
We have installed a Universal Forwarder on one of our servers. Can we add another instance of Splunk and use it as a deployment server too?

Tejkumar451
Explorer

We have a server where we have a universal forwarder, and I am planning to install a Splunk Enterprise version so that I can use it as a deployment server. Can I do this? If so, what are the things I have to take care of?
1) What are the ports that I have to change?
2) Should I do any capacity planning for the same?
3) What are the things I have to keep in mind before/while proceeding into this?
Please do help!!

1 Solution

s2_splunk
Splunk Employee

It is unusual to use a universal forwarder machine as a deployment server and not recommended, but technically possible.
The only port you need to change is the management port (default: 8089). The UF does not bind to any other ports.

Depending on the number of deployment clients you want to manage with your DS, you will have to think about capacity, yes.

Other than that, it really is just two separate Splunk instances (1 UF, 1 Splunk Enterprise) and they can co-exist.
I still probably would not recommend doing it, but instead have a separate instance for the DS or share with a License Master or Search Head Cluster Deployer, if you can.


Tejkumar451
Explorer

Hi guys, thanks for the response. One final question: what changes have to be done on the forwarder side to make it a deployment client?

gcusello
SplunkTrust

Hi @Tejkumar451,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.1/Updating/Configuredeploymentclients, you have to run a CLI command:

splunk set deploy-poll <IP_address/hostname>:<management_port>

or manually modify the file deploymentclient.conf to address your Deployment Server.

My hint is to create an Add-On, called e.g. TA_Forwarders, containing at least two files:

  • deploymentclient.conf, to address the Deployment Server,
  • outputs.conf, to address the Indexers.

In this way you can dynamically manage any change of DS.

Ciao.

Giuseppe
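As an added example (not from the thread), here is the UF-side management port change from the accepted answer together with the TA_Forwarders layout gcusello describes, plus a serverclass.conf on the DS that pushes it; hostnames, ports, certificate paths and the serverclass name are assumptions.

```ini
# Added example (not from the thread). Hostnames, ports, cert paths and
# the serverclass name are placeholders; adapt them to your environment.

# 1) On the server that will also host Splunk Enterprise as the DS, move the
#    UF's management port off 8089 so the two instances do not collide.
#    File: <UF_SPLUNK_HOME>/etc/system/local/web.conf
[settings]
mgmtHostPort = 127.0.0.1:8090

# 2) Deployment app kept on the DS and pushed to every forwarder. Layout:
#    <DS_SPLUNK_HOME>/etc/deployment-apps/TA_Forwarders/local/deploymentclient.conf
#    <DS_SPLUNK_HOME>/etc/deployment-apps/TA_Forwarders/local/outputs.conf

# --- TA_Forwarders/local/deploymentclient.conf ---
[deployment-client]
# Phone-home interval; with ~100 clients a few minutes is plenty and keeps
# load on the DS low (default is 60 seconds)
phoneHomeIntervalInSecs = 600

[target-broker:deploymentServer]
# The DS is reached on the Splunk Enterprise instance's management port
targetUri = ds.example.internal:8089

# --- TA_Forwarders/local/outputs.conf ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
# Indexer acknowledgement so a forwarder does not drop data on failover
useACK = true
# Encrypt and verify the forwarder-to-indexer channel; the CA used to verify
# the indexer certificate is configured in server.conf [sslConfig]
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslVerifyServerCert = true

# 3) On the DS, map the app to the forwarders that should receive it.
#    File: <DS_SPLUNK_HOME>/etc/system/local/serverclass.conf
[serverClass:all_forwarders]
whitelist.0 = *

[serverClass:all_forwarders:app:TA_Forwarders]
# outputs.conf changes need a splunkd restart on the client
restartSplunkd = true
```

After the files are in place, run `splunk reload deploy-server` on the DS; clients pick up the app on their next phone-home.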


s2_splunk
Splunk Employee

Configure deploymentclient.conf with the appropriate config


gcusello
SplunkTrust

Hi Tejkumar451,
if you have a Splunk Enterprise instance that has the role of Deployment Server, you don't need another instance of Universal Forwarder.
You can configure your Splunk Enterprise AS Heavy Forwarder (forward all events to Indexers) and use it both to forward events to Indexers and to manage the other Forwarders.
I usually configure my Deployment Server to send its logs to indexers.

Bye.
Giuseppe

Tejkumar451
Explorer

Just to add on it, I am planning to add almost 100 deployment clients, and the main change that I would be doing is changing the outputs.conf for once. And I can disable all of those deployment clients, as there won't be many changes further.
Also, is it advisable to replace the universal forwarder with a Heavy Forwarder, so that I can use it both as a deployment server and forwarder? The data ingestion through this forwarder is very minimal.

lfedak_splunk
Splunk Employee

Hey @Tejkumar451, check out this post with the same question. https://answers.splunk.com/answers/471936/install-both-universal-forwarder-and-splunk-enterp.html
You can also check out this diagram of network ports: https://answers.splunk.com/answers/118859/diagram-of-splunk-common-network-ports.html
And this documentation explains how to plan your deployment: http://docs.splunk.com/Documentation/Splunk/6.6.2/Updating/Planadeployment Please note that it does say this: "Because of high CPU and memory usage during app downloads, it is recommended that the deployment server instance reside on a dedicated machine."

Tejkumar451
Explorer

Thanks for the response!! I will check those links
