When looking to update a deployment enterprise instances, we are exploring using a deployment server.
Splunk documentation says the below:
"When provisioning a deployment server, note the following:
Is this below command the way to view the number of clients?
If so, I have 46, but I am looking to confirm, to see if we need to use a dedicated Splunk enterprise instance for updating using a deployment server.
index=_internal source=*metrics.log group=tcpin_connections splunk_server=*
| eval host=if(isnull(hostname), sourceHost,hostname)
| search (host=*) AND (host!="(ALL)")
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval Ver=if(isnull(version),"pre 4.2",version)
| fields connectionType sourceIp host kb tcp_eps tcp_KBps splunk_server Ver
| stats min(_time) as first_time, max(_time) as last_time, max(tcp_KBps) as max_tcp_KBps, avg(tcp_KBps) as avg_tcp_KBps, avg(tcp_eps) as avg_tcp_eps, sum(kb) as sum_kb by host sourceIp Ver
| dedup host
| eval sum_mb = round(sum_kb/1024,0)
| fields - sum_kb
| eval avg_tcp_KBps = round(avg_tcp_KBps,0)
| eval max_tcp_KBps = round(max_tcp_KBps,0)
| eval class=case(
avg_tcp_KBps>0 AND avg_tcp_KBps<=128, "Standard Hosts",
avg_tcp_KBps>128 AND avg_tcp_KBps<=256, "Better Hosts",
avg_tcp_KBps>256, "Special Hosts")
| convert ctime(*time)
| rename first_time as "First seen", last_time as "Last seen", avg_tcp_KBps as "AVG KB/s", avg_tcp_eps as "AVG Events/s per 30 seconds", sum_mb as "Total MB", max_tcp_KBps as "Peak Kbps" connectionType AS "Forwarder Type" sourceIp as "Source IP" host AS "Host" Ver As "Splunk Version"
| sort - "Peak Kbps"
Thanks for the insight and confirmation. We currently have a separate IDX Master that houses the License Manager and feeds it to the indexers.
Are you saying it's a good practice to place the deployment server on the (in our case) IDX Master server?
Co-locating the DS and CM is something you may be able to get away with, but it's not a good practice. As the Splunk environment grows and becomes busier, the DS and CM will compete for resources and the indexer cluster will suffer for it. See "Management / Utility Tier Recommendations" in the Splunk Validated Architectures manual (https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf)
The search looks reasonable and 46 is an OK number for a DS. The 50 number is not a hard limit, but a guideline. A lot will depend on how frequently the clients phone home. However, it's still a Good Practice to separate the DS from the indexers and search heads. It's common to co-locate it with the License Manager.