- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How to set up new deployment server in a clustered...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Team,
We have a search head cluster and indexer cluster in our current Splunk environment. We don't have a deployment server and we decided to set up a new one.
What are all the pre-requests that should be considered, since our current environment is on a clustering model?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ @vj_hawk21,
No settings on Indexers, follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Aboutdeploymentserver
in few words:
- Install a Splunk server that forwarders its logs to indexers,
- create the TA_Forwarders containing outputs.conf and deploymentclient.conf;
- install Universal Forwarder on one or more target servers;
- copy the TA_Forwarders on the target servers at $SPLUNK_HOME/etc/apps;
- restart Splunk on the target server.
at this point you should see the new clients on the DS.
now, on DS:
- copy the TA_Forwarders and all the apps to deploy on it at $SPLUNK_HOME/etc/deployment-apps;
- on web gui create a ServerClass associating the target servers with the apps to deploy;
- TA_Forwarders, must be in all ServerClasses you create, or you can create a dedicated ServerClass containing all the target servers;
- remember to flag restart afte updated in all the apps.
Now you should have your Deployment Server Up and running.
For your knoledge, a TA must have the same folder structure of other apps:
- bin,
- default,
- local,
- metadata.
The files in TA_Forwarders must be three and must be in local or in default:
- apps.conf (containing infos about the TA) see below,
- outputs.conf (to address indexes), see below,
- deploymentclient.conf (to address Deployment Server), see below.
Apps.conf:
#
# Splunk app configuration file
#
[install]
is_configured = 0
[ui]
is_visible = 1
label = TA_Forwarders
[launcher]
author = Giuseppe Cusello
description = technocal Add-On to address all the clients
version = 1.0.0Outputs.conf (if you have Indexer Discovery enabled on Indexers' Cluster):
[indexer_discovery:<name>]
pass4SymmKey = <string>
master_uri = <uri>
[tcpout:<target_group>]
indexerDiscovery = <name>
[tcpout]
defaultGroup = <target_group>Outputs.conf (if you haven't Indexer Discovery enabled on Indexers' Cluster):
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://xx.xx.xx.xx:9997]
[tcpout-server://yy.yy.yy.yy:9997]
[tcpout:default-autolb-group]
server = xx.xx.xx.xx:9997,yy.yy.yy.yy:9997
disabled=falsedeploymentclient.conf:
[deployment-client]
[target-broker:deploymentServer]
targetUri= zz.zz.zz.zz:8089Don't follow my notes, see the documentation on the top!
Ciao,
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @,
Deployment Server is a dedicated server that has to have the standard Splunk stand alone server:
- 12 CPUs,
- 12 GB RAM,
- 100 GB disk,
- virtual server.
Deployment server can be only a stand alone server and there isn't a clustered version.
It isn't a Single Point of Failure because your architecture can run also without (for a limited time) it.
Remember to configure your DS to send its logs to the indexers as all the other Splunk servers.
More infos are at https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Aboutdeploymentserver
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gcusello Thanks for your response. Since i m setting up the deployment server for the first time, can you help me what the configurations we need to update in deployment server and indexers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ @vj_hawk21,
No settings on Indexers, follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Aboutdeploymentserver
in few words:
- Install a Splunk server that forwarders its logs to indexers,
- create the TA_Forwarders containing outputs.conf and deploymentclient.conf;
- install Universal Forwarder on one or more target servers;
- copy the TA_Forwarders on the target servers at $SPLUNK_HOME/etc/apps;
- restart Splunk on the target server.
at this point you should see the new clients on the DS.
now, on DS:
- copy the TA_Forwarders and all the apps to deploy on it at $SPLUNK_HOME/etc/deployment-apps;
- on web gui create a ServerClass associating the target servers with the apps to deploy;
- TA_Forwarders, must be in all ServerClasses you create, or you can create a dedicated ServerClass containing all the target servers;
- remember to flag restart afte updated in all the apps.
Now you should have your Deployment Server Up and running.
For your knoledge, a TA must have the same folder structure of other apps:
- bin,
- default,
- local,
- metadata.
The files in TA_Forwarders must be three and must be in local or in default:
- apps.conf (containing infos about the TA) see below,
- outputs.conf (to address indexes), see below,
- deploymentclient.conf (to address Deployment Server), see below.
Apps.conf:
#
# Splunk app configuration file
#
[install]
is_configured = 0
[ui]
is_visible = 1
label = TA_Forwarders
[launcher]
author = Giuseppe Cusello
description = technocal Add-On to address all the clients
version = 1.0.0Outputs.conf (if you have Indexer Discovery enabled on Indexers' Cluster):
[indexer_discovery:<name>]
pass4SymmKey = <string>
master_uri = <uri>
[tcpout:<target_group>]
indexerDiscovery = <name>
[tcpout]
defaultGroup = <target_group>Outputs.conf (if you haven't Indexer Discovery enabled on Indexers' Cluster):
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://xx.xx.xx.xx:9997]
[tcpout-server://yy.yy.yy.yy:9997]
[tcpout:default-autolb-group]
server = xx.xx.xx.xx:9997,yy.yy.yy.yy:9997
disabled=falsedeploymentclient.conf:
[deployment-client]
[target-broker:deploymentServer]
targetUri= zz.zz.zz.zz:8089Don't follow my notes, see the documentation on the top!
Ciao,
Giuseppe
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
