Deployment Architecture

Issue in Splunk Deployment Server Setup

Engager

Hi,

I am using a Splunk indexer as a deployment server. I have installed forwarders on about 15 machines and I am fetching the logs from these machines.

However, after creating the server classes and deploying apps, only some machines are phoning home. The other machines are not phoning home. Can you please help in identifying the issue behind this?

I have installed Splunk Enterprise 8.x on Windows Server 2016 with a trial license.

Thanks

0 Karma

Legend

Hi @naagaraj,
first of all, as you probably know, up to 50 clients it's possible to use a non-dedicated Deployment Server.

Some questions to understand the problem:

  • first of all, do you have all 15 machines connected to the Deployment Server?
  • if you run index=_internal, how many hosts do you have?
  • did you check whether the non-sending servers have the same configuration as the others?

I'm especially speaking of two files:

  • outputs.conf,
  • deploymentclient.conf.

It's a good practice to put these files in a dedicated Technical Add-On (called e.g. TA_Forwarders), copied to the servers at first installation and then managed by the Deployment Server.

Ciao.
Giuseppe

0 Karma
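As an added illustration of the dedicated add-on layout described above (not part of the original answer): the two files placed under the app's local/ directory, with the stanzas a Universal Forwarder needs to phone home and to send data. Host names, the app name TA_Forwarders and the clientName value are assumptions for the example.

```ini
# TA_Forwarders/local/deploymentclient.conf  (example, hostnames assumed)
[deployment-client]
# optional: a stable name shown in Forwarder Management instead of the GUID
clientName = win-desktop-$HOSTNAME$

[target-broker:deploymentServer]
# management port of the Deployment Server (TCP 8089)
targetUri = splunk-ds.example.local:8089

# TA_Forwarders/local/outputs.conf  (example, hostnames assumed)
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# receiving port opened on the indexer(s) (TCP 9997)
server = splunk-idx1.example.local:9997
```

Because the same add-on is later pushed by the Deployment Server itself, a change to the indexer list or the phone-home target is edited once on the server and reaches every client on its next phone-home, rather than being fixed by hand on each desktop.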

Engager

Hi Giuseppe,

  • First of all, do you have all 15 machines connected to the Deployment Server? - Yes, I have opened ports 8089 and 9997 between the deployment server and the 15 desktop machines.

  • If you run index=_internal, how many hosts do you have? - I have only 3 hosts.

  • Did you check whether the non-sending servers have the same configuration as the others? - Yes, the non-sending servers have the same outputs.conf and deploymentclient.conf configuration files.

Thanks,
Naagaraj SV

0 Karma

Legend

Hi @naagaraj,
sorry, I wasn't clear in the first question: how many clients do you see in [Settings -- Forwarder Management]?

Are they the same that you can find in _internal?

If yes, first of all check the routes between the clients and the Splunk server using telnet from the clients:

telnet IP_Splunk_Server 9997
telnet IP_Splunk_Server 8089

If you cannot connect, the problem is with the firewall routes.

If instead you see all 15 clients in Forwarder Management but only three in _internal, the problem could be in the connection on port 9997 (so check the connection with telnet on port 9997); otherwise the problem could be in the Splunk configuration (outputs.conf).

Ciao.
Giuseppe

0 Karma
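The triage in the answer above (telnet to 8089 and 9997, then look at outputs.conf) can be run from a client as a small script instead of by hand. The following is an added example, not code from the thread or from Splunk: it reads the client's deploymentclient.conf and outputs.conf, probes every endpoint they name, and maps the result onto the three cases the answer distinguishes. The file contents and host names below are constructed; on a real forwarder you would read them from the add-on's local/ directory, and the probe only proves TCP reachability, not that the TLS handshake or forwarding succeeds.

```python
"""Added example: reproduce the 'telnet 8089 / telnet 9997' check from a
forwarder and interpret the result the way the thread does.
Not part of the original thread; file contents and hostnames are constructed."""
import configparser
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample files, as they would sit in TA_Forwarders/local/.
DEPLOYMENTCLIENT_CONF = """\
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = splunk-ds.example.local:8089
"""

OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-idx1.example.local:9997, splunk-idx2.example.local:9997
"""


def _parse(text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like; keep key case (targetUri, defaultGroup).
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _split_host_port(value: str) -> Tuple[str, int]:
    host, _, port = value.strip().rpartition(":")
    return host, int(port)


def deployment_server(deploymentclient_conf: str) -> Tuple[str, int]:
    """(host, port) the client phones home to, from the target-broker stanza."""
    cp = _parse(deploymentclient_conf)
    return _split_host_port(cp["target-broker:deploymentServer"]["targetUri"])


def indexers(outputs_conf: str) -> List[Tuple[str, int]]:
    """Every host:port in the default tcpout group's server list."""
    cp = _parse(outputs_conf)
    group = cp["tcpout"]["defaultGroup"]
    servers = cp[f"tcpout:{group}"]["server"]
    return [_split_host_port(s) for s in servers.split(",") if s.strip()]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: succeeds exactly when 'telnet host port' would connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoints(deploymentclient_conf: str, outputs_conf: str,
                    probe: Callable[[str, int], bool] = tcp_connect) -> Dict:
    """Probe the deployment server and each indexer; probe is injectable."""
    ds_host, ds_port = deployment_server(deploymentclient_conf)
    return {
        "deployment_server": probe(ds_host, ds_port),
        "indexers": {f"{h}:{p}": probe(h, p) for h, p in indexers(outputs_conf)},
    }


def diagnose(status: Dict) -> str:
    """Map reachability onto the three cases from the thread."""
    if not status["deployment_server"]:
        return ("management port unreachable: client cannot phone home and will "
                "not appear in Forwarder Management (check firewall to 8089)")
    if not any(status["indexers"].values()):
        return ("phone-home works but no indexer reachable: client appears in "
                "Forwarder Management but not in _internal (check firewall to 9997)")
    return "all endpoints reachable: look at outputs.conf / forwarder configuration next"


if __name__ == "__main__":
    # On a real client, replace the constants with the contents of the local/ files.
    result = check_endpoints(DEPLOYMENTCLIENT_CONF, OUTPUTS_CONF)
    print(result)
    print(diagnose(result))
```

Run it on a client that is missing from _internal and compare the verdict with what Forwarder Management shows; `splunk list forward-server` on the forwarder gives the same reachability view from Splunk's own perspective, and `splunk btool outputs list --debug` shows which file each outputs.conf setting actually comes from, which catches a stray local copy overriding the add-on.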