Deployment Architecture

search head cluster

kobi
Loves-to-Learn Lots

Hi all

Is there a way to use one deploy server to push app to 2 different search head clusters?

for example I have search head cluster named site1 and I want to install a new search head cluster named site2

then push to site1 some apps, and to push a different apps to site 2, so I can control which app will be pushed to each site

  

Labels (1)
0 Karma

JohnEGones
Communicator

This was an issue I struggled with a bit at first, and while the Splunk team is very excellent, there own perspective is not always intuitive with respect to naming and function.

Splunk DOCs describe the following about the deployment server, in particular the deployment clients have a defined deployment server that manages the configurations that are pushed out to it see the following:

Plan a deployment - Splunk Documentation


"

Deployment server and clusters

You cannot use the deployment server to update indexer cluster peer nodes or search head cluster members.

Indexer clusters

Do not use deployment server or forwarder management to manage configuration files across peer nodes (indexers) in an indexer cluster. Instead, use the configuration bundle method. You can, however, use the deployment server to distribute updates to the manager node, which then uses the configuration bundle method to distribute them to the peer nodes. See "Update common peer configurations" in the Managing Indexers and Clusters of Indexers manual.

Search head clusters

Do not use deployment server to update search head cluster members.

The deployment server is not supported as a means to distribute configurations or apps to cluster members. To distribute configurations across the set of members, you must use the search head cluster deployer. See "Use the deployer to distribute apps and configuration updates" in the Distributed Search manual."

 


The reference for respective configuring is here:

Deploying Apps:

Use the deployer to distribute apps and configuration updates - Splunk Documentation
(see this section: https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges#Depl...)

By contrast, apps and configurations are managed by the deployment server, here:

Create deployment apps - Splunk Documentation

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @kobi ,

as @PickleRick said, you cannot use a Deployment Server to push apps to Search Head Cluster, 

you must use a SHC-Deployer.

You eventually could push the apps from the DS to the SHD-Deployer and after it deployes apps to the Cluster.

Ciao.

Giuseppe

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Ahhhh. yes. The usual confusion between Deployer and Deployment Server (I read "deploy server" as Deployer, you read it - probably good - as DS).

This naming is confusing, especially for newbies.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

No. Each SHC needs own deployer. But the deployer does not do much so it doesn't have to be a big machine.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

This is not exactly true. You could have several SHCs which are using the same deployer, BUT then all those must have same apps! So you cannot have on Deployer and several SHCs with different apps.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

True. Strictly theoretically, you could use the same deployer to deploy apps to multiple SHCs but they would have to not only have the same apps but also the same push modes, shared secret and so on. Generally, it's much more trouble than it's worth. Just stick to a deployer per SHC. Especially considering that deployer instances don't need to be big.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...