Deployment Architecture

Recommended sizing for deployment server?

rolltide
Engager

We have a deployment server as an instance of a search head. How many clients can a deployment server can handle?

0 Karma

jimodonald
Contributor

The DS is a single-threaded application and does not scale well vertically. Adding more CPU/Memory to a DS is not going to help much. You'll need about 1 DS per (approximately) 5000 hosts. and you'll want to put them behind a load balancer.

the hardware requirements are pretty low. we have our sized at 8CPU/32GB of memory, but you can likely use smaller servers. I would recommend testing various sizing configs to see what works well for your environment.

M_Radoszewski
Explorer

So for 100k forwarders that is 20 servers minimum, which doesn't sound even remotely maintainable assuming each of them will have a different set of configurations. Correct me if I am wrong, but this ultimately renders deployment servers useless and forces larger organisations to use different automated deployment tools, right?

0 Karma

jimodonald
Contributor

with that many forwarders, you should be (IMHO) using GIT for managing your configs. and then you deploy the entire set of configs to all of the DS. think of managing them as a whole.

And with a deployment of that size, you should be talking to your Splunk Field Architect.

ChrisG
Splunk Employee
Splunk Employee

If you are deploying to more than 50 clients, your deployment server needs to be a separate Splunk Enterprise instance.

A dedicated deployment server can handle thousands of clients. There are numerous things to consider. See Estimate deployment server performance in Updating Splunk Enterprise Instances.

M_Radoszewski
Explorer

The problem is - this is only suitable for small environments (up to 2000 forwarders). There are some environments out there that are 40+ times larger then covered in this document.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...