Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Introducing Splunk DS to an existing Splunk environment

varad_joshi
Communicator
‎09-15-2020 06:36 AM

We have an existing environment with 100+ servers sending data to IDX. We never had a DS before and now we want to introduce DS so that it's easier to manage the client. 

What are the things I consider before I start planning? Which config files I should be worried about getting overwritten when I add the existing UF as client to my DS.

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-15-2020 07:56 AM

Hi @varad_joshi,

I have two main hints before starting this job:

1) make a very accurate planning of your Serverclasses:

  • in other words, create in Excel (or something similar) a list of you servers, listing the TAs (Technical Add-Ons) to deploy in each one;
  • then think to the serverClasses to implement: a ServerClass is a table that make an association between a group of server (with the same TA to deploy) and the TAs to deploy.

This operation is very very important to avoid to have too many ServerClasses and heavy management..

Remember that the apps non listed in ServerClasses will be deleted from the servers!

2) create at least one TA (called e.g. TA_Forwarders) that contain only three files:

  • apps.conf (describing the app)
  • outputs.conf (containing the addressing of the indexers to send data);
  • deploymentclient.conf (contaioning the address of the Deployment Server).

the number of TA_Forwarders depends on your architecture: you need at least one TA, but you could have more of them if you have Heavy Forwarders as concentrators.

If possible, delete (e.g. using a script) the actual outputs.conf.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...