Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

We have installed a Universal forwarder on one of our servers, Can we add another instance of Splunk and use it as a deployment server too?

Tejkumar451
Explorer
‎08-08-2017 10:55 AM

We have a server where we have universal forwarder, and I am planning to install a splunk enterprise version so that i can use it as a deployment server. Can I do this? If so what are the things I have to taken care of?
1) What are the ports that I have to change?
2) Should I do any capacity planning for the same?
3) What are the things I have to keep in mind, before/while proceeding into this
Please do help!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-08-2017 11:17 AM

It is unusual to use a universal forwarder machine as a deployment server and not recommended, but technically possible.
The only port you need to change is the management port (default: 8089). The UF does not bind to any other ports.

Depending on the number of deployment clients you want to manage with your DS, you will have to think about capacity, yes.

Other than that, it really is just two separate Splunk instances (1 UF, 1 Splunk Enterprise) and they can co-exist.
I still probably would not recommend doing it, but instead have a separate instance for the DS or share with a License Master or Search Head Cluster Deployer, if you can.

View solution in original post

Reply
Solved! Jump to solution

Tejkumar451
Explorer
‎08-17-2017 12:11 PM

Hi Guys, thanks for the response. One final question, what changes has to be done on the forwarder side to make it as a deploymnet client?

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-10-2023 11:33 PM

Hi @Tejkumar451,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.1/Updating/Configuredeploymentclients , you have to run a CLI command: 

splunk set deploy-poll <IP_address/hostname>:<management_port>

or manually modify the file deploymentclient.conf to address your Deployment Server.

My hint is to create an Add-On, called e.g. TA_Forwarders, containing at least two files:

  • deploymentclient.conf, to address the Deployment Server,
  • outputs.conf, to address the Indexers.

in this way you can dinamically manage eventual change of DS.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-17-2017 02:59 PM

Configure deploymentclient.conf with the appropriate config

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-09-2017 11:54 PM

HI Tejkumar451,
if you have a Splunk Enterprise instance that has the role of Deployment Server, you don't need of another instance of Universal Forwarder.
You can configure your Splunk Enterprise AS Heavy Forwarder (forward all events to Indexers9 and use it both to forwarder events to Indexers and to manage the other Forwarders.
I usually use to configure my Deployment Server to send its logs to indexers.

Bye.
Giuseppe

Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-08-2017 11:17 AM

It is unusual to use a universal forwarder machine as a deployment server and not recommended, but technically possible.
The only port you need to change is the management port (default: 8089). The UF does not bind to any other ports.

Depending on the number of deployment clients you want to manage with your DS, you will have to think about capacity, yes.

Other than that, it really is just two separate Splunk instances (1 UF, 1 Splunk Enterprise) and they can co-exist.
I still probably would not recommend doing it, but instead have a separate instance for the DS or share with a License Master or Search Head Cluster Deployer, if you can.

Reply
Solved! Jump to solution

Tejkumar451
Explorer
‎08-08-2017 06:03 PM

Just to add on it, I am planning to add almost 100 deployment clients, and the main change that I would be doing is changing the outputs.conf for once. And I can disable all of those deployment clients, as there wont be much changes further.
Also, is it advisable to replace the universal forwarder with Heavy forwarder and that way I can use it both as a deployment server and forwarder. The data ingestion through this forwarder is very minimum.

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-09-2017 12:27 PM

No, a deployment server cannot be a deployment client of itself.

0 Karma
Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎08-08-2017 11:11 AM

Hey @Tejkumar451, check out this post with the same question. https://answers.splunk.com/answers/471936/install-both-universal-forwarder-and-splunk-enterp.html
You can also check out this diagram of network ports: https://answers.splunk.com/answers/118859/diagram-of-splunk-common-network-ports.html
And this documentation explains how to plan your deployment: http://docs.splunk.com/Documentation/Splunk/6.6.2/Updating/Planadeployment Please note that it does say this: "Because of high CPU and memory usage during app downloads, it is recommended that the deployment server instance reside on a dedicated machine."

Reply
Solved! Jump to solution

Tejkumar451
Explorer
‎08-08-2017 11:22 AM

Thanks for the response!! I will check those links

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...