#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Lab - Minimum servers

Esky73
Builder
‎02-13-2017 04:51 PM

Hi,

Creating a Splunk lab to play around with configurations etc ..

Will the following suffice - any gotchyas (ports etc) or can they all share the mgmt port on the deployer box :

2 x SH
2 x IDX
1 x Deployer consisting of - Deployer, deployment server, CM, LM (can they all co-exist)
2 x UF's

Cheers.

Tags (1)
0 Karma
Reply

Lucas_K
Motivator
‎02-14-2017 12:28 AM

All those will need their own ports as they will complain about it during start up. Splunkweb, splunkd, app port,kvstore ports should all be unique.

Also create individual host names in server.conf and inputs.conf. This servers two purposes.

  1. You can tell what is going on when you check internals.
  2. Distsearch requires unique names to work (it's used for the public key storing directory name).

Also perhaps throw in a heavy forwarder so you can try out advanced routing techniques.

0 Karma
Reply

Esky73
Builder
‎02-14-2017 02:56 PM

Thanks Lucas,

For Clarification :

If i don't need 2 x SH at this stage - and therefore no deployer.
If a deployer was required then i'd have to install splunk in a new location if i was using the same box eg /opt/splunk_shc and i would need to change the ports ?

So the LM, CM and deployment server can all co-exist on the one box with no port adjustments - they can all use the mgmt port 8089 ?

0 Karma
Reply

nickhills
Ultra Champion
‎02-14-2017 11:01 PM

Yes, LM and CM are just "features" of the main Splunk Enterprise install and simply need to be "enabled" - (as are DM and Deployer too for that matter)

You will therefore only need one splunk install for all 4 of these services to work (albeit not best practice)

If my comment helps, please give it a thumbs up!
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎02-13-2017 04:57 PM

In a lab, this should be more then sufficient.

However, for a SHC (search head cluster,) you need to have a minimum of 3 servers for the SHC to function properly. That being said, you can force a captain with two members, but its a manual process as described in the docs on : http://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/SHCarchitecture

On a side note, in a production environment, you would want to separate the roles of these servers. Typically the CM and LM and coexist on lower spec machines (perfect for virtualization). The deployer and DS can also co-exist, however, depending upon the number of clients, having a dedicated DS is typically recommended.

Cheers
Eric

Reply

Esky73
Builder
‎02-13-2017 05:19 PM

Cheers Eric .. yep aware of the prod requirements - thanks for the SHC tip.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top