I would like to set up a splunk deployment server, but I'm not sure where the file of configuration has to be stored: default or local?
I read the documentation about it, but I'm not sure that I have an understand how it is working.
All the configuration about my architecture can be stored in the deployment server folder? So all the index.conf, props.conf?
If my deployment server is separated by the indexer? So for example I have a big search head with the deployment server and 5 indexer separated, and this indexer are getting data from the forwarder, can I configure index and forwarder in the deployment server?
How can I do it?
Thank you so much!
You should create apps under
$SPLUNK_HOME/etc/deployment-apps/VariousAppsHere/default/ on the server that is to act as DS. These apps should include:
indexer (or similar) that has all of your indexer configuration files (
someapp (or similar) for each different kind of input/sourcetype (
deploymentclient (or similar) that contains
Interesting thing @woodcock - I don't see any
deploymentclient.conf on my deployment server but the
deploymentclient.conf does exist on the forwarders. Where does it come from?
You have to create your own
deploymentclient app that should include
deploymentclient.conf in the
default directory. The first time that you deploy a forwarder, you will have to put this app on your forwarder manually but after that, you can manage it from your DS.
I have the same understanding issue.
If I would like to make SH along with DS in the same instance what are the conf file need to create and where (default or local) and additionally which instance (like IDX and UF).
Similarly, if there is standalone DS instance.
The thing that makes any Splunk server a DS is the presence of a
serverclass.conf file, typically in
$SPLUNK_HOME/etc/system/local/serverclass.conf. So on a fresh install or an existing Search Head, just create that file and restart Splunk and it is now a DS.
See my answer.
Thanks for your responds with a crystal clear answer. As I am just a newcomer on this platform, it really help me to build the concept.
Similarly, on each IDX, UF and HF instance under $SPLUNK_HOME/etc/system/local/, do I need to create deploymentclient.conf. This will not be applicable for SH, although if I have separate DS instance.
If you are using DS, never put anything in
$SPLUNK_HOME/etc/system/local because then it cannot be controlled (overridden) from the DS. Instead create a
DeploymentClient app and then manually deploy this to your Deployment Clients the first time. This way you can hand individual clients (or classes of them) back and forth to different DS nodes (i.e. lab vs production) from each DS.
The only gotcha is that you should NOT deploy to clustered Indexers or clustered Search Heads.