Introducing Splunk DS to an existing Splunk environment

varad_joshi
Communicator

We have an existing environment with 100+ servers sending data to IDX. We never had a DS before and now we want to introduce DS so that it's easier to manage the client. 

What are the things I should consider before I start planning? Which config files should I be worried about getting overwritten when I add the existing UFs as clients to my DS?

0 Karma

gcusello
SplunkTrust

Hi @varad_joshi,

I have two main hints before starting this job:

1) Make a very accurate plan of your ServerClasses:

  • in other words, create in Excel (or something similar) a list of your servers, listing the TAs (Technical Add-Ons) to deploy on each one;
  • then think about the ServerClasses to implement: a ServerClass is a table that makes an association between a group of servers (with the same TAs to deploy) and the TAs to deploy.

This operation is very, very important to avoid having too many ServerClasses and heavy management.

Remember that the apps not listed in ServerClasses will be deleted from the servers!

2) Create at least one TA (called e.g. TA_Forwarders) that contains only three files:

  • apps.conf (describing the app);
  • outputs.conf (containing the addresses of the indexers to send data to);
  • deploymentclient.conf (containing the address of the Deployment Server).

The number of TA_Forwarders depends on your architecture: you need at least one TA, but you could have more of them if you have Heavy Forwarders as concentrators.

If possible, delete (e.g. using a script) the actual outputs.conf.

Ciao.

Giuseppe

0 Karma
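
The planning step from the answer above, sketched as an added example (not part of the original thread and not Splunk's own tooling): it groups hosts that need the same TA set into ServerClasses, renders `serverclass.conf` stanzas for them, and lists apps already on a host that the plan does not cover. Host names, TA names other than TA_Forwarders, and the `sc_NN` naming are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical hosts and TA names): the planning list
# from step 1, and the apps found today on two of the forwarders.
INVENTORY = {
    "web01": {"TA_Forwarders", "TA_nix", "TA_apache"},
    "web02": {"TA_Forwarders", "TA_nix", "TA_apache"},
    "db01": {"TA_Forwarders", "TA_nix"},
    "dc01": {"TA_Forwarders", "TA_windows"},
    "dc02": {"TA_Forwarders", "TA_windows"},
}
INSTALLED = {"web01": {"TA_nix", "TA_apache", "legacy_inputs"}, "db01": {"TA_nix"}}

def plan_serverclasses(inventory):
    """Group hosts that need the identical TA set: one ServerClass per group."""
    groups = defaultdict(list)
    for host, tas in inventory.items():
        groups[frozenset(tas)].append(host)
    ordered = sorted(groups.items(), key=lambda kv: sorted(kv[1]))
    return [{"name": f"sc_{i:02d}", "hosts": sorted(hosts), "apps": sorted(tas)}
            for i, (tas, hosts) in enumerate(ordered, 1)]

def render_serverclass_conf(plan):
    """Emit serverclass.conf stanzas for the plan (exact host-name whitelists)."""
    lines = []
    for sc in plan:
        lines.append(f"[serverClass:{sc['name']}]")
        lines += [f"whitelist.{n} = {h}" for n, h in enumerate(sc["hosts"])]
        for app in sc["apps"]:
            lines += [f"[serverClass:{sc['name']}:app:{app}]", "restartSplunkd = true"]
        lines.append("")
    return "\n".join(lines)

def unplanned_apps(inventory, installed):
    """Apps present on a host today but missing from its planned TA list."""
    gaps = {h: sorted(apps - inventory.get(h, set())) for h, apps in installed.items()}
    return {h: extra for h, extra in gaps.items() if extra}

if __name__ == "__main__":
    print(render_serverclass_conf(plan_serverclasses(INVENTORY)))
    print("review before enrolling:", unplanned_apps(INVENTORY, INSTALLED))
```

Run against the real inventory, the `unplanned_apps` output is the list to resolve before a forwarder is enrolled as a deployment client.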