- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to configure indexer, search head, deployment
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to configure indexer, search head, deployment
Hello,
I am new to splunk and learning it . My question is when we install splunk what are things to be done if need a server to act as a deployment server or if need the server to act as a search head
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi funlearning321,
I suggest to follow the documentation about this topic: https://www.splunk.com/blog/2016/08/31/adding-a-deployment-server-forwarder-management-to-a-new-or-e...
In addition, you can find yhis useful video: https://www.youtube.com/watch?v=uiU_jGxnnuc
Anyway, the way to proceed is easy:
if you are only testing distributed deployment you have to:
- choose a server as Deployment Server (remember that if you have more than 50 Forwarders you need a dedicated server);
- install Splunk on this Server;
- on each Forwarder, set the correct Deployment Server address using the CLI
$SPLUNK_HOME/bin/splunk set deploy-poll servername.mydomain.com:8089 you can do the same thing inserting in the file $SPLUNK_HOME/etc/system/local/deploymentclient.conf the following rows
[target-broker:deploymentServer]
Change the targetUri
targetUri = deploymentserver.splunk.mycompany.com:8089
restart splunk on Forwarder
You'll see the Forwarder on the Deployment server at [Settings -- Forwarder management]
If instead you need a Forwarder management, you have to use a different approach:
On Deployment Server:
- install Deployment server in the same way,
- create an App (called e.g. "TA_Forwarders" in which there are only two files: deploymentclient.conf and outputs.conf, in deploymentclient.conf there the correct Deployment server Addressing (the same of previous item);
- design your deployment policy: define server classes (a list of server with the same apps) and apps;
- copy TA_Forwarders in $SPLUNK_HOME/etc/deployment-apps
- copy apps in $SPLUNK_HOME/etc/deployment-apps
- create Server Classes
On Universal Forwarder:
- install Universal Forwarder,
- copy the TA_Forwarders on $SPLUNK_HOME/etc/apps
- restart Splunk;
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In order to make a Server a Deployment Server, you just need to put one app in the $SPLUNK_HOME/etc/deployment-apps folder.
Then you go to the Splunk UI, Settings-> Forwarder Management and you can start creating your serverclasses. That;s all.
A standalone instance is a searchhead of itself, and you don't need to configure anything for it to search hits own data. If you have a set of instances that are functioning as Indexers only, then you can configure your search head (s) to distributed their searches to the Indexer Layer.
More details on that here: https://docs.splunk.com/Documentation/Splunk/7.0.2/DistSearch/Whatisdistributedsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...
Alerting Best Practices: How to Create Good Detectors
Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...
