Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What are some best practices for deploying new Splunk cluster step-by-step?

splunkreal
Motivator
‎03-23-2022 09:14 AM

Hello guys,

I would like to have best practices regarding deploying new Splunk cluster V8, could you say if correct and in logical order?

 

1. Install Splunk on all nodes with non-root user (except if you want HF), verify ulimits

2. Configure one server "manager" with monitoring console, license master, deployer & deployment server roles

3. Configure Master Node (cluster master) on separate server

4. Configure peers, connect them to the MN

5. Configure search heads, connect them to the MN

6. Configure Universal forwarders

 

Thanks.

* If this helps, please upvote or accept solution 🙂 *
Tags (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-23-2022 01:03 PM

I don't agree that HF must be run as root. It doesn't need it.

0 Karma
Reply

splunkreal
Motivator
‎03-23-2022 03:46 PM

If you need to open 514 port?

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-24-2022 01:10 AM

Yes, but that's not unique to HF. You can use UF to receive data on raw tcp/udp port. And still you can just open another, higher port, like 1514, 6514 or whatever. And even better - use a separate syslog-collecting layer like sc4s or rsyslog and send data to HEC from there.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-23-2022 09:42 AM

Hi @splunkreal,

yes the process is correct, only three things:

  • I'd add also the forwarding of all logs from all servers to the Indexers,
  • if the Deployment Servers has to manage more than 50 clients, it must be on a dedicated server,
  • if you have Heavy Forwarders, you have to install and configire them before Universal Forwarders.

Ciao.

Giuseppe

0 Karma
Reply

venky1544
Builder
‎03-23-2022 09:41 AM

Hi @splunkreal 

I guess this for your practise right the flow is correct

however i would not recommend deployment server and license server setup one one server if you have more than 50 clients where UF needs to be installed  however for  low volume deployment server is OK to be clubbed 

try this link for reference 

(http://wiki.splunk.com/Deploy:DeploymentServer

 http://wiki.splunk.com/Things_I_wish_I_knew_then

and also if you are configuring masternode  step 4 and 5 should have sub steps indexer clustering and SH clustering  

If you find the answer helpful, an karma is appreciated

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...