Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Required network openings for a distributed Splunk setup

mart10
Path Finder
‎10-11-2020 09:37 PM

I apologize if the title isn't very descriptive of the question I have, was not sure how to best frame it.

For a setup with numerous splunkforwarders forwarding to two indexing servers, and getting inputs/outputs from a deployment server, how is the network flow?

splunkforwarder -> splunk-index1/2 - is this forwarder-initiated?
splunk-master (deployment+cluster master) -> splunkforwarder - master or forwarder initiated for deployment of config/splunkd restarts?

I believe I found some information on this at some point, but that was for an older version and possibly outdated.

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-12-2020 01:11 AM
Yes, those are correct.

View solution in original post

Reply
Solved! Jump to solution

mart10
Path Finder
‎10-11-2020 11:15 PM

Thanks, just so I am sure I properly understand this:

splunkforwarder -> indexers # this is forwarder-polling/initiated on port 9997.
splunkforwarder -> deployment # this is also forwarder-polling/initiated, port 8089.
indexer/deployment/head -> license server # this is indexer/deployment/head-polling on port 8089.

So overall, splunkforwarders initiates every connection to their mothership. And splunk servers initiates connections to the license server.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-12-2020 01:11 AM
Yes, those are correct.
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-11-2020 10:07 PM

Hi @mart10 

splunk-master (deployment+cluster master) -> splunkforwarder - master or forwarder initiated for deployment of config/splunkd restarts? /// 

on Deployment server, when you make changes (to inputs.conf, etc), the changes will be sent to universal forwarders - In some cases, it deploys apps automatically. In other cases, you need to manually initiate the deployment.

https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Updateconfigurations

 

The phone home interval (that is, how frequently each client checks in with the deployment server for updates)

https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Calculatedeploymentserverperformance

phoneHomeIntervalInSecs = <number in seconds>
* Determines how frequently, in seconds, this deployment client should
  check for new content.
* Fractional seconds are allowed.
* Default: 60.
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Deploymentclientconf

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-11-2020 10:41 PM
Hi
here is diagram how nodes are connected together and which node is active on which connection.
https://docs.splunk.com/Documentation/Splunk/8.0.6/InheritedDeployment/Ports
r. Ismo
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...