Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

The deployment server did not find any clients

yin_guan
Explorer
‎12-30-2024 02:22 AM

Hello evereone

I encountered an issue, as shown in the image. I can see two machines in the MC's forwarder dashboard, but I don't see any machines in my forwarder management. 

I have added the following configuration to DS, but it still doesn't work after restarting

[indexAndForward]
index = true
selectiveIndexing = true

The deployment server and UF are both version 9.3.

What aspects should I check?

 

yin_guan_0-1735553921738.png

yin_guan_1-1735553940158.pngyin_guan_2-1735553985513.png

yin_guan_3-1735554008511.png

 

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-30-2024 02:41 AM

Hi @yin_guan ,

at first, you don't need to locally index anything on the DS, so you can have :

[indexAndForward]
index = false

Then, did you checked if firewall route between UF and DS is open for the Management Port 8089 used by the DS ?

You can check it from the UF using telnet:

telnet 192.168.90.237 8089

Then, on the UF, I suppose that you configured outputs.conf in $SPLUNK_HOME/etc/system/local, is it true?

it's a best practice do not configure outputs.conf in $SPLUNK_HOME/etc/system/local, but in a dedicated add-on deployed using the DS.

At least, two or three minutes are required for the connection to the DS.

Ciao.

Giuseppe

0 Karma
Reply

yin_guan
Explorer
‎12-30-2024 06:36 PM

I found the problem, I needed to add the following to the inputs.conf file of UF, I don't know if this is a problem after the update or if it was also needed before, obviously when I typed it they showed

[default]
host = 192.168.90.233

 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-30-2024 11:18 PM
This is interesting! There should be $decideOnStartup$ (or something similar) as default, which gives you the current hostname when node / UF service has started.
Is this multi interface node or any issues with hostname or is there any inputs which set host name / ip?
0 Karma
Reply

yin_guan
Explorer
‎12-30-2024 11:52 PM

I'm not sure what caused it. Normally, it shouldn't be caused by the inputs.cof file. The previous MC/DS was a distributed indexer cluster management node, and after the restart, it became a single deployment server.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-31-2024 12:31 AM
Wait a minute, are we talking about server side not UF side? And you have several server roles in one splunk instance? If then you must read this https://docs.splunk.com/Documentation/Splunk/latest/Deploy/Manageyourdeployment and follow those restrictions what it has!
0 Karma
Reply

yin_guan
Explorer
‎12-31-2024 02:06 AM

It may be because my DS and CM are installed together. I need to test it further.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-31-2024 02:20 AM
Based on that document DS + CM is not allowed (supported) combination in one server instance.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-30-2024 05:10 AM

This has changed on 9.2 see https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers

If you have distributed environment where DS is not your only indexer you must follow above instructions.

Do you have look from internal logs (_internal and those _ds*) if there are any hints why those are not seen on DS's screens?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...