Deployment Architecture

Should we have Splunk deployment server and cluster master on the same instance? Recommendations please!

luhadia_aditya
Path Finder

Splunk Gurus!

We have multiple small Splunk setups in our environment with 1 HFWD, 2 IDXers, 1 DS and 2 SHs (one being a job server and another for REST API calls) as per the geographical locations.

And now we are moving them into clusters (NOT multisite). So it's like the 2 IDXers at the California data center will be in a cluster with RF=2 and SF=1.

Now, having 1 master server for a cluster of 2 IDXers is not justifiable to the business, and hence we came up with a solution to have our DS act as the cluster master too. So, we are going to use the deployment server to deploy the apps onto the clients, and we will use the configuration bundle method to push apps to the peer nodes, so this DS instance will have dual duties.

More clearly, config apps will be deployed from the deployment-apps directory on the DS to apps on the DCs, and the configuration bundle will be pushed from master-apps on the master node to slave-apps on the peer node.

Is this a recommended approach?

PS: We will eventually be moving into multisite clustering too in the near future.

riteshkrishnaja
New Member

How can we set up Splunk with one search head, one indexer and a forwarder? Steps would be highly appreciated.

mahamed_splunk
Splunk Employee

In clustering, all apps to peers should be pushed from the cluster master (master-apps directory).

You can push apps from the deployment server to the cluster master (master-apps) and then have the cluster master distribute to its peers. Yes, this will work.

But we don't recommend running the deployment server and cluster master on the same machine. As long as you run these on 2 different machines, then we are good.

aalanisr26
Path Finder

I have the configuration that you mention: I have a deployment server, and I created a serverclass for my cluster master.

In my cluster master I changed the deploymentclient.conf to:
[deployment-client]
repositoryLocation = $SPLUNK_HOME/etc/master-apps
serverRepositoryLocationPolicy = rejectAlways

I'm getting the apps from the deployment server, but the problem I have is that for some reason the apps keep refreshing and refreshing. It looks like the checksum tries to find the apps in $SPLUNK_HOME/etc/apps and, because the app is not there, gets another copy and installs it in $SPLUNK_HOME/etc/master-apps.
Do you have any suggestion?

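The two-machine layout described in the replies above (deployment server delivering apps into the cluster master's master-apps directory, cluster master then distributing to its peers), written out as an added configuration sketch that is not from any poster in this thread. The serverclass name, host names and app name are placeholders, and the serverclass.conf stanzas are an assumption about how the deployment-server side would be set up.

```ini
# ---------------------------------------------------------------------
# On the deployment server (separate machine from the cluster master):
#   $SPLUNK_HOME/etc/system/local/serverclass.conf
# The app itself lives in $SPLUNK_HOME/etc/deployment-apps/org_all_indexes
# "cluster_master_bundle", "cm01.example.com" and "org_all_indexes"
# are placeholders.
# ---------------------------------------------------------------------
[serverClass:cluster_master_bundle]
# Only the cluster master is a client of this class; peers are NOT listed.
whitelist.0 = cm01.example.com

[serverClass:cluster_master_bundle:app:org_all_indexes]
# noop: do not force the app to "enabled" on the client. The master only
# stages the app for its peers and should not run it itself.
stateOnClient = noop
# Do not restart splunkd on the master when the staged app changes.
restartSplunkd = false

# ---------------------------------------------------------------------
# On the cluster master:
#   $SPLUNK_HOME/etc/system/local/deploymentclient.conf
# ---------------------------------------------------------------------
[deployment-client]
# Downloaded apps land in master-apps instead of etc/apps.
repositoryLocation = $SPLUNK_HOME/etc/master-apps
# Ignore any repository location suggested by the deployment server.
serverRepositoryLocationPolicy = rejectAlways

[target-broker:deploymentServer]
# Placeholder address of the deployment server's management port.
targetUri = ds01.example.com:8089

# ---------------------------------------------------------------------
# Delivery into master-apps does not reach the peers by itself. On the
# cluster master, the configuration bundle still has to be pushed:
#   splunk apply cluster-bundle
# which copies master-apps to slave-apps on each peer node.
# ---------------------------------------------------------------------
```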

strive
Influencer

This is what Splunk says:

Important: A master node cannot do double duty as a peer node or a search node. The Splunk Enterprise instance that you enable as master node must perform only that single role. In addition, the master cannot share a machine with a peer.

Deployment server and clusters
Do not use deployment server with cluster peers.
The deployment server is not supported as a means to distribute configurations or apps to cluster peers. To distribute configurations across the set of cluster peers, instead use the configuration bundle method outlined in the topic "Update common peer configurations".
For information on how to migrate app distribution from deployment server to the configuration bundle method, see "Migrate apps to a cluster".

If you make your master the deployment server, then you will be using the deployment server with cluster peers. For cluster peers, the slave-apps should be pushed by the master node.

luhadia_aditya
Path Finder

First of all, thanks for your answer and time.

Well, we are going to use the deployment server to deploy the apps onto the clients, and we will use the configuration bundle method to push apps to the peer nodes, so this DS instance will have dual duties.

More clearly, config apps will be deployed from the deployment-apps directory on the DS to apps on the DCs, and the configuration bundle will be pushed from master-apps on the master node to slave-apps on the peer node.

Is this a recommended approach?
