Deployment Architecture

Possible combinations of Splunk Instances with different Roles

christian_l
Path Finder

Hi all,

I often face the question of how Splunk instances with different roles can be combined, especially in huge and complex landscapes such as those with Index- and Searchhead-Clusters. For example, can a deployer be the same Splunk instance as the Cluster-Master? Can the Deployment-Server also be the License Server? And so on ...
I tried to put this into a simple scheme that allows a quick answer.
My approach can be seen within the attached picture:
possible Splunk combinations

Sources for these results are some simple tests, experience and the following sources:

  1. https://answers.splunk.com/answers/150606/should-we-have-splunk-deployment-server-and-cluster-master...
  2. https://answers.splunk.com/answers/96197/any-know-issues-with-deployment-server-and-master-on-same-m...
  3. https://answers.splunk.com/answers/302606/what-is-the-best-way-to-combine-a-license-master-d.html
  4. http://docs.splunk.com/Documentation/Splunk/6.2.8/Admin/ConfiguretheMonitoringConsole

The yellow field is based on the fact that sources 1 and 2 conflict with source 3.

What are your experiences regarding these combinations? Could you falsify or prove my experience?

To be honest, when I started developing the above matrix I realized it wasn't as trivial as I initially thought, but maybe we can build a reliable version of this together. I assume this could be helpful for some of the "Splunkers in the wild" 🙂

Regards,
Christian

biowfish
Engager

Hi, just in case someone finds this old thread and wants to use it.

The "all green" picture covers the technical perspective of a working platform - so yeah, you can combine the roles as you want, but there are "suggestions" by Splunk not to do so, and there is one more aspect which I do not see covered anywhere - and that is updating.

There is often a very specific sequence of updating instances that must be followed in order to successfully update distributed environments without service interruption, and that is where you can hit a roadblock if you combine roles badly.

0 Karma

christian_l
Path Finder

Hi all,

I just wanted to update this topic with at least one sentence which should give the answer to my above question:
It's all about performance!
From the technical side - based on my experience - each of the mentioned Splunk roles can be assigned to the same instance, as long as you don't care about performance. This results in the following picture:

alt text

Any concerns? Feedback? Corrections?

0 Karma

ykou_splunk
Splunk Employee

1 and 2 are not really conflicting with 3. The reason people recommend hosting the deployment server on a separate machine is performance (as 2 described). So technically you can host the deployment server, cluster master and deployer all together, but you would need a powerful machine.

Not sure why there's a red field; you should be able to host the deployment server and deployer together.

0 Karma

christian_l
Path Finder

Hey ykou,

Thanks for the hint. I should have mentioned that I want to exclude the performance considerations from this list. If we look at performance, I assume the recommendation is to have each role on a separate instance.
Regarding the red one, I may have misinterpreted a piece of documentation or an answer. This red field may have appeared based on the fact that you shouldn't use the deployment server with Searchhead-Cluster peers ... I'll verify this again.

0 Karma

ykou_splunk
Splunk Employee

To clarify a bit more, the deployer is not a search head cluster member; it is a separate instance which talks to all the search head cluster members.

0 Karma