How do we standardize configs across thousands of servers?

Splunk Employee

It does not appear that there's any way to do host templating. We have 1000s of servers, many of which are based off of server profiles (e.g., Linux web server) with standardized configs. If we wanted to add a new monitor to 120 servers of a certain class, how could we accomplish that?

0 Karma
Re: How do we standardize configs across thousands of servers?

Splunk Employee

This is EXACTLY what the Deployment Server is built for. So, to do mass configuration, you can use any mass config tool you typically would use (say Puppet or Chef or Altiris or ...), but if you do, you'll need to restart the UniversalForwarder to get it to reread the configs and start pushing. However, if you use DeploymentServer, that happens for free. Just modify the templates and magically new data flows in.

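As an added illustration (not part of the original thread and not Splunk's own sample), this is how the Deployment Server approach could cover the "new monitor on one class of servers" case from the question. The server class name, app name, hostname pattern, log path, index and deployment server address are all assumptions.

```ini
# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# One server class per server profile; "linux_web" is an assumed name.
[serverClass:linux_web]
# Clients are matched on hostname, IP or client name (placeholder pattern).
whitelist.0 = web-*.example.com
# Only Linux x86_64 forwarders receive this class.
machineTypesFilter = linux-x86_64

# Map an app to the class. "web_monitor_inputs" is an assumed app name and
# must exist as a directory under $SPLUNK_HOME/etc/deployment-apps/.
[serverClass:linux_web:app:web_monitor_inputs]
stateOnClient = enabled
# Defaults to false; set to true so the forwarder restarts and reads the
# new inputs after it downloads the app.
restartSplunkd = true

# --- Deployment server:
# $SPLUNK_HOME/etc/deployment-apps/web_monitor_inputs/local/inputs.conf ---
# The new monitor itself (path, sourcetype and index are assumptions;
# the index must already exist on the indexers).
[monitor:///var/log/httpd/access_log]
sourcetype = access_combined
index = web
disabled = false

# --- Every forwarder: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
# Points the client at the deployment server's management port.
[deployment-client]

[target-broker:deploymentServer]
targetUri = deploy.example.com:8089
```

After changing `serverclass.conf` or the app contents, run `splunk reload deploy-server` on the deployment server so clients pick up the change on their next check-in.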

Re: How do we standardize configs across thousands of servers?

Splunk Employee

I would also add that:

  • deployment servers should be dedicated Splunk instances (otherwise the client connections kill the performance) (PS: on Linux you can run another Splunk instance on the same box if you change the ports)
  • a single deployment server can handle up to 500 clients, so for larger deployments, use multiple deployment servers (you can cascade them)
0 Karma