
How to install multiple instances of Splunk 6.4 on a single Linux server?

brdr
Contributor

I need to install multiple instances of Splunk 6.4 on a single Linux server. For example, I would like to know how I can set up 4 indexers on a single instance. This is not for production, merely to test out clustering in DEV. Could you please point me to the documentation? Thank you.

0 Karma

AnilPujar
Path Finder

I configured this for Windows with the step-by-step setup guide, and it's working perfectly fine.

https://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine

0 Karma

brdr
Contributor

Thanks.. I was able to create a DEV environment with 2 servers in a cluster environment with indexer replication....

1 server has separate instances for:
- cluster master
- deployment server
- forwarder
- and 2 search heads

1 server has 2 separate indexer instances...

The .conf files that need to be changed to support multiple instances are:

web.conf
inputs.conf
outputs.conf
server.conf

All in the /etc/system/local directory. All the above instances are license slaves, with License Master sitting on another dedicated server.

0 Karma

jkat54
SplunkTrust

Thanks, if you feel you've provided the answer, please mark it as such.

I'd like you to know that the cluster master can also be the deployment server if you like...

0 Karma

jkat54
SplunkTrust

Seeing as how there isn't any documentation on this subject other than what you may have already found... Can you let us know how we could answer your question short of writing a document for you?

0 Karma

jwiedow
Communicator

Have you looked at the possibility of using Docker to achieve what you are looking for?

Using Docker you should be able to create a private network with multiple instances of Splunk Enterprise to create a mini Index Cluster.

MuS
SplunkTrust

I can double this.
Or, as another approach, create 4 small VMs on your PC/laptop, each having 1 vCPU and 256Mb RAM (which is completely out of range with regard to system specs!), and you can run your DEV / QATEST cluster this way.
I know this works perfectly, because I run a cluster like this on my MacBook 😉

cheers, MuS

0 Karma

jkat54
SplunkTrust

So if you have multiple indexers on the same box as part of the same cluster... How will they all bind to the same port?

With multiple network cards or IP addys it's possible I believe... or in virtual box it would be possible if you're using a virtual switch.

Otherwise you can't bind to same port on the same IP.

You can also run more than one Splunk instance on a box specifying different port numbers for each install but then you can't cluster them together.

Like 5089,6089,7089,8089
5000,6000,7000,8000 and so on. Just note that Splunk binds to an IP and Port and once bound, nothing else can open that port on that IP.

You can add hundreds, even thousands+, of IPs to one NIC in Windows and Linux.

grijhwani
Motivator

Splunk is not designed to run multiple instances. That doesn't mean you can't. But it is unnecessary hard work when there are so many ways to just virtualise.

0 Karma

ChrisG
Splunk Employee

Well, the documentation says that each node in an indexer cluster must be on a separate instance, and that each instance must run on a separate machine or virtual machine. See System requirements and other deployment considerations for indexer clusters in the Managing Indexers and Clusters of Indexers manual. So if you want to set up multiple VMs on your single server, you could do it that way.

0 Karma

brdr
Contributor

Thanks ChrisG. I took the Clustering class this week and the instructor had a single VM that hosted 4 indexers. And another VM hosted 4 search heads - both of these clustered.

/opt/idx1
/opt/idx2
/opt/idx3

For DEVELOPMENT purposes I want to set up something similar. I found a document in the Splunk Community wiki but it was written in 2013. I was wondering if perhaps there was a newer version.

0 Karma

ddrillic
Ultra Champion

You should be just fine with multiple instances on the same server for development and it makes perfect sense. You "just" need to administer the ports and the file system carefully. After all, the software needs a couple of ports open and certain areas in the file systems - nothing too complex.

Usually for this sort of thing you won't find an official document, which is unfortunate.

0 Karma
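Added example (not code from any poster or from Splunk) of the port bookkeeping discussed in this thread: it reads web.conf, server.conf and inputs.conf under each instance's etc/system/local and reports every port that more than one instance would try to bind. The settings it reads (httpport, mgmtHostPort, [kvstore] port, splunktcp:// and replication_port:// stanzas) and the stock defaults 8000/8089/8191 are assumptions about the Splunk version in use, and it assumes all instances bind the same IP address.

```python
import os, re, sys
from collections import defaultdict

# Assumed stock defaults used when an instance sets nothing locally.
DEFAULTS = {"web": 8000, "mgmt": 8089, "kvstore": 8191}
PORT_STANZA = re.compile(r"^(splunktcp|replication_port)://(?:.*:)?(\d+)$")

def parse_conf(path):
    """Return {stanza: {key: value}} for a Splunk .conf file (missing file -> empty)."""
    stanzas, current = defaultdict(dict), "default"
    if not os.path.isfile(path):
        return stanzas
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
                stanzas[current]  # register stanzas that carry no keys
            elif "=" in line:
                key, value = line.split("=", 1)
                stanzas[current][key.strip()] = value.strip()
    return stanzas

def listening_ports(splunk_home):
    """Map role (or port-bearing stanza name) -> port for one instance."""
    local = os.path.join(splunk_home, "etc", "system", "local")
    conf = lambda name: parse_conf(os.path.join(local, name))
    web, server = conf("web.conf").get("settings", {}), conf("server.conf")
    ports = {
        "web": int(web.get("httpport", DEFAULTS["web"])),
        # mgmtHostPort is host:port; keep only the port part
        "mgmt": int(web.get("mgmtHostPort", f":{DEFAULTS['mgmt']}").rsplit(":", 1)[-1]),
        "kvstore": int(server.get("kvstore", {}).get("port", DEFAULTS["kvstore"])),
    }
    for stanza in list(server) + list(conf("inputs.conf")):
        if (m := PORT_STANZA.match(stanza)):
            ports[stanza] = int(m.group(2))
    return ports

def find_collisions(homes):
    """Return {port: [(home, role), ...]} for ports claimed by more than one instance."""
    claims = defaultdict(list)
    for home in homes:
        for role, port in listening_ports(home).items():
            claims[port].append((home, role))
    return {p: c for p, c in claims.items() if len(c) > 1}

if __name__ == "__main__":  # e.g. python3 check_ports.py /opt/idx1 /opt/idx2 /opt/idx3
    print(find_collisions(sys.argv[1:]))
```

An instance with no local override is counted at the default port, so a freshly unpacked second instance shows up as colliding with the first.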