Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

how to install single splunk instance on linux

daddyoh
Explorer
‎06-23-2016 07:17 AM

We have splunk-light 1GB per day license. We expect about 400 MB of events on a normal day. I'd like to set up one splunk instance then multiple instances of universal forwarder (UF) on a few other linux servers.

How do I, and do I need to, configure splunk as a search head, indexer and deployment server for UF to be able to transmit events to splunk and then search the same server instance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-23-2016 07:35 AM

All splunk instances (except UF) are Indexers and Search Heads by default. I would not make your main box also a DS but it can work if you have very few Forwarders.

See here for DS:
https://answers.splunk.com/answers/418065/how-do-we-set-up-the-deployment-server.html#answer-418066

The basic steps are:

1: Stand Up a new Search Head to use as DS.
2: Put at least 1 app in $SPLUNK_HOME/etc/deployment-apps/
3: Create a serverclass.conf file on the DS (put your forwarder and app details in there).
4: Deploy a properly configured deploymentclient.conf file to at least 1 forwarder and restart splunk there.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-23-2016 07:35 AM

All splunk instances (except UF) are Indexers and Search Heads by default. I would not make your main box also a DS but it can work if you have very few Forwarders.

See here for DS:
https://answers.splunk.com/answers/418065/how-do-we-set-up-the-deployment-server.html#answer-418066

The basic steps are:

1: Stand Up a new Search Head to use as DS.
2: Put at least 1 app in $SPLUNK_HOME/etc/deployment-apps/
3: Create a serverclass.conf file on the DS (put your forwarder and app details in there).
4: Deploy a properly configured deploymentclient.conf file to at least 1 forwarder and restart splunk there.
Reply
Solved! Jump to solution

daddyoh
Explorer
‎07-09-2016 03:43 AM

Woodcock - Your 4 steps did the trick. That was what was what I needed to fill in the gaps in the volumes of documentation from splunk. We have a qa server now forwarding 3 log files. I expect to get our production servers forwarding this week.

Thank You very much.

0 Karma
Reply
Solved! Jump to solution

daddyoh
Explorer
‎06-23-2016 07:38 AM

Thanks. How can I make it a deployment server so that I can test it and see if it can handle the volume. I am limited on hardware availability right now.

0 Karma
Reply
Solved! Jump to solution

andrewb_splunk
Splunk Employee
Splunk Employee
‎06-23-2016 08:04 AM

In addition to woodcock's excellent answer, you can also refer to the Splunk Light documentation topic Getting data into Splunk Light using Linux

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-23-2016 07:41 AM

Answer updated.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...