Installation

Deployment Server on Splunk Cloud

itsupport42
Loves-to-Learn Lots

Hello!

Do I understand correctly that Splunk Cloud doesn't have any deployment servers now?

If so, can you explain how to configure a universal forwarder that sends data to Splunk Cloud but using an add-on?

Thank you

0 Karma

richgalloway
SplunkTrust

Splunk Cloud does indeed support deployment servers, but you'll find it cumbersome to use since you'll need Splunk Cloud Support to install your add-ons on the DS for you.

The preferred approach is to install an on-prem Splunk instance to serve as your deployment server.

---
If this reply helps you, Karma would be appreciated.
0 Karma

itsupport42
Loves-to-Learn Lots

Last time I used it, I had a deployment server and it was okay. I can install an app on the Splunk forwarder and receive data from this app to Splunk Cloud.

0 Karma

gcusello
SplunkTrust

Hi @itsupport42 ,

As @richgalloway said, the best thing is to install a dedicated server to run as a Deployment Server.

If you don't want to do this, you can manually (or using a third-party tool) install your add-ons on your Universal Forwarders.

But pay attention to the idea of using an HF as a concentrator!

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust

I disagree with the practice of using intermediate forwarders. They add complexity, points of failure, and can impede search performance by not distributing events evenly among indexers.
---
If this reply helps you, Karma would be appreciated.
0 Karma

itsupport42
Loves-to-Learn Lots

Do you have some instructions on how to install add-ons on the Universal Forwarder?

0 Karma

gcusello
SplunkTrust

Hi @itsupport42 ,

Which add-ons are you speaking of?

If there isn't any particular requirement (see the documentation), to install an add-on on a Universal Forwarder you only have to untar the package in the $SPLUNK_HOME/etc/apps folder and then restart Splunk on the UF.

Ciao.

Giuseppe

0 Karma
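
The manual install described in the reply above (untar into $SPLUNK_HOME/etc/apps, then restart), as an added example that is not part of the original thread: it checks the archive's member paths before extracting. The default SPLUNK_HOME path and the function names `check_members` and `install_addon` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: vet an add-on tarball, then unpack it into a Universal Forwarder's apps folder.
# The SPLUNK_HOME default and both function names are assumptions, not from the thread.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Read archive member names on stdin. Fail on absolute paths or ".." components,
# and require every member to sit under exactly one top-level app directory.
# Prints that directory name on success.
check_members() {
    local name top="" first
    while IFS= read -r name; do
        name="${name#./}"
        [ -z "$name" ] && continue
        case "$name" in
            /*|..|../*|*/..|*/../*) echo "unsafe path: $name" >&2; return 1 ;;
        esac
        first="${name%%/*}"
        if [ -z "$top" ]; then
            top="$first"
        elif [ "$first" != "$top" ]; then
            echo "more than one top-level directory: $top, $first" >&2
            return 1
        fi
    done
    [ -n "$top" ] || { echo "empty or unreadable archive" >&2; return 1; }
    printf '%s\n' "$top"
}

# install_addon PACKAGE: validate, extract into $SPLUNK_HOME/etc/apps, restart the UF.
install_addon() {
    local pkg="$1" apps="$SPLUNK_HOME/etc/apps" app
    [ -f "$pkg" ] || { echo "no such package: $pkg" >&2; return 1; }
    [ -d "$apps" ] || { echo "no apps folder: $apps" >&2; return 1; }
    # List the archive first; nothing is written until the names pass the check.
    app="$(tar -tzf "$pkg" | check_members)" || return 1
    tar -xzf "$pkg" -C "$apps" --no-same-owner || return 1
    echo "installed $app into $apps"
    # Restart so the forwarder loads the new app (skipped if the binary is absent).
    if [ -x "$SPLUNK_HOME/bin/splunk" ]; then
        "$SPLUNK_HOME/bin/splunk" restart
    fi
}
```

Call it as `install_addon /path/to/package.tgz` with the package downloaded from Splunkbase or supplied by the vendor.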

itsupport42
Loves-to-Learn Lots

But how can I get add-ons from Splunk Cloud to the Universal Forwarder?

I need to understand this: the Splunk universal forwarder receives data from Meraki syslog on UDP 1496 and sends it to Splunk Cloud, using the add-on for Meraki for correct logs.

From a deployment server I can do this easily, but without it, I want to understand what my steps are.

0 Karma

gcusello
SplunkTrust

Hi @itsupport42 ,

I suppose that you have an intermediate layer, based on two or more Heavy Forwarders, between your Universal Forwarders and Splunk Cloud.

So you can use one of them for this role if your Deployment Server must manage only a few targets (fewer than 50).

If instead you have more than 50 targets, Splunk says that you have to use a dedicated Deployment Server.

For more info, see https://docs.splunk.com/Documentation/Splunk/8.0.4/Updating/Planadeployment#Deployment_server_machin...

Ciao.

Giuseppe

0 Karma

itsupport42
Loves-to-Learn Lots

I need only Splunk Cloud and the Universal Forwarder.

0 Karma

gcusello
SplunkTrust

Hi @itsupport42 ,

Usually it's a best practice to have two or more Heavy Forwarders between UFs and Splunk Cloud to avoid opening too many routes between your servers and the internet, and I suggest taking this idea into consideration!

Anyway, you can use a dedicated Deployment Server to manage your Forwarders.

Ciao.

Giuseppe

0 Karma

itsupport42
Loves-to-Learn Lots

Because I need to use a specific add-on that can send data correctly to Splunk Cloud.

0 Karma

gcusello
SplunkTrust

Hi @itsupport42 ,

Why can't you use Heavy Forwarders between UFs and Splunk Cloud?

I think that your add-on can also work with intermediate Heavy Forwarders!

Ciao.

Giuseppe

0 Karma