Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Identify number of deployment server clients?

Jnewman28
Explorer
‎04-19-2021 01:00 PM

When looking to update a deployment enterprise instances, we are exploring using a deployment server.

Splunk documentation says the below:

"When provisioning a deployment server, note the following:

  • If it will be deploying to more than 50 clients, the deployment server must run on a dedicated Splunk Enterprise instance. The instance cannot double as an indexer or search head."

Is this below command the way to view the number of clients?

If so, I have 46, but I am looking to confirm, to see if we need to use a dedicated Splunk enterprise instance for updating using a deployment server.

 

 

 

index=_internal source=*metrics.log group=tcpin_connections splunk_server=* 
| eval host=if(isnull(hostname), sourceHost,hostname) 
| search (host=*) AND (host!="(ALL)")
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder") 
| eval Ver=if(isnull(version),"pre 4.2",version) 
| fields connectionType sourceIp host kb tcp_eps tcp_KBps splunk_server Ver
| stats min(_time) as first_time, max(_time) as last_time, max(tcp_KBps) as max_tcp_KBps, avg(tcp_KBps) as avg_tcp_KBps, avg(tcp_eps) as avg_tcp_eps, sum(kb) as sum_kb by host sourceIp Ver 
| dedup host
| eval sum_mb = round(sum_kb/1024,0) 
| fields - sum_kb 
| eval avg_tcp_KBps = round(avg_tcp_KBps,0)
| eval max_tcp_KBps = round(max_tcp_KBps,0)
| eval class=case(
avg_tcp_KBps>0 AND avg_tcp_KBps<=128, "Standard Hosts",
avg_tcp_KBps>128 AND avg_tcp_KBps<=256, "Better Hosts",
avg_tcp_KBps>256, "Special Hosts")
| convert ctime(*time) 
| rename first_time as "First seen", last_time as "Last seen", avg_tcp_KBps as "AVG KB/s", avg_tcp_eps as "AVG Events/s per 30 seconds", sum_mb as "Total MB", max_tcp_KBps as "Peak Kbps" connectionType AS "Forwarder Type" sourceIp as "Source IP" host AS "Host" Ver As "Splunk Version"
| sort - "Peak Kbps"

 

 

Labels (1)
Labels
0 Karma
Reply

Jnewman28
Explorer
‎04-23-2021 06:58 AM

Thanks for the insight and confirmation. We currently have a separate IDX Master that houses the License Manager and feeds it to the indexers.

Are you saying it's a good practice to place the deployment server on the (in our case) IDX Master server?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-23-2021 07:36 AM

Co-locating the DS and CM is something you may be able to get away with, but it's not a good practice.  As the Splunk environment grows and becomes busier, the DS and CM will compete for resources and the indexer cluster will suffer for it.  See "Management / Utility Tier Recommendations" in the Splunk Validated Architectures manual (https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf)

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-19-2021 05:34 PM

The search looks reasonable and 46 is an OK number for a DS.  The 50 number is not a hard limit, but a guideline.  A lot will depend on how frequently the clients phone home.  However, it's still a Good Practice to separate the DS from the indexers and search heads.  It's common to co-locate it with the License Manager.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...