My Splunk infrastructure (search head, indexer, etc.) is deployed on Windows servers.
As for any other Windows server, I have the requirement to collect event logs, etc. I would like to know if it is possible to make a dual install of Splunk Enterprise and the Universal Forwarder on the same server in order to make a clear separation between search head, indexer roles and the windows server auditing part which is common to other standard Windows servers.
In such a case, it would allow me to have the capability to push new apps to the universal forwarder (new audit rule, etc.) in the same way than others servers, and especially being free to restart the UF service without any fear to impact search head, indexer critical roles.
Is it technically supported ? Does it make sense ?
I did it but was a temporary situation with a Splunk Enterprise that I was dismissing: I don't suggest to have a standard configuration with two instances (one Enterprise and one Forwarder) also because you have to verify the resource usege of both the environments, maybe is better to use two separated virtual instances.
Every way, here you can find some information on the installation and configuration: https://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine
Thanks for the link. This link looks to discuss about install of two server instances on the same server.
In my case, it is about one server instance + one UF instance. (I hope) it is more easier to manage in my case.
But information are very interesting in any case.
It is completely possible, but I would not recommend it, in general.
Tell us more about your Searcheads and Indexers. How many? How are they set up (standalone, clustered)?
Hello, number should not matter as I am typically looking for a strategy that would allow me to safely ignore the specific Splunk role of a given Windows server when it is used to host a Splunk Enterprise Role.
As far as role is concerned, you can assume I have to deploy most of typical roles in both standalone or cluster mode.
To give a more practical scenario, it does happen we have the need during temporary period to increase audit level on a specific aspect of our Windows servers. In such a case:
1. We used to deploy an additional app covering the use case
2. Any Windows server is to be targeted, whatever it does act as Splunk Enterprise server or not
3. we need to go fast and I want a seamless experience as much as possible.
In others words, I can afford to blindly restart UF, I cannot for Enterprise roles. So my suggestion/question of dual install of UF and server role.
The number matters because it helps to dictate the solution you build.
Answering this type of question without understanding your environment is careless.
If you are talking about a few standalone SH/indexers...then adding another process to do a job the existing process can do seems overkill.
If you are talking a cluster of 40 indexers then you should simply be using the cluster master. SHC should use deployer...
Plus... you can change input monitors without re-starting splunk at all...
Regardless, well built splunk architectures have many built in redundancies to allow admins to restart processes when needed...I guess it all depends on what your priorities are and how its been built...
that can be the hardest part of being a splunk admin....everything is possible...most times its not CAN you, its SHOULD you.
I say test it out and see of it provides the streamlining you are looking for, cause while your theory is based on this particular scenario, it adds much more complexity, and possibly performance concerns, to administrating your environment.
Thanks for your additional feedback.
my intention by not giving environment sizing was to re-inforce the need for a solution that will be scalable... But indeed, I have nothing to hide. As of today, I have 3 x SHC + 1 x Deployer + 3 x HEC + 3 clustered indexes with plan to grow.
NP at all. That's why I asked. If you are in a smallish environment with lots of standalone, you could hack something together, but in a growing, traditionally architected Splunk deployment, the most scalable solution is to manage the searchheads and indexers with the cluster master and the deployer, and to have an app ready for when you need to up the ante on your logging.
I think by default Splunk installs a UF with a Windows installation of Splunk.
You do het a warning message when you start the UF that it has changed the Splunk Home path.
Same as other people above.
Do not recommend to do that if you're looking for a good practice in general from performance/system resource usage point of view.
Technically you can install one UF and one Full package. However, depending on resource usage by each Splunk instances, you may encounter system resource issue and have performance related errors. I would do this only test environment or both Splunk instances won't use up system resources (this means very light usage, not like heavy searches, dashboards, high indexing volume, tons of monitoring, a lot of network sockets/volume usage, etc.)