Has anyone thought through the pros/cons of setting up an external (independent) PDF server vs running the PDF server right on your primary Splunk instance?
We have a very straightforward Splunk infrastructure: There are multiple Splunk forwarders all sending events to a central Splunk indexer. All searching is done directly against this central indexer.
I'm about to upgrade to Splunk 4.1 and I'm trying to decide whether it's better to run the PDF server on its own instance (which will probably be on a virtual machine), or stick the PDF server directly on the central indexer. The central indexer is running Linux, although none of the X libraries have been installed yet.
I'm looking for pros and cons related to stability, configuration complexity, performance, maintenance, gotchas, ...
For your scenario, I would install the dependencies on the Splunk system and run the PDF server from that machine. Centralizing the management of Splunk will make your life much easier, especially when troubleshooting a problem with the PDF server. For the most part, the PDF server is just a Firefox binary, which is pretty low overhead and only gets launched when you create the PDF.
Pros for running PDF server independently:
Cons for running PDF server independently:
Could you clarify what configurations need to be synchronized? I was under the impression that the PDF server is in many ways like any other search user, in that, as long as it can connect to the Splunk web interface (port 8000), then it can render the page and produce a PDF, and return it to the caller. It makes sense that you have to get the PDF server connectivity settings correct, but you shouldn't have to sync eventtypes/tags/views/savedsearches/... because none of that is running on the PDF server, that's all done on the search head, right?