Team,
We have a search head cluster and indexer cluster in our current Splunk environment. We don't have a deployment server and we decided to set up a new one.
What are all the prerequisites that should be considered, since our current environment is on a clustering model?
Thanks.


@vj_hawk21,
No settings on Indexers, follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Aboutdeploymentserver
In a few words:
- install a Splunk server that forwards its logs to indexers;
- create the TA_Forwarders containing outputs.conf and deploymentclient.conf;
- install Universal Forwarder on one or more target servers;
- copy the TA_Forwarders on the target servers at $SPLUNK_HOME/etc/apps;
- restart Splunk on the target server.
At this point you should see the new clients on the DS.
Now, on DS:
- copy the TA_Forwarders and all the apps to deploy on it at $SPLUNK_HOME/etc/deployment-apps;
- on web gui create a ServerClass associating the target servers with the apps to deploy;
- TA_Forwarders must be in all ServerClasses you create, or you can create a dedicated ServerClass containing all the target servers;
- remember to flag restart after update in all the apps.
Now you should have your Deployment Server up and running.
For your knowledge, a TA must have the same folder structure of other apps:
- bin,
- default,
- local,
- metadata.
The files in TA_Forwarders must be three and must be in local or in default:
- apps.conf (containing infos about the TA) see below,
- outputs.conf (to address indexes), see below,
- deploymentclient.conf (to address Deployment Server), see below.
Apps.conf:

```
#
# Splunk app configuration file
#
[install]
is_configured = 0

[ui]
is_visible = 1
label = TA_Forwarders

[launcher]
author = Giuseppe Cusello
description = technocal Add-On to address all the clients
version = 1.0.0
```

Outputs.conf (if you have Indexer Discovery enabled on Indexers' Cluster):

```
[indexer_discovery:<name>]
pass4SymmKey = <string>
master_uri = <uri>

[tcpout:<target_group>]
indexerDiscovery = <name>

[tcpout]
defaultGroup = <target_group>
```

Outputs.conf (if you haven't Indexer Discovery enabled on Indexers' Cluster):

```
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://xx.xx.xx.xx:9997]

[tcpout-server://yy.yy.yy.yy:9997]

[tcpout:default-autolb-group]
server = xx.xx.xx.xx:9997,yy.yy.yy.yy:9997
disabled=false
```

deploymentclient.conf:

```
[deployment-client]

[target-broker:deploymentServer]
targetUri= zz.zz.zz.zz:8089
```
Don't follow my notes, see the documentation on the top!
Ciao,
Giuseppe
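
A pre-deployment check for the TA_Forwarders app described in the answer above, as an added example that is not part of the original posts and is not Splunk tooling: it confirms that `targetUri` is `host:port` and that the `defaultGroup` in outputs.conf points at a defined target group, since a broken copy pushed through a ServerClass reaches every forwarder at once. The function names `conf_path`, `stanza_value` and `lint_ta` are hypothetical, and the script reads a file from local in preference to default instead of merging the two.

```shell
# Added example (not from the thread): lint TA_Forwarders before deploying it.

# conf_path APP_DIR FILE: print FILE's path under local or default.
# Simplification (assumption): local wins outright, no per-key merge.
conf_path() {
    for d in local default; do
        [ -f "$1/$d/$2" ] && { echo "$1/$d/$2"; return 0; }
    done
    return 1
}

# stanza_value FILE STANZA KEY: print KEY's value inside [STANZA], if present.
stanza_value() {
    awk -v want="[$2]" -v key="$3" '
        { sub(/[ \t\r]+$/, "") }                # drop trailing blanks and CR
        /^\[/ { in_s = ($0 == want); next }      # stanza header line
        in_s {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# lint_ta APP_DIR: return 0 when both conf files are internally consistent.
lint_ta() {
    rc=0
    dc=$(conf_path "$1" deploymentclient.conf) || { echo "missing deploymentclient.conf" >&2; return 1; }
    out=$(conf_path "$1" outputs.conf) || { echo "missing outputs.conf" >&2; return 1; }
    uri=$(stanza_value "$dc" "target-broker:deploymentServer" targetUri)
    case $uri in
        *?:[0-9]*) ;;
        *) echo "targetUri is not host:port: '$uri'" >&2; rc=1 ;;
    esac
    group=$(stanza_value "$out" tcpout defaultGroup)
    servers=$(stanza_value "$out" "tcpout:$group" server)
    disc=$(stanza_value "$out" "tcpout:$group" indexerDiscovery)
    if [ -z "$group" ]; then
        echo "[tcpout] has no defaultGroup" >&2; rc=1
    elif [ -n "$disc" ]; then
        [ -n "$(stanza_value "$out" "indexer_discovery:$disc" master_uri)" ] ||
            { echo "[indexer_discovery:$disc] has no master_uri" >&2; rc=1; }
    elif [ -z "$servers" ]; then
        echo "[tcpout:$group] has neither server nor indexerDiscovery" >&2; rc=1
    fi
    return $rc
}

# Usage: sh lint_ta.sh /path/to/TA_Forwarders
if [ $# -gt 0 ]; then lint_ta "$1" && echo "TA_Forwarders looks consistent"; fi
```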


Hi @,
Deployment Server is a dedicated server that has to have the standard Splunk stand alone server:
- 12 CPUs,
- 12 GB RAM,
- 100 GB disk,
- virtual server.
Deployment server can be only a standalone server and there isn't a clustered version.
It isn't a Single Point of Failure because your architecture can also run without it (for a limited time).
Remember to configure your DS to send its logs to the indexers as all the other Splunk servers.
More info is at https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Aboutdeploymentserver
Ciao.
Giuseppe
@gcusello Thanks for your response. Since I'm setting up the deployment server for the first time, can you help me with what configurations we need to update on the deployment server and indexers?
