Deployment Architecture

Is it possible to create a cluster for the master or deployment server?

graciellamauri
New Member

Does anyone know if it's possible to create a cluster for the deployment server or the master server?

I'm asking this because we could go to DR more easily in case of datacenter change, tests or disasters. Also, our deployment server is quite slow (we have more than 5000 universal forwarders). I think a deployment server cluster could solve this issue.

Does anyone have any idea? Is it possible?

0 Karma

richgalloway
SplunkTrust

The Cluster Manager (Splunk no longer prefers the term "master") supports a backup process as of version 9.0.0.  See https://docs.splunk.com/Documentation/Splunk/9.0.0/Indexer/CMredundancy for more information.

As of now, there is such capability for deployment servers.  Some sites maintain a warm backup DS and have clients connect to it using a DNS name.  In the event of a failover, they just need to change the DNS entry and clients will start talking to the new server.  Synchronization of the configuration between DS servers is a problem each site solves on its own.

---
If this reply helps you, Karma would be appreciated.
0 Karma
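The reply above leaves synchronization between the primary and the warm backup DS to each site. As an added example (not from the thread and not Splunk's own tooling), this Python sketch reports drift between two copies of a deployment server's app repository before the DNS entry is switched; the function names and the sample app names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def tree_digests(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(primary_root, standby_root):
    """Return files missing on the standby, extra on it, or differing in content."""
    primary = tree_digests(primary_root)
    standby = tree_digests(standby_root)
    return {
        "missing_on_standby": sorted(set(primary) - set(standby)),
        "extra_on_standby": sorted(set(standby) - set(primary)),
        "content_differs": sorted(
            p for p in set(primary) & set(standby) if primary[p] != standby[p]
        ),
    }


def demo():
    """Build two constructed app trees and report the drift between them."""
    def write(root, rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        # Constructed sample content standing in for two deployment-apps copies.
        write(a, "uf_outputs/local/outputs.conf", "[tcpout]\ndefaultGroup = idx\n")
        write(b, "uf_outputs/local/outputs.conf", "[tcpout]\ndefaultGroup = old\n")
        write(a, "uf_inputs/local/inputs.conf", "[monitor:///var/log]\n")
        write(b, "legacy_app/default/app.conf", "[ui]\nis_visible = 0\n")
        return compare_trees(a, b)


if __name__ == "__main__":
    print(demo())
```

An empty result in all three lists means the standby would hand forwarders the same app content as the primary; anything else is worth resolving before the failover.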

gcusello
SplunkTrust

Hi @graciellamauri,

The answer is no for both of your roles:

First, because your system continues to work even in case of a fault of both these servers, so they aren't a Single Point of Failure.

Then, because for these roles Splunk doesn't permit a cluster.

You can check this position also at https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf

If your Deployment server is overloaded, the easiest approach is to give it more resources, e.g. instead of 12 CPUs and 12 GB RAM you could give it 24 CPUs and 24 GB RAM.

You could also use two or more DSs, but you have to create a cascade configuration so one or more DSs are clients of the main DS.

It isn't such a complicated configuration, but it must be done; for this reason I suggested giving more resources. In any case, it isn't a problem if it's slow, because its role is only to check Forwarders' configurations and eventually push the updates, nothing else.

Instead, the Master Node must be unique. You could eventually have a cold copy of it to start in case of fault, but it isn't mandatory because your system will continue to work as usual also without it; the only limit is that buckets aren't replicated.

If you see that your Master Node is overloaded (you can check this only using the Monitoring Console), also in this case, give it more resources.

Ciao.

Giuseppe

0 Karma