Deployment Architecture

RPM for splunk light forwarder...

balbano
Contributor

Hi,

I realize that splunk and splunk light forwarder are apart of the same package RPM since light forwarder is just disabled by default. But has anyone ever tried to repackage the existing splunk rpm and make it as to where splunk light forwarder is set to enabled by default?

If that's not a real good idea can you let me know whats the best way to quickly roll out splunk light forwarder to 500+ servers?

I also know you can use the deployment server/client model but to my knowledge it will only control the config distribution.

Any help you can provide would be of much help.

Thanks.

Brian A

1 Solution

balbano
Contributor

We created a custom RPM which simply had the deploymentclient.conf file so that once splunk was installed it would phone home to the deployment server and pull the configs that would turn it into a Splunk Light Forwarder. It is pretty easy and the transition from Splunk Full Version to Light Forwarder is rather quick.

Also to help further minimize the forwarder footprint... we modified log.cfg to retain only 1 backup file as opposed to the default 5 backup files.

Thanks for all of the ideas.

Brian

View solution in original post

balbano
Contributor

We created a custom RPM which simply had the deploymentclient.conf file so that once splunk was installed it would phone home to the deployment server and pull the configs that would turn it into a Splunk Light Forwarder. It is pretty easy and the transition from Splunk Full Version to Light Forwarder is rather quick.

Also to help further minimize the forwarder footprint... we modified log.cfg to retain only 1 backup file as opposed to the default 5 backup files.

Thanks for all of the ideas.

Brian

jrodman
Splunk Employee
Splunk Employee

You could create your own tar or rpm of a splunk configured a certain way if you're facile with RPM. If you're not facile with RPM, then this approach is unlikely to be fruitful. Generally, I recommend investing in any deployment strategy you already use.

If you'd like a package that deploys splunk as a light forwarder in some fashion, feel free to lob an official enhancement request our way, but still you'd have to tell the forwarder where to forward to get a complete setup, so I'm not sure it would be useful.

0 Karma

jrodman
Splunk Employee
Splunk Employee

Our first-time startup is interactive, so you'd have to package the system post-first-time-run. However, that gets into problems where we store the hostname in configfiles. All of this is due to be more fully enabled in 4.2.

0 Karma

balbano
Contributor

Hi jrodman, I was able to get a custom RPM installed but was curious to see if it was possible to add 2 specs to the rpm:

  1. have the startup scripts automatically install upon rpm installation

AND

  1. Have the Splunk Environment Variable set to /usr/local/bin so that you can run the splunk command without having to type $Splunk_Home/bin/splunk...

Is that possible? If so what would need to be done? Any help you can provide would be great. Thanks.

Brian

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

This will probably help:

http://answers.splunk.com/questions/434/can-i-auto-install-or-deploy-splunk-onto-all-my-remote-windo...

It references Windows, but in fact much of it is applicable to any platform. Basically, you figure out the desired final configuration files and lay them on top of the install/RPM. All Splunk configuration (whether you set it via the GUI or the CLI) is stored and read from the configuration files.

0 Karma

Mick
Splunk Employee
Splunk Employee

Hi there.

Splunk are planning on shipping a 'LightForwarder' package in a future release, but that is likely to come along with the next major release. We have just released 4.1, which means our next major release will likely be close to the end of the year, but no target date has been set yet.

Currently, the recommended deployment method for this many servers is to use a deployment tool such as Puppet to handle the initial Splunk installation and configuration with a CLI command. You can enable both the SplunkLightForwarder app and the deployment client functionality using this method.

The commands to set up forwarding are detailed here and the commands for the deployment client feature are here

dwaddle
SplunkTrust
SplunkTrust

CFEngine is another good option as well

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...