Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What are the risks of running a deployment server managing clustered indexers?

bradaltf4
New Member
‎05-20-2022 12:19 PM

This is a bit of a sanity check/what I don't know can still hurt me. I have a indexer cluster that has a couple large (>1GB) apps that need to be deployed also they are relatively static in their config changes. So I currently have those apps being deployed via a deployment server with the app set to not restart splunkd. This helps reduce bundle deployment and validation times. What risks/issues am I unaware of in running this setup? Besides the obvious peers may get restarted if that app ever gets changed to restart splunkd.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-20-2022 12:52 PM

I think we have some terminology mixed up.  Indexer clusters are managed by the Cluster Manager, not by a Deployment Server.  If you send apps to indexers from a DS then what you have is not an indexer cluster.

If you have independent indexers managed by a DS then you are in good company.  The risk is with an indexer outage (like when a peer restarts).  Any search that runs while the indexer is down will get incomplete results.  A cluster, however, prevents that by having the data replicated on another indexer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bradaltf4
New Member
‎05-20-2022 01:38 PM

Meant to reply instead of posting a new comment.

 

Nope, my terminology isn't mixed up. I'm running both a cluster master to deploy apps from the master-apps directory to the peers and a deployment server to deploy a couple of large apps directly to the apps directory.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-20-2022 10:41 PM

Hi @bradaltf4,

I'd like to add a consideration to the @richgalloway answer: why do you want to do this that surely doesn't run at the first restart (and restarting is mandatory in app installation)?

It'r definitively easier to manage your Indexers using a Master Node (It was created with this role!).

If yor need is to reduce bundle, probably the problem are the lookups, so you could blacklist some (or all) of them reducing the bundle dimension, solving the problem and maintaining the correct architecture.

for more infos see at https://docs.splunk.com/Documentation/Splunk/8.2.6/DistSearch/Limittheknowledgebundlesize

Ciao.

Giuseppe

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-20-2022 05:00 PM

Interesting.  You don't have much company there.

There is risk involved if both the CM and DS push the same app.  Bad things can happen if an app is installed twice on the same instance.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Holistic Visibility and Effective Alerting Across IT and OT Assets

Instead of effective and unified solutions, they’re left with tool fatigue, disjointed alerts and siloed ...

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...
Top