Deployment Architecture

What are some best practices for deploying new Splunk cluster step-by-step?


Hello guys,

I would like to have best practices regarding deploying new Splunk cluster V8, could you say if correct and in logical order?


1. Install Splunk on all nodes with non-root user (except if you want HF), verify ulimits

2. Configure one server "manager" with monitoring console, license master, deployer & deployment server roles

3. Configure Master Node (cluster master) on separate server

4. Configure peers, connect them to the MN

5. Configure search heads, connect them to the MN

6. Configure Universal forwarders



Tags (2)
0 Karma

Ultra Champion

I don't agree that HF must be run as root. It doesn't need it.

0 Karma


If you need to open 514 port?

0 Karma

Ultra Champion

Yes, but that's not unique to HF. You can use UF to receive data on raw tcp/udp port. And still you can just open another, higher port, like 1514, 6514 or whatever. And even better - use a separate syslog-collecting layer like sc4s or rsyslog and send data to HEC from there.

0 Karma


Hi @realsplunk,

yes the process is correct, only three things:

  • I'd add also the forwarding of all logs from all servers to the Indexers,
  • if the Deployment Servers has to manage more than 50 clients, it must be on a dedicated server,
  • if you have Heavy Forwarders, you have to install and configire them before Universal Forwarders.



0 Karma


Hi @realsplunk 

I guess this for your practise right the flow is correct

however i would not recommend deployment server and license server setup one one server if you have more than 50 clients where UF needs to be installed  however for  low volume deployment server is OK to be clubbed 

try this link for reference 


and also if you are configuring masternode  step 4 and 5 should have sub steps indexer clustering and SH clustering  

If you find the answer helpful, an karma is appreciated

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...