Splunk Gurus!
We have multiple small Splunk setups in our environment with 1 HFWD, 2 IDXers, 1 DS and 2 SHs (one being a job server and another for REST API calls), as per the geographical locations.
And now we are moving them into clusters (NOT multisite). So it's like the 2 IDXers at the California data center will be in a cluster with RF=2 and SF=1.
Now, having 1 master server for a cluster of 2 IDXers is not justifiable to the business, and hence we came up with a solution to have our DS act as the cluster master too. So, we are going to use the deployment server to deploy the apps onto the clients, and we will use the configuration bundle method to push apps to the peer nodes, so this DS instance will have dual duties.
More clearly, config apps will be deployed from the deployment-apps directory on the DS to apps on the DCs, and the configuration bundle will be pushed from master-apps on the master node to slave-apps on the peer node.
Is this a recommended approach?
PS: We will eventually be moving into multisite clustering too in the near future.
How can we set up Splunk with one search head, one indexer and a forwarder? Steps would be highly appreciated.
In clustering, all apps for the peers should be pushed from the cluster master (master-apps directory).
You can push apps from the deployment server to the cluster master (master-apps) and then have the cluster master distribute them to its peers. Yes, this will work.
But we don't recommend running the deployment server and the cluster master on the same machine. As long as you run these on 2 different machines, we are good.
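The flow described in this answer, as an added configuration sketch that is not part of the original thread: the deployment server stages apps in the cluster master's master-apps directory, and the master then pushes them to the peers as a configuration bundle. The server class name, host names and app name are hypothetical, and `stateOnClient = noop` is a serverclass.conf setting added here that the thread itself does not mention.

```ini
# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Server class name, host pattern and app name below are hypothetical.
[serverClass:cluster_master]
whitelist.0 = cm01.example.com

[serverClass:cluster_master:app:org_all_indexes]
# noop: the deployment client ignores the app's enabled/disabled state.
# The app is only staged on the master for distribution to the peers.
stateOnClient = noop
# Do not restart splunkd on the master when the app is delivered.
restartSplunkd = false

# --- Cluster master: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
[deployment-client]
# Write downloaded apps into master-apps instead of the default etc/apps.
repositoryLocation = $SPLUNK_HOME/etc/master-apps
# Keep the local repositoryLocation even if the server suggests another path.
serverRepositoryLocationPolicy = rejectAlways

[target-broker:deploymentServer]
# Hypothetical deployment server address (separate machine from the master).
targetUri = ds01.example.com:8089

# --- On the cluster master, after the apps arrive (CLI, not a .conf setting) ---
# splunk validate cluster-bundle
# splunk apply cluster-bundle
```

The peers never talk to the deployment server in this layout; they only receive what the master pushes from master-apps into their slave-apps directory.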
I have the configuration that you mention: I have a deployment server, and I created a serverclass for my cluster master.
On my cluster master I changed deploymentclient.conf to:
[deployment-client]
repositoryLocation = $SPLUNK_HOME/etc/master-apps
serverRepositoryLocationPolicy = rejectAlways
I'm getting the apps from the deployment server, but the problem I have is that for some reason the apps keep refreshing and refreshing. It looks like the checksum tries to find the apps in $SPLUNK_HOME/etc/apps and, because the app is not there, gets another copy and installs it in $SPLUNK_HOME/etc/master-apps.
Do you have any suggestion?
This is what Splunk says:
Important: A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single role. In addition, the master cannot share a machine with a peer.
Deployment server and clusters
Do not use deployment server with cluster peers.
The deployment server is not supported as a means to distribute configurations or apps to cluster peers. To distribute configurations across the set of cluster peers, instead use the configuration bundle method outlined in the topic "Update common peer configurations".
For information on how to migrate app distribution from deployment server to the configuration bundle method, see "Migrate apps to a cluster".
If you make your master the deployment server, then you will be using the deployment server with cluster peers. For cluster peers, the slave-apps should be pushed by the master node.
First of all, thanks for your answer and time.
Well, we are going to use the deployment server to deploy the apps onto the clients, and we will use the configuration bundle method to push apps to the peer nodes, so this DS instance will have dual duties.
More clearly, config apps will be deployed from the deployment-apps directory on the DS to apps on the DCs, and the configuration bundle will be pushed from master-apps on the master node to slave-apps on the peer node.
Is this a recommended approach?