We already have Splunk deployed, (indexer, w/ light forwarders)...
The reason for this question is that we've had issues getting splunk to work, but initially had issues getting data from forwarders. After uninstalling and reinstalling a few times, it finally worked.. somehow.. Which is fine..
Problem is, updating forwarders to blacklist certain events to not exceed license limits (saving bandwidth) is going to be a pain to do this every time manually. Having to update conf files on each server and of course -as we grow- it makes more sense to have a deployment server enabled.
So, is there anyway to enable a deployment server on a splunk instance that is already installed without having to re-install the indexer and forwarder(s)?
If there is a link to help with this, that would be perfect..
Thanks in advance,
Joe
You don't need to reinstall. The deployment server capability is automatically enabled in Splunk Enterprise. You will need to restart the instances that you specify as deployment clients, but you don't need to reinstall. See this topic in the Updating Splunk Enterprise Instances manual for more information.
You will have to touch each forwarder one more time. You have to point the forwarders to a Deployment Server for them to pick up configs. You also need to choose a Deployment Server and stand it up ( you could use an indexer or search head - but is not recommended).
For full reading: http://docs.splunk.com/Documentation/Splunk/6.2.1/Updating/Aboutdeploymentserver
Start there and keep reading. 😄
You don't need to reinstall. The deployment server capability is automatically enabled in Splunk Enterprise. You will need to restart the instances that you specify as deployment clients, but you don't need to reinstall. See this topic in the Updating Splunk Enterprise Instances manual for more information.
Ok.. thanks for the help.. Wanted to accept both answers as they helped me get this figured out..