- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How to deploy application in cluster environment?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have created an application which contains all configuration of Index, Data Input, Sourcetype, Lookup, Fields and view and Dashboards.
I want to put all visualization (Dashboards) on Search Head and all other configuration of Data Input, Index, Lookup and Fields on Indexer.
Please suggest if you have any idea bout how to do this in cluster environment.
Highly appreciate your help.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, I wouldn't put all config items into a single app. I would put into multiple apps
1. Inputs which is used for collections only. Need to send to ONLY forwarders
2. addon which contains all the brain (eg extractions, regex logic, transformations etc.). deploy to Search Head cluster, Heavy forwarders & Indexers
3. DA/TA which contains the dashboard and front-end stuff - deploy only to Search Heads
Then for distributed deployment
- You need deployer to deploy to Search Head cluster. Just copy the apps to $SPLUNK_HOME/etc/shcluster/apps/ in the deployer and do a bundle deploy
- You need a cluster master to deploy to Indexer cluster. Copy the required TA's/addons to $SPLUNK_HOME/etc/master-apps/ and do a bundle deploy to indexer slaves
- For forwarders/HF , you can use deployment-server $SPLUNK_HOME/etc/deployment-apps/
How to set them up is shown by various documentation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, I wouldn't put all config items into a single app. I would put into multiple apps
1. Inputs which is used for collections only. Need to send to ONLY forwarders
2. addon which contains all the brain (eg extractions, regex logic, transformations etc.). deploy to Search Head cluster, Heavy forwarders & Indexers
3. DA/TA which contains the dashboard and front-end stuff - deploy only to Search Heads
Then for distributed deployment
- You need deployer to deploy to Search Head cluster. Just copy the apps to $SPLUNK_HOME/etc/shcluster/apps/ in the deployer and do a bundle deploy
- You need a cluster master to deploy to Indexer cluster. Copy the required TA's/addons to $SPLUNK_HOME/etc/master-apps/ and do a bundle deploy to indexer slaves
- For forwarders/HF , you can use deployment-server $SPLUNK_HOME/etc/deployment-apps/
How to set them up is shown by various documentation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@koshyk . I think you meant deployer instead of - You need Deployer to deploy apps to Search Head cluster. Just copy the apps to $SPLUNK_HOME/etc/shcluster/apps/ in the deployer and do a bundle deploy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @guru865 . My mistake . I've amended accordingly. Upvoted for pointing out the mistake
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you should read the Distributed Deployment Manual - http://docs.splunk.com/Documentation/Splunk/6.5.3/Deploy/Distributedoverview
This will help you understand how to configurations are to be deployed in clustered and non-clustered environments.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
