Deployment Architecture
Highlighted

Hardware requirements for deployment server in large deployment?

Communicator

I'm currently reviewing the Splunk deployment server as a possibility to manage 4 search heads and 10 indexers, and conceivably thousands of forwarders in the future. Since the potential is there, I'm considering this a large deployment and plan on using a dedicated instance of Splunk to manage. What is the minimum hardware i should be considering for this size deployment? Could I get by with using a VM?

Highlighted

Re: Hardware requirements for deployment server in large deployment?

Contributor

Yes, a VM is fine. It doesn't need lots of resources since files only get deployed and nothing else is being done on it. Maybe in future with thousands of indexers some HW should be considered, but I guess you gonna see how it'll perform than.

Highlighted

Re: Hardware requirements for deployment server in large deployment?

Explorer

I agree a VM should be fine. If you do end up having resource constraints, you can also tune how often the clients ping the deployment server for updates. By default it checks for updates every 30 seconds, but you could tune this to be 5/30/whatever mins for the forwarders, and have a much lower load on the deployment server. See the docs at: http://www.splunk.com/base/Documentation/latest/admin/ConfigureDeploymentClients, in particular the phoneHomeIntervalInSecs setting.

Highlighted

Re: Hardware requirements for deployment server in large deployment?

Splunk Employee
Splunk Employee

Simple recommendations for deployment server :

If you can, Use a dedicated deployment server.
or if you really have no choice, on linux you can have a second instance of splunk.

License

  • on splunk 4.1.- you can use the forwarder license for the dedicated deployment server
  • on splunk 4.2 make it a license.slave

Server settings

Client Settings

View solution in original post

Highlighted

Re: Hardware requirements for deployment server in large deployment?

Splunk Employee
Splunk Employee

since Splunk 5.* this was greatly improved
A single DS can now handle more than 1000+ to 10000 clients, and the phonehome interval strategy is better.
however this is still a single threaded process.

0 Karma
Highlighted

Re: Hardware requirements for deployment server in large deployment?

Splunk Employee
Splunk Employee

A single deployment server can have trouble to server more than 500 clients.
It's recommended to have several deployment servers (on different instances or different boxes).

Highlighted

Re: Hardware requirements for deployment server in large deployment?

Contributor

So what's the best solution for many forwarders? "Stacked" Deployment Servers? Or can you put a load balancer in front of several other deployment servers? Will the checksums match if clients hit different deployment servers each time?

0 Karma