Managing Universal Forwarders and Indexers hosts

imosquera · ‎07-16-2013

What is the best way to manage universal forwarders and indexers at scale?

By this I mean, If I have 10 indexers today, I specify those on the universal forwarders configuration (outputs.conf). If I add 3 new indexers will have to update every universal forwarder in my site?

This could be upwards to 200 machines running the universal forwarders that would need an update. I've read a few times that using a loadbalancer is not a good solution to reduce the overhead of managing the indexers list.

What is the best way to manage the indexers list and configuration on the forwarders?

srioux · ‎07-16-2013

Probably best to use a Deployment Server to manage outputs.conf across all your indexers. Just build it as part of a deployed app.

Lots of documentation on using a deployment server:

[http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Aboutdeploymentserver][1]

Managing Universal Forwarders and Indexers hosts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation

Managing Universal Forwarders and Indexers hosts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...