Splunk Search

How do we standardize configs across thousands of servers?

Dimitri_McKay
Splunk Employee
Splunk Employee

It does not appear that there's any way to do host templating. We have 1000s of servers, many of which are based off of server profiles (e.g., Linux web server) with standardized configs. If we wanted to add a new monitor to 120 servers of a certain class, how could we accomplish that?

0 Karma
1 Solution

Dimitri_McKay
Splunk Employee
Splunk Employee

This is EXACTLY what the Deployment Server is built for. So, to do mass configuration, you can use any mass config tool you typically would use (say puppet or chef or Altiris or ...) but if you do, you'll need to restart the UniversalForwarder to get it to reread the configs and start pushing. However, if you use DeploymentServer, that happens for free. Just modify the templates and magically new data flows in.

View solution in original post

Dimitri_McKay
Splunk Employee
Splunk Employee

This is EXACTLY what the Deployment Server is built for. So, to do mass configuration, you can use any mass config tool you typically would use (say puppet or chef or Altiris or ...) but if you do, you'll need to restart the UniversalForwarder to get it to reread the configs and start pushing. However, if you use DeploymentServer, that happens for free. Just modify the templates and magically new data flows in.

yannK
Splunk Employee
Splunk Employee

I would also add that :

  • deployment servers should be dedicated splunk instances (otherwise the client connections kills the performance) (ps on linux you can run another splunk instance on the same box if you change the ports)
  • a single deployment server can handle up to 500 clients, so for larger deployments, use multiple deployment servers (you can cascade them)
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...