Splunk Enterprise

Any reason not to install PDF server on every Linux Search Head?

jhupka
Path Finder

We are trying to keep all of our Linux Search Heads identical to make configuration/deployment easy. Is there any reason not to install the PDF Server app on every Search Head and just have them configured to use themselves as the PDF Server? This would also allow us to utilize identical alert_actions.conf on every Search Head.

We are currently on 4.3.3 and using PDF Server for Linux 1.3.

0 Karma
1 Solution

Jason
Motivator

I see no problem with doing that. In order to keep config the same, you would likely want to point Splunk at a 127.0.0.1 address for its PDF server.

View solution in original post

Jason
Motivator

I see no problem with doing that. In order to keep config the same, you would likely want to point Splunk at a 127.0.0.1 address for its PDF server.

jhupka
Path Finder

Just a bit of follow-up on this. One reason against PDF Server everywhere is the app is pretty big with a 32-bit and 64-bit version of Firefox internal to the app. So depending on your build/deploy process and how things are with Deployment Server you might not want to be pushing PDF Server out all over the place. On the other hand, it shouldn't necessarily change often so if you're using Deployment Server it won't often try and push out copies of PDF Server.

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...