Deployment Architecture

deployment server

hugocvg
Explorer

My Splunk instance grew and now my deployment server is not enough.
I have 2 search heads, 4 indexers and 261 forwarders. My deployment server is located on the same server as indexer 1, since the instance at first was not so big. I need to know what I should take out of the server, the deployment server or the indexer, and how?
Thanks

0 Karma

gkanapathy
Splunk Employee

If it's easy for you to modify the clients to point to a new address of the DS, then that will probably be easier. But you would have to have a way to change the settings of all 261 clients. If (only if) the location of the DS is not set in $SPLUNK_HOME/etc/system/local, but instead in an app, it's possible to push out a new app to use DS to update the clients, but this is a tricky thing to coordinate even assuming you're in a position to do it at all.

Otherwise, you could move your indexer. As yannK says, you can do it just by changing the Splunk ports, and then updating the two search heads, which is pretty easy. That still leaves both indexer and DS on the same server, but may be good enough to last you a bit longer though.

Finally, you can try to move the indexer to a new machine. There's a bit more config, and the data may take a while to move, but again, you would only need to update the two search heads, plus use Deployment server to update the forwarding targets of all the clients.

0 Karma
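The condition in the answer above (whether the deployment server address is set in etc/system/local or in an app) can be checked per forwarder. The following is an added example, not part of the original thread and not Splunk tooling. The `[target-broker:deploymentServer]` stanza and `targetUri` key are Splunk's; the precedence order is simplified, and the app name and host names are constructed.

```python
import tempfile
from pathlib import Path

STANZA = "target-broker:deploymentServer"

def read_target_uri(conf: Path):
    """Return targetUri from the target-broker stanza of one conf file, or None."""
    stanza, uri = None, None
    for raw in conf.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza == STANZA and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "targetUri":
                uri = value
    return uri

def locate_ds_setting(splunk_home: Path):
    """Find the winning targetUri. Simplified precedence (an assumption of this
    example): system/local > apps/*/local > apps/*/default, apps in sorted order."""
    etc = splunk_home / "etc"
    candidates = [etc / "system" / "local"]
    apps = sorted((etc / "apps").glob("*")) if (etc / "apps").is_dir() else []
    candidates += [a / "local" for a in apps] + [a / "default" for a in apps]
    for directory in candidates:
        conf = directory / "deploymentclient.conf"
        uri = read_target_uri(conf) if conf.is_file() else None
        if uri:
            rel = conf.relative_to(splunk_home)
            # A value in system/local outranks anything pushed in an app.
            return {"targetUri": uri, "file": rel.as_posix(),
                    "repoint_via_app": rel.parts[1] == "apps"}
    return None

def make_sample_home(root: Path, where: str, uri: str) -> Path:
    """Build a constructed forwarder layout holding one deploymentclient.conf."""
    d = root / "etc" / where
    d.mkdir(parents=True)
    (d / "deploymentclient.conf").write_text(f"[{STANZA}]\ntargetUri = {uri}\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        home = make_sample_home(Path(tmp), "apps/org_all_deploymentclient/local",
                                "ds.example.com:8089")
        print(locate_ds_setting(home))
```

On a live forwarder, `splunk btool deploymentclient list --debug` reports which file each setting comes from. A result of `repoint_via_app: True` only helps if that app is one the deployment server already manages.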

hugocvg
Explorer

OK, I think I'll move my indexer to another box since I have 3 more indexers to handle the workload. Plus, in order to save some time, I can build my new indexer before I take down the one I need to take out.

0 Karma

gkanapathy
Splunk Employee

BTW, this is why we usually recommend using distinct host name aliases for each Splunk service, even if they're all running on the same instance of Splunk.

yannK
Splunk Employee

If you have a Linux box, you could run a new instance of Splunk on the same box to be the new deployment-server.
Change the ports in web.conf (keep web 8000 for the indexer, and keep management port 8089 for the deployment-server) to avoid conflict.

That way the deployment-clients will continue to go to the same port, and you just have to update the search-head to point to the new management port of the search-peer.

If you are on Windows ... install a new server.

0 Karma