deployment server

hugocvg
Explorer

My Splunk instance grew and now my deployment server is not enough.
I have 2 search heads, 4 indexers and 261 forwarders. My deployment server is located on the same server as indexer 1, since the instance at first was not so big. I need to know what I should take out of the server, the deployment server or the indexer, and how?
Thanks

0 Karma

gkanapathy
Splunk Employee

If it's easy for you to modify the clients to point to a new address of the DS, then that will probably be easier. But you would have to have a way to change the settings of all 261 clients. If (only if) the location of the DS is not set in $SPLUNK_HOME/etc/system/local, but instead in an app, it's possible to push out a new app to use DS to update the clients, but this is a tricky thing to coordinate even assuming you're in a position to do it at all.

Otherwise, you could move your indexer. As yannK says, you can do it just by changing the Splunk ports, and then updating the two search heads, which is pretty easy. That still leaves both indexer and DS on the same server, but may be good enough to last you a bit longer though.

Finally, you can try to move the indexer to a new machine. There's a bit more config, and the data may take a while to move, but again, you would only need to update the two search heads, plus use Deployment server to update the forwarding targets of all the clients.

0 Karma
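The condition in the answer above (DS address in `etc/system/local` versus in an app) can be checked on a forwarder before planning the move. The script below is an added example, not part of the original thread or Splunk's own tooling. It assumes the address is the `targetUri` setting in `deploymentclient.conf` and that `system/local` takes precedence over any app; the app name `ds_client` and host `ds.example.com` are constructed sample values.

```shell
#!/bin/sh
# Added example: report where a deployment client's targetUri is defined.
# Simplified precedence: system/local, then app local, then app default.

# Print the first targetUri value found in one conf file (nothing if absent).
read_target_uri() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*targetUri[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# $1 = the etc directory of a Splunk install, e.g. $SPLUNK_HOME/etc
ds_target_location() {
    etc_dir=$1
    # A value here wins over anything an app pushed by the DS could set.
    uri=$(read_target_uri "$etc_dir/system/local/deploymentclient.conf")
    if [ -n "$uri" ]; then
        echo "system-local $uri"
        return 0
    fi
    for conf in "$etc_dir"/apps/*/local/deploymentclient.conf \
                "$etc_dir"/apps/*/default/deploymentclient.conf; do
        uri=$(read_target_uri "$conf")
        if [ -n "$uri" ]; then
            app=${conf#"$etc_dir"/apps/}
            echo "app:${app%%/*} $uri"
            return 0
        fi
    done
    echo "unset"
}

# Constructed sample layout: targetUri delivered by a hypothetical app.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/apps/ds_client/local"
    printf '[target-broker:deploymentServer]\ntargetUri = ds.example.com:8089\n' \
        > "$d/apps/ds_client/local/deploymentclient.conf"
    ds_target_location "$d"
    rm -rf "$d"
}
demo
```

A result of `system-local` means an app pushed from the DS cannot repoint that client. On a live forwarder, `splunk btool deploymentclient list --debug` shows the effective value and the file it comes from.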

hugocvg
Explorer

OK, I think I'll move my indexer to another box, since I have 3 more indexers to handle the workload. Plus, in order to save some time, I can build my new indexer before I take down the one I need to take out.

0 Karma

gkanapathy
Splunk Employee

BTW, this is why we usually recommend using distinct host name aliases for each Splunk service, even if they're all running on the same instance of Splunk.

yannK
Splunk Employee

If you have a Linux box, you could run a new instance of Splunk on the same box to be the new deployment-server.
Change the ports in web.conf (keep web 8000 for the indexer, and keep management port 8089 for the deployment-server) to avoid conflict.

That way the deployment-clients will continue to go to the same port, and you just have to update the search-head to point to the new management port of the search-peer.

If you are on Windows ... install a new server.

0 Karma