addresses of all of the Forwarders that contact it to look for new settings?

Any ability to do such a thing would be greatly appreciated. Thanks, everyone!

EDIT: I should also add that my Deployment Server is on a Unix-based platform, so even if there's some configuration I can do to the machine's network settings, I'd be happy with that.

  • James
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎11-21-2011 06:25 PM

I don't think there is such an option. Classifying hosts by name is one of the most crucial functions of Splunk Deployment Server. I wouldn't expect name resolution to wedge up a Deployment server - unless you're saying you have many clients connecting that don't have valid reverse DNS.

What I might suggest is running a local caching DNS server on your deployment server host. Then you'll at least get a quick answer that reverse DNS could not resolve. BIND can do this pretty easily, but for many practical purposes, dnsmasq is just as good.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...