Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Required network openings for a distributed Splunk setup

mart10
Path Finder
‎10-11-2020 09:37 PM

I apologize if the title isn't very descriptive of the question I have, was not sure how to best frame it.

For a setup with numerous splunkforwarders forwarding to two indexing servers, and getting inputs/outputs from a deployment server, how is the network flow?

splunkforwarder -> splunk-index1/2 - is this forwarder-initiated?
splunk-master (deployment+cluster master) -> splunkforwarder - master or forwarder initiated for deployment of config/splunkd restarts?

I believe I found some information on this at some point, but that was for an older version and possibly outdated.

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-12-2020 01:11 AM
Yes, those are correct.

View solution in original post

Reply
Solved! Jump to solution

mart10
Path Finder
‎10-11-2020 11:15 PM

Thanks, just so I am sure I properly understand this:

splunkforwarder -> indexers # this is forwarder-polling/initiated on port 9997.
splunkforwarder -> deployment # this is also forwarder-polling/initiated, port 8089.
indexer/deployment/head -> license server # this is indexer/deployment/head-polling on port 8089.

So overall, splunkforwarders initiates every connection to their mothership. And splunk servers initiates connections to the license server.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-12-2020 01:11 AM
Yes, those are correct.
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-11-2020 10:07 PM

Hi @mart10 

splunk-master (deployment+cluster master) -> splunkforwarder - master or forwarder initiated for deployment of config/splunkd restarts? /// 

on Deployment server, when you make changes (to inputs.conf, etc), the changes will be sent to universal forwarders - In some cases, it deploys apps automatically. In other cases, you need to manually initiate the deployment.

https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Updateconfigurations

 

The phone home interval (that is, how frequently each client checks in with the deployment server for updates)

https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Calculatedeploymentserverperformance

phoneHomeIntervalInSecs = <number in seconds>
* Determines how frequently, in seconds, this deployment client should
  check for new content.
* Fractional seconds are allowed.
* Default: 60.
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Deploymentclientconf

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-11-2020 10:41 PM
Hi
here is diagram how nodes are connected together and which node is active on which connection.
https://docs.splunk.com/Documentation/Splunk/8.0.6/InheritedDeployment/Ports
r. Ismo
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...