We have installed a universal forwarder on one of our servers. Can we add another instance of Splunk and use it as a deployment server too?

Tejkumar451
Explorer

We have a server where we have a universal forwarder, and I am planning to install a Splunk Enterprise version so that I can use it as a deployment server. Can I do this? If so, what are the things I have to take care of?
1) What are the ports that I have to change?
2) Should I do any capacity planning for the same?
3) What are the things I have to keep in mind before/while proceeding with this?
Please do help!!


s2_splunk
Splunk Employee

It is unusual to use a universal forwarder machine as a deployment server and not recommended, but technically possible.
The only port you need to change is the management port (default: 8089). The UF does not bind to any other ports.

Depending on the number of deployment clients you want to manage with your DS, you will have to think about capacity, yes.

Other than that, it really is just two separate Splunk instances (1 UF, 1 Splunk Enterprise) and they can co-exist.
I still probably would not recommend doing it, but instead have a separate instance for the DS or share with a License Master or Search Head Cluster Deployer, if you can.


Tejkumar451
Explorer

Hi guys, thanks for the response. One final question: what changes have to be done on the forwarder side to make it a deployment client?

gcusello
SplunkTrust

Hi @Tejkumar451,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.1/Updating/Configuredeploymentclients , you have to run a CLI command: 

splunk set deploy-poll <IP_address/hostname>:<management_port>

or manually modify the file deploymentclient.conf to address your Deployment Server.

My hint is to create an Add-On, called e.g. TA_Forwarders, containing at least two files:

  • deploymentclient.conf, to address the Deployment Server,
  • outputs.conf, to address the Indexers.

In this way you can dynamically manage an eventual change of DS.

Ciao.

Giuseppe


s2_splunk
Splunk Employee

Configure deploymentclient.conf with the appropriate config
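
The TA_Forwarders add-on suggested earlier in the thread, together with the management-port change from the accepted answer, written out as an added example (not configuration posted by anyone in this thread). The hostnames ds.example.com and idx1/idx2.example.com, port 8090, the group name primary_indexers and the phone-home interval are placeholder assumptions.

```ini
# Added example: hostnames, ports and group names are placeholders.

# --- Deployment server host (Splunk Enterprise installed next to the UF) ---
# File: $SPLUNK_HOME/etc/system/local/web.conf of the Enterprise instance.
# Moves this instance's management port off the default 8089 so it does
# not collide with the UF on the same machine (8090 is an assumed free port).
[settings]
mgmtHostPort = 127.0.0.1:8090

# --- App distributed to the forwarders ---
# On the DS:      $SPLUNK_HOME/etc/deployment-apps/TA_Forwarders/local/
# On each client: $SPLUNK_HOME/etc/apps/TA_Forwarders/local/
# A client needs this app (or "splunk set deploy-poll") installed once
# before it can phone home. Settings that "set deploy-poll" writes to
# etc/system/local take precedence over the app, so use one or the other.

# File: deploymentclient.conf
[deployment-client]
# Optional: with clients that rarely change, a longer interval lowers
# the load on the DS (600 is an assumed value).
phoneHomeIntervalInSecs = 600

[target-broker:deploymentServer]
# Must be the DS management port, i.e. the changed one if it was moved.
targetUri = ds.example.com:8090

# File: outputs.conf
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
useACK = true
```

The deployment server additionally needs a server class that maps TA_Forwarders to the intended clients.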


gcusello
SplunkTrust

Hi Tejkumar451,
if you have a Splunk Enterprise instance that has the role of Deployment Server, you don't need another instance of Universal Forwarder.
You can configure your Splunk Enterprise as a Heavy Forwarder (forward all events to Indexers) and use it both to forward events to Indexers and to manage the other Forwarders.
I usually configure my Deployment Server to send its logs to indexers.

Bye.
Giuseppe

Tejkumar451
Explorer

Just to add to it, I am planning to add almost 100 deployment clients, and the main change that I would be doing is changing the outputs.conf for once. And I can disable all of those deployment clients, as there won't be many changes further.
Also, is it advisable to replace the universal forwarder with a heavy forwarder, so that I can use it both as a deployment server and forwarder? The data ingestion through this forwarder is very minimal.

lfedak_splunk
Splunk Employee

Hey @Tejkumar451, check out this post with the same question. https://answers.splunk.com/answers/471936/install-both-universal-forwarder-and-splunk-enterp.html
You can also check out this diagram of network ports: https://answers.splunk.com/answers/118859/diagram-of-splunk-common-network-ports.html
And this documentation explains how to plan your deployment: http://docs.splunk.com/Documentation/Splunk/6.6.2/Updating/Planadeployment Please note that it does say this: "Because of high CPU and memory usage during app downloads, it is recommended that the deployment server instance reside on a dedicated machine."

Tejkumar451
Explorer

Thanks for the response!! I will check those links
