Getting Data In

What are best practices for setting phoneHomeInterval between deployment clients when under the same deployment server?

bheemireddi
Communicator

Hello,

I have been testing the configurations between DS and the clients. Currently I just have few clients to the DS and they all have the default setting for the phoneHomeinterval. in one of the scenarios, Forwarders downloaded the configs before the indexers and they tried to forward the data to an un-configured index as the Indexers downloaded their configs (that creates the index) few Secs later than the forwarders. So wanted to set the phoneHomeInterval differently for the indexers and forwarders so they align correctly. So is it the best practice to set different PhoneHomeInterval between Indexers and Forwarders (Even just for few clients) when they are under same DS? or is there a better approach to resolve this?

Thanks
Raji

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Changing the interval is not going to solve this. Let's be extreme and say indexers check every ten seconds while forwarders check every ten days. There still will be a case where eventually one forwarder's ten day interval will be up just after you deployed changes, and it will restart faster than your indexers.

To get around this, make changes to your indexer's server classes first. Reload deployment server, wait. Then make changes to forwarder server classes, reload, wait.

Even better, use clustering and roll out indexer changes from the master before touching the deployment server and therefore the forwarders.

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...