Deployment Architecture

Setting up Deployment Server to manage multiple instances on a single server

ShaneNewman
Motivator

Just to explain why I have to do this...

Rack space is at a premium where I work so we had to consolidate our footprint in the data center. I have successfully consolidated 14 physical indexers to 7 physical indexers with 2 instances of Splunk running on each server. Specs for those Indexing servers are:
OS: Linux Red Hat
CPU: 16-core 3.2 GHz
RAM: 128GB
HDD: SAN attached, 3 mounts per instance at 3500 IOPS per mount

I am trying to setup the serverclass.conf file to manage the instances on the indexers separately because the mount points for the indexes are different based on the instance name. How can I do this? I have read the serverclass.conf documentation and cannot find it documented in there anywhere...

1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Are you asking how to distinguish two instances on the same machine?
If so, set a clientName each in deploymentclient.conf and refer to that in your serverclass.conf - those are matched first.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Are you asking how to distinguish two instances on the same machine?
If so, set a clientName each in deploymentclient.conf and refer to that in your serverclass.conf - those are matched first.

jrodman
Splunk Employee
Splunk Employee

As a footnote, I would strongly encourage setting the etc/system/local/server.conf serverName= of one of the two to be different from the other, and consider also differentiating etc/system/local/inputs.conf host= (unless you really want to make data from both systems indistinguishable).

ShaneNewman
Motivator

I have already done these things. The Universal forwarder is part of our Linux image so all system data comes in through that route. The server.conf have the images setup in this fashion: serverName = host_instance. The indexers only receive data from Splunk UF's, each instance is listening on a different port so an inputs.conf entry should not be necessary.

0 Karma

ShaneNewman
Motivator

That is exactly what I needed to know! Thank you for responding so quickly!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...