Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk UF Deployment - Possible Issues

johann2017
Explorer
‎11-15-2019 08:28 AM

Hello. We are planning on deploying UFs across our enterprise ~ 3000 systems. Currently, we have deployed UFs to 50 systems and have seen no issues. Before doing a large deployment to cover our entire enterprise - I was curious if anyone has seen any issues arise from deploying UFs?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2019 09:39 AM

A single deployment server can easily handle that many UFs. Just remember to set phoneHomeIntervalInSecs to 600 or so (default is 60 seconds) in deploymentclient.conf.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-16-2019 05:08 PM

The rule of thumb is 1KUFs/1-minute of phone-home with default settings. The default is 1-minutes so 1K servers with default settings before you run into scaling problems.

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎11-16-2019 12:05 PM

If you are able to monitor the UF _internal log, you can possibly detect issues. The classic issue is that they maxthruput throttles the UF and the UF will get their data indexed in burtsts. If they roll logs they might miss events.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2019 09:39 AM

A single deployment server can easily handle that many UFs. Just remember to set phoneHomeIntervalInSecs to 600 or so (default is 60 seconds) in deploymentclient.conf.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

johann2017
Explorer
‎11-16-2019 09:26 AM

Thanks rich! Have you seen any other issues arise on the network, endpoints, servers or anything else or "gotchas" from mass deploying the UFs?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2019 04:40 AM

In general, no. UFs are very straightforward to deploy. Problems are always possible, however, if you exceed the capacity of any of your resources.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...