Introducing Splunk DS to an existing Splunk environment

varad_joshi
Communicator

We have an existing environment with 100+ servers sending data to IDX. We never had a DS before and now we want to introduce DS so that it's easier to manage the client. 

What are the things I should consider before I start planning? Which config files should I be worried about getting overwritten when I add the existing UFs as clients to my DS?

 

0 Karma

gcusello
SplunkTrust

Hi @varad_joshi,

I have two main hints before starting this job:

1) make a very accurate plan of your ServerClasses:

  • in other words, create in Excel (or something similar) a list of your servers, listing the TAs (Technical Add-Ons) to deploy on each one;
  • then think about the ServerClasses to implement: a ServerClass is a table that makes an association between a group of servers (with the same TAs to deploy) and the TAs to deploy.

This operation is very important to avoid having too many ServerClasses and heavy management.

Remember that the apps not listed in ServerClasses will be deleted from the servers!

2) create at least one TA (called e.g. TA_Forwarders) that contains only three files:

  • apps.conf (describing the app)
  • outputs.conf (containing the addressing of the indexers to send data);
  • deploymentclient.conf (containing the address of the Deployment Server).

the number of TA_Forwarders depends on your architecture: you need at least one TA, but you could have more of them if you have Heavy Forwarders as concentrators.

If possible, delete (e.g. using a script) the actual outputs.conf.

Ciao.

Giuseppe

0 Karma
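
An added example, not from the thread or from Splunk: a sketch of the planning step in the answer above, grouping forwarders that need the identical TA set into one server class, emitting the matching serverclass.conf stanzas, and listing apps already on a forwarder that the plan omits (the case the answer warns about). The host names, the TA names other than TA_Forwarders, the `sc_NN` class names and the `INSTALLED` snapshot are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory (hypothetical hosts and TA names): the spreadsheet
# from step 1, one entry per forwarder with the TAs it should receive.
PLANNED = {
    "web01": {"TA_Forwarders", "TA_nix", "TA_apache"},
    "web02": {"TA_Forwarders", "TA_nix", "TA_apache"},
    "db01": {"TA_Forwarders", "TA_nix"},
    "win01": {"TA_Forwarders", "TA_windows"},
}
# Constructed snapshot: apps found today under etc/apps on each forwarder.
INSTALLED = {
    "web01": {"TA_nix", "TA_apache", "legacy_outputs"},
    "db01": {"TA_nix"},
}


def plan_server_classes(planned):
    """Group hosts needing the identical TA set into one server class."""
    groups = defaultdict(list)
    for host, tas in planned.items():
        groups[frozenset(tas)].append(host)
    # Sort groups by their host lists so class numbering is stable.
    ordered = sorted(groups.items(), key=lambda kv: sorted(kv[1]))
    return {f"sc_{n:02d}": (sorted(hosts), sorted(tas))
            for n, (tas, hosts) in enumerate(ordered, 1)}


def unplanned_apps(planned, installed):
    """Apps present on a host today but missing from its planned TA list."""
    return {h: sorted(apps - planned.get(h, set()))
            for h, apps in installed.items() if apps - planned.get(h, set())}


def render_serverclass_conf(classes):
    """Emit serverclass.conf: whitelist.N per host, one app stanza per TA."""
    out = []
    for name, (hosts, tas) in classes.items():
        out.append(f"[serverClass:{name}]")
        out += [f"whitelist.{i} = {h}" for i, h in enumerate(hosts)]
        for ta in tas:
            out += [f"[serverClass:{name}:app:{ta}]", "restartSplunkd = true"]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(unplanned_apps(PLANNED, INSTALLED))
    print(render_serverclass_conf(plan_server_classes(PLANNED)))
```

Review the `unplanned_apps` output before enrolling any forwarder, and add each listed app to the plan or retire it deliberately.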