Deployment Architecture

How to set up new deployment server in a clustered environment?

vj_hawk21
Explorer

Team,

We have a search head cluster and indexer cluster in our current Splunk environment. We don't have a deployment server and we decided to set up a new one.

What are all the pre-requests that should be considered, since our current environment is on a clustering model?

Thanks.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

@vj_hawk21,

No settings on Indexers, follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Aboutdeploymentserver

in few words:

  • Install a Splunk server that forwarders its logs to indexers,
  • create the TA_Forwarders containing outputs.conf and deploymentclient.conf;
  • install Universal Forwarder on one or more target servers;
  • copy the TA_Forwarders on the target servers at $SPLUNK_HOME/etc/apps;
  • restart Splunk on the target server.

at this point you should see the new clients on the DS.

now, on DS:

  • copy the TA_Forwarders and all the apps to deploy on it at $SPLUNK_HOME/etc/deployment-apps;
  • on web gui create a ServerClass associating the target servers with the apps to deploy;
  • TA_Forwarders, must be in all ServerClasses you create, or you can create a dedicated ServerClass containing all the target servers;
  • remember to flag restart afte updated in all the apps.

Now you should have your Deployment Server Up and running.

For your knoledge, a TA must have the same folder structure of other apps:

  • bin,
  • default,
  • local,
  • metadata.

The files in TA_Forwarders must be three and must be in local or in default:

  • apps.conf (containing infos about the TA) see below,
  • outputs.conf (to address indexes), see below,
  • deploymentclient.conf (to address Deployment Server), see below.

Apps.conf:

#
# Splunk app configuration file
#

[install]
is_configured = 0

[ui]
is_visible = 1
label = TA_Forwarders

[launcher]
author = Giuseppe Cusello 
description = technocal Add-On to address all the clients
version = 1.0.0

Outputs.conf (if you have Indexer Discovery enabled on Indexers' Cluster):

[indexer_discovery:<name>]
pass4SymmKey = <string>
master_uri = <uri>

[tcpout:<target_group>]
indexerDiscovery = <name>

[tcpout]
defaultGroup = <target_group>

Outputs.conf (if you haven't Indexer Discovery enabled on Indexers' Cluster):

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://xx.xx.xx.xx:9997]
[tcpout-server://yy.yy.yy.yy:9997]

[tcpout:default-autolb-group]
server = xx.xx.xx.xx:9997,yy.yy.yy.yy:9997
disabled=false

deploymentclient.conf:

[deployment-client]

[target-broker:deploymentServer]
targetUri= zz.zz.zz.zz:8089

Don't follow my notes, see the documentation on the top!

 Ciao,

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @,

Deployment Server is a dedicated server that has to have the standard Splunk stand alone server:

  • 12 CPUs,
  • 12 GB RAM,
  • 100 GB disk,
  • virtual server.

Deployment server can be only a stand alone server and there isn't a clustered version.

It isn't a Single Point of Failure because your architecture can run also without (for a limited time) it.

Remember to configure your DS to send its logs to the indexers as all the other Splunk servers.

More infos are at https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Aboutdeploymentserver

Ciao.

Giuseppe

0 Karma

vj_hawk21
Explorer

@gcusello Thanks for your response. Since i m setting up the deployment server for the first time, can you help me what the configurations we need to update in deployment server and indexers

0 Karma

gcusello
SplunkTrust
SplunkTrust

@vj_hawk21,

No settings on Indexers, follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Aboutdeploymentserver

in few words:

  • Install a Splunk server that forwarders its logs to indexers,
  • create the TA_Forwarders containing outputs.conf and deploymentclient.conf;
  • install Universal Forwarder on one or more target servers;
  • copy the TA_Forwarders on the target servers at $SPLUNK_HOME/etc/apps;
  • restart Splunk on the target server.

at this point you should see the new clients on the DS.

now, on DS:

  • copy the TA_Forwarders and all the apps to deploy on it at $SPLUNK_HOME/etc/deployment-apps;
  • on web gui create a ServerClass associating the target servers with the apps to deploy;
  • TA_Forwarders, must be in all ServerClasses you create, or you can create a dedicated ServerClass containing all the target servers;
  • remember to flag restart afte updated in all the apps.

Now you should have your Deployment Server Up and running.

For your knoledge, a TA must have the same folder structure of other apps:

  • bin,
  • default,
  • local,
  • metadata.

The files in TA_Forwarders must be three and must be in local or in default:

  • apps.conf (containing infos about the TA) see below,
  • outputs.conf (to address indexes), see below,
  • deploymentclient.conf (to address Deployment Server), see below.

Apps.conf:

#
# Splunk app configuration file
#

[install]
is_configured = 0

[ui]
is_visible = 1
label = TA_Forwarders

[launcher]
author = Giuseppe Cusello 
description = technocal Add-On to address all the clients
version = 1.0.0

Outputs.conf (if you have Indexer Discovery enabled on Indexers' Cluster):

[indexer_discovery:<name>]
pass4SymmKey = <string>
master_uri = <uri>

[tcpout:<target_group>]
indexerDiscovery = <name>

[tcpout]
defaultGroup = <target_group>

Outputs.conf (if you haven't Indexer Discovery enabled on Indexers' Cluster):

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://xx.xx.xx.xx:9997]
[tcpout-server://yy.yy.yy.yy:9997]

[tcpout:default-autolb-group]
server = xx.xx.xx.xx:9997,yy.yy.yy.yy:9997
disabled=false

deploymentclient.conf:

[deployment-client]

[target-broker:deploymentServer]
targetUri= zz.zz.zz.zz:8089

Don't follow my notes, see the documentation on the top!

 Ciao,

Giuseppe

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...