This is a place to discuss all things outside of Splunk, its products, and its use cases.

Splunk Lab - Minimum servers



Creating a Splunk lab to play around with configurations etc ..

Will the following suffice - any gotchyas (ports etc) or can they all share the mgmt port on the deployer box :

2 x SH
2 x IDX
1 x Deployer consisting of - Deployer, deployment server, CM, LM (can they all co-exist)
2 x UF's


Tags (1)
0 Karma


All those will need their own ports as they will complain about it during start up. Splunkweb, splunkd, app port,kvstore ports should all be unique.

Also create individual host names in server.conf and inputs.conf. This servers two purposes.

  1. You can tell what is going on when you check internals.
  2. Distsearch requires unique names to work (it's used for the public key storing directory name).

Also perhaps throw in a heavy forwarder so you can try out advanced routing techniques.

0 Karma


Thanks Lucas,

For Clarification :

If i don't need 2 x SH at this stage - and therefore no deployer.
If a deployer was required then i'd have to install splunk in a new location if i was using the same box eg /opt/splunk_shc and i would need to change the ports ?

So the LM, CM and deployment server can all co-exist on the one box with no port adjustments - they can all use the mgmt port 8089 ?

0 Karma

Ultra Champion

Yes, LM and CM are just "features" of the main Splunk Enterprise install and simply need to be "enabled" - (as are DM and Deployer too for that matter)

You will therefore only need one splunk install for all 4 of these services to work (albeit not best practice)

If my comment helps, please give it a thumbs up!
0 Karma

Splunk Employee
Splunk Employee

In a lab, this should be more then sufficient.

However, for a SHC (search head cluster,) you need to have a minimum of 3 servers for the SHC to function properly. That being said, you can force a captain with two members, but its a manual process as described in the docs on : http://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/SHCarchitecture

On a side note, in a production environment, you would want to separate the roles of these servers. Typically the CM and LM and coexist on lower spec machines (perfect for virtualization). The deployer and DS can also co-exist, however, depending upon the number of clients, having a dedicated DS is typically recommended.



Cheers Eric .. yep aware of the prod requirements - thanks for the SHC tip.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...