Deployment Architecture

Newbie question: How to/Should I set up a deployment server in the docker compose trial

ccecvb
Engager

Hi, we just started testing/experimenting with Splunk.

Followed a Splunk4Rookies workshop but that focussed on the SPL and dashboards, not on ingesting data.

We got the docker-compose installation up and running.

I have installed a universal forwarder on a Linux server and was able to send /var/log to the Splunk install.

I find various posts that state

* I should be using the Splunk Add-on for Unix and Linux
* it needs to be installed on the forwarder
* I should be using a deployment server instead of configuring locally on the Linux server.

Looking for information on how to actually install a deployment server.
I seem to be going in circles between pages with old comments (pre 2016, https://community.splunk.com/t5/Deployment-Architecture/How-to-configure-a-deployment-server/m-p/131...) and broken links, or pages explaining why I would need a deployment server.

Questions :

Do I need to bother with deployment server at this stage ? Is it really bad if I install "Splunk Add-on for Unix and Linux" locally ? and how do I actually locally, the insatt
Can you point me to a basic step by step explanation of how I can install a deployment server ?

This is intended for a test, can we add the deployment server capability to our Splunk server created with docker compose ?

0 Karma
1 Solution

PickleRick
SplunkTrust

It's a tough question.

On the one hand - DS is another layer of complexity. And it's usually used when you have bigger environments and want to centralize management of your forwarders.

On the other hand - fiddling manually with forwarders can teach you some bad practices. And - especially with standardized forwarders like the docker-based ones - it can be actually easier to manage the UFs with DS.

Anyway, DS is just a functionality of a Splunk Enterprise instance which you don't have to additionally "install". You can enable/disable it by setting

[global]
disabled = <boolean>
* Toggles the deployment server off and on.
* Set to true to disable.
* Default: false

in serverclass.conf

You can also enable it in WebUI.


0 Karma

ccecvb
Engager

Thank you for the quick responses.


@PickleRick Your answer makes it clear I should go with a deployment server. 

I'm still a bit confused, if the default is disable = false, shouldn't it already be enabled ?
./system/local/serverclass.conf exists but it is empty.


@isoutamo Our instance will be long lived

What I did

  • Changed system/local/serverclass.conf to contain
    [global]
    disabled = false

  • copied splunk-add-on-for-unix-and-linux_1000.tgz to /opt/splunk/etc/deployment-apps
  • added port 8089 to docker-compose.yml
  • docker compose down / up
  • opened port 8089  on our docker host firewall.

On the Linux host I want to monitor I removed pre-existing local config and executed
/opt/splunkforwarder/bin/splunk set deploy-poll dockerhost:8089
/opt/splunkforwarder/bin/splunk stop
/opt/splunkforwarder/bin/splunk start

 

Initially I saw no difference but now /splunk/en-GB/manager/launcher/agent_management?tab=forwarders shows my client.

 

Thank you

0 Karma

ccecvb
Engager

Thank you for the quick and clear response. I'll try to activate the DS.

0 Karma

isoutamo
SplunkTrust
One thing to consider: are your docker instances short or long lived? If those are short then it could be easier to manage those by adding the needed Splunk apps into the image itself. But when those are long lived then you should use DS or another automated way to manage those apps.

As @PickleRick already said, running DS in docker is just adding those apps into the deployment-apps folder and then serverclass as a separate app. Installing and applying those should be automated if possible.
0 Karma
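
Added example, not part of any post in this thread: a serverclass.conf that ties the steps above together by mapping the add-on in deployment-apps to the forwarders that phone home. The class name `linux_hosts` and the whitelist pattern are constructed placeholders, and it assumes the add-on archive has been extracted to `deployment-apps/Splunk_TA_nix`.

```ini
# serverclass.conf on the deployment server, for example in
# /opt/splunk/etc/system/local/ (the location used in the post above)
# or in the local/ directory of a dedicated app.
# "linux_hosts" and the whitelist pattern are constructed placeholders.

[global]
disabled = false

# A server class groups deployment clients. whitelist.N is matched
# against the client's name, hostname, DNS name or IP address.
[serverClass:linux_hosts]
whitelist.0 = linuxhost*

# Maps one app directory under /opt/splunk/etc/deployment-apps/ to the
# class. Assumes the add-on was extracted to deployment-apps/Splunk_TA_nix.
[serverClass:linux_hosts:app:Splunk_TA_nix]
# Install the app in an enabled state on matching clients.
stateOnClient = enabled
# Restart the forwarder after the app is installed or updated.
restartSplunkd = true
```

After editing, `splunk reload deploy-server` on the deployment server makes it re-read the file; the add-on ships with its inputs disabled, so an inputs.conf in the deployed app's local/ directory has to enable the ones you want. Apps pushed this way can carry scripts that run on every matching forwarder, so limit the firewall rule for port 8089 to the forwarders' addresses.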
