Independent PDF Server pros and cons?

Super Champion

Has anyone thought through the pros/cons of setting up an external (independent) PDF server vs running the PDF server right on your primary splunk instance?

We have a very straight-forward splunk infrastructure: There are multiple splunk forwarders all sending events to a central splunk indexer. All searching is done directly against this central indexer.

I'm about to upgrade to Splunk 4.1 and I'm trying to decide it's better to run the pdf server on it's own instances (which will probably on a virtual machine), or stick the pdfserver directly on the central indexer. The central indexer is running Linux, although none of the X libraries have been installed yet.

I'm looking for pros and cons related to stability, configuration complexity, performance, maintenance, gotchas, ...

Tags (2)
0 Karma

Splunk Employee
Splunk Employee

For your scenario, I would install the dependencies on the Splunk system and run the PDF server from that machine. Centralizing the management of Splunk will make your life much easier, especially when troubleshooting a problem with the PDF server. For the most part, the PDF server is just a firefox binary which is pretty low overhead and only gets launched when you create the PDF.

Pros for running PDF server independently:

  • lower resource utilization
  • Firefox and dependencies might already reside on a system

Cons for running PDF server independently:

  • need to manage network connectivity (firewalls and network changes?)
  • additional system to maintain
  • configuration is decentralized

Super Champion

Could you clarify what all configurations needs to be synchronized? I was under the impression that the PDF server is in may ways like any other search user, in that, as long as it can connect to the splunk web interface (port 8000), then it can render the page and produce a PDF, and return it to the caller. It makes sense that you have to get the pdfserver connectivity settings correct, but you shouldn't have to sync eventtypes/tags/views/savedserches/... because none of that is running on the pdfserver, that's all done on the search head, right?

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...