Issue in Splunk Deployment Server Setup

naagaraj
Engager

Hi,

I am using a Splunk indexer as a deployment server. I have installed forwarders in about 15 machines and I am fetching the logs from these machines.

However, after creating the server classes and deploying apps, only machines are phoning home. The other machines are not phoning home. Can you please help me identify the issue behind this?

I have installed Splunk Enterprise 8.x on a Windows Server 2016 with a trial license.

Thanks


gcusello
SplunkTrust

Hi @naagaraj,
first of all, as you probably know, with up to 50 clients it's possible to use a non-dedicated Deployment Server.

Some questions to understand the situation:

  • first of all, do you have all 15 machines connected to the Deployment Server?
  • if you run index=_internal, how many hosts do you have?
  • did you check whether the non-sending servers have the same configuration as the others?

I'm especially speaking of two files:

  • outputs.conf,
  • deploymentclient.conf.

It's a good practice to put these files in a dedicated Technical Add-On (called e.g. TA_Forwarders), copied to the servers at the first installation and then managed by the Deployment Server.

Ciao.
Giuseppe


naagaraj
Engager

Hi Giuseppe,

  • First of all, do you have all 15 machines connected to the Deployment Server? - Yes, I have opened ports 8089 and 9997 between the deployment server and the 15 desktop machines.

  • If you run index=_internal, how many hosts do you have? - I have only 3 hosts.

  • Did you check whether the non-sending servers have the same configuration as the others? - Yes, the non-sending receivers have the same outputs.conf and deploymentclient.conf configuration files.

Thanks,
Naagaraj SV


gcusello
SplunkTrust

Hi @naagaraj,
sorry, I wasn't clear in the first question: how many clients do you see in [Settings -- Forwarder Management]?

Are they the same that you can find in _internal?

If yes, first check the routes between the clients and the Splunk server using telnet from the clients:

telnet IP_Splunk_Server 9997
telnet IP_Splunk_Server 8089

If you cannot connect, the problem is in the firewall routes.

If instead you see all 15 clients in Forwarder Management but only three in _internal, the problem could be in the connection on port 9997 (so check the connection with telnet on port 9997); otherwise the problem could be in the Splunk configuration (outputs.conf).

Ciao.
Giuseppe

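The port checks Giuseppe describes, as an added example that is not from this thread or from Splunk: this script reads the deployment server from deploymentclient.conf and the indexer(s) from outputs.conf and tries to open a TCP connection to each, the same question the telnet commands above ask, but against whatever the forwarder is actually configured with, so a wrong targetUri or server entry shows up alongside a blocked port. The conf text and hostnames are constructed samples; on a real forwarder, feed it the contents of the two files the TA deploys.

```python
import configparser
import socket
# Constructed sample of the two files on one forwarder; hostnames are placeholders.
SAMPLE_DEPLOYMENTCLIENT_CONF = """
[target-broker:deploymentServer]
targetUri = splunk-ds.example.internal:8089
"""
SAMPLE_OUTPUTS_CONF = """
[tcpout:primary_indexers]
server = splunk-idx.example.internal:9997
"""

def _load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys (targetUri, server) are case-sensitive
    cp.read_string(text)
    return cp

def _split_host_port(value: str) -> tuple[str, int]:
    host, port = value.strip().rsplit(":", 1)
    return host, int(port)

def configured_endpoints(deploymentclient_conf: str, outputs_conf: str) -> dict[str, list[tuple[str, int]]]:
    """Deployment server (8089) from deploymentclient.conf, indexers (9997) from outputs.conf."""
    endpoints: dict[str, list[tuple[str, int]]] = {"management": [], "data": []}
    dc = _load(deploymentclient_conf)
    for stanza in dc.sections():
        if stanza.startswith("target-broker:") and dc.has_option(stanza, "targetUri"):
            endpoints["management"].append(_split_host_port(dc.get(stanza, "targetUri")))
    out = _load(outputs_conf)
    for stanza in out.sections():
        if stanza.startswith("tcpout:") and out.has_option(stanza, "server"):
            endpoints["data"].extend(_split_host_port(s) for s in out.get(stanza, "server").split(","))
    return endpoints

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Same question the telnet test asks: does a TCP connection open?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name resolution failed
        return False

def check_forwarder(deploymentclient_conf: str, outputs_conf: str) -> dict[str, bool]:
    eps = configured_endpoints(deploymentclient_conf, outputs_conf)
    return {f"{h}:{p}": tcp_reachable(h, p) for kind in eps for h, p in eps[kind]}

if __name__ == "__main__":
    for ep, ok in check_forwarder(SAMPLE_DEPLOYMENTCLIENT_CONF, SAMPLE_OUTPUTS_CONF).items():
        print(f"{ep}: {'reachable' if ok else 'NOT reachable: check firewall/routes'}")
```

Run it on each forwarder that is missing from _internal: a management endpoint that is unreachable explains a client absent from Forwarder Management, a data endpoint that is unreachable explains one that phones home but sends no data.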