Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Hardware requirements for deployment server in large deployment?

carmackd
Communicator
‎03-08-2011 06:08 PM

I'm currently reviewing the Splunk deployment server as a possibility to manage 4 search heads and 10 indexers, and conceivably thousands of forwarders in the future. Since the potential is there, I'm considering this a large deployment and plan on using a dedicated instance of Splunk to manage. What is the minimum hardware i should be considering for this size deployment? Could I get by with using a VM?

Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎04-07-2011 11:56 PM

Simple recommendations for deployment server :

If you can, Use a dedicated deployment server.
or if you really have no choice, on linux you can have a second instance of splunk.

License

  • on splunk 4.1.- you can use the forwarder license for the dedicated deployment server
  • on splunk 4.2 make it a license.slave

Server settings

Client Settings

View solution in original post

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎05-17-2011 05:04 PM

A single deployment server can have trouble to server more than 500 clients.
It's recommended to have several deployment servers (on different instances or different boxes).

Reply
Solved! Jump to solution

vbumgarner
Contributor
‎07-29-2011 12:17 PM

So what's the best solution for many forwarders? "Stacked" Deployment Servers? Or can you put a load balancer in front of several other deployment servers? Will the checksums match if clients hit different deployment servers each time?

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎04-07-2011 11:56 PM

Simple recommendations for deployment server :

If you can, Use a dedicated deployment server.
or if you really have no choice, on linux you can have a second instance of splunk.

License

  • on splunk 4.1.- you can use the forwarder license for the dedicated deployment server
  • on splunk 4.2 make it a license.slave

Server settings

Client Settings

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎06-20-2018 11:02 AM

since Splunk 5.* this was greatly improved
A single DS can now handle more than 1000+ to 10000 clients, and the phonehome interval strategy is better.
however this is still a single threaded process.

0 Karma
Reply
Solved! Jump to solution

wdhathaway
Explorer
‎03-08-2011 11:19 PM

I agree a VM should be fine. If you do end up having resource constraints, you can also tune how often the clients ping the deployment server for updates. By default it checks for updates every 30 seconds, but you could tune this to be 5/30/whatever mins for the forwarders, and have a much lower load on the deployment server. See the docs at: http://www.splunk.com/base/Documentation/latest/admin/ConfigureDeploymentClients, in particular the phoneHomeIntervalInSecs setting.

Reply
Solved! Jump to solution

LCM
Contributor
‎03-08-2011 07:57 PM

Yes, a VM is fine. It doesn't need lots of resources since files only get deployed and nothing else is being done on it. Maybe in future with thousands of indexers some HW should be considered, but I guess you gonna see how it'll perform than.

Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top