Deployment Architecture

What are some best practices for deploying new Splunk cluster step-by-step?

splunkreal
Motivator

Hello guys,

I would like to have best practices regarding deploying a new Splunk cluster V8. Could you say if this is correct and in logical order?

 

1. Install Splunk on all nodes with non-root user (except if you want HF), verify ulimits

2. Configure one server "manager" with monitoring console, license master, deployer & deployment server roles

3. Configure Master Node (cluster master) on separate server

4. Configure peers, connect them to the MN

5. Configure search heads, connect them to the MN

6. Configure Universal forwarders

 

Thanks.

* If this helps, please upvote or accept solution 🙂 *
0 Karma

PickleRick
SplunkTrust

I don't agree that HF must be run as root. It doesn't need it.

0 Karma

splunkreal
Motivator

If you need to open port 514?
0 Karma

PickleRick
SplunkTrust

Yes, but that's not unique to HF. You can use UF to receive data on raw tcp/udp port. And still you can just open another, higher port, like 1514, 6514 or whatever. And even better - use a separate syslog-collecting layer like sc4s or rsyslog and send data to HEC from there.

0 Karma
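
The exchange above turns on which listening ports force a forwarder to run as root. As an added example (not part of the thread), this check scans an `inputs.conf` for enabled `tcp`, `udp` and `tcp-ssl` listeners on ports below 1024, which a non-root process cannot bind on Linux without extra privileges. The function names are hypothetical and the sample configuration is constructed.

```python
import re

# inputs.conf stanza headers that open a listening socket:
# [tcp://<port>], [tcp://<host>:<port>], [udp://<port>], [tcp-ssl:<port>]
LISTENER = re.compile(r"^\[(tcp-ssl|tcp|udp)(?:://|:)(?:[^\]:]*:)?(\d+)\]$")
PRIVILEGED_MAX = 1023  # binding below 1024 needs root or CAP_NET_BIND_SERVICE

def parse_listeners(conf_text):
    """Return one dict {proto, port, disabled} per network input stanza."""
    listeners, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = LISTENER.match(line)
            current = None  # settings of non-listener stanzas are ignored
            if m:
                current = {"proto": m.group(1), "port": int(m.group(2)),
                           "disabled": False}
                listeners.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "disabled":
                current["disabled"] = value.lower() in ("1", "true")
    return listeners

def privileged_listeners(conf_text):
    """Enabled listeners that a non-root splunkd could not bind."""
    return [(l["proto"], l["port"]) for l in parse_listeners(conf_text)
            if not l["disabled"] and l["port"] <= PRIVILEGED_MAX]

# Constructed sample inputs.conf, for illustration only
SAMPLE = """
[udp://514]
sourcetype = syslog
[tcp://514]
disabled = 1
[tcp://1514]
[tcp-ssl:6514]
[monitor:///var/log/messages]
"""

if __name__ == "__main__":
    for proto, port in privileged_listeners(SAMPLE):
        print(f"{proto}/{port}: cannot bind as non-root; use a port above 1023")
```
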

gcusello
SplunkTrust

Hi @splunkreal,

Yes, the process is correct, only three things:

  • I'd also add the forwarding of all logs from all servers to the Indexers,
  • if the Deployment Server has to manage more than 50 clients, it must be on a dedicated server,
  • if you have Heavy Forwarders, you have to install and configure them before Universal Forwarders.

Ciao.

Giuseppe

0 Karma

venky1544
Builder

Hi @splunkreal 

I guess this is for your practice, right? The flow is correct.

However, I would not recommend a deployment server and license server setup on one server if you have more than 50 clients where the UF needs to be installed; for low volume, though, the deployment server is OK to be clubbed.

Try these links for reference:

http://wiki.splunk.com/Deploy:DeploymentServer

http://wiki.splunk.com/Things_I_wish_I_knew_then

Also, if you are configuring the master node, steps 4 and 5 should have sub-steps for indexer clustering and SH clustering.

If you find the answer helpful, a karma is appreciated
