How to configure indexer, search head, deployment

funlearning321
New Member

Hello,

I am new to Splunk and learning it. My question is: when we install Splunk, what are the things to be done if I need a server to act as a deployment server, or if I need the server to act as a search head?


gcusello
SplunkTrust

Hi funlearning321,
I suggest following the documentation on this topic: https://www.splunk.com/blog/2016/08/31/adding-a-deployment-server-forwarder-management-to-a-new-or-e...
In addition, you can find this useful video: https://www.youtube.com/watch?v=uiU_jGxnnuc

Anyway, the way to proceed is easy.
If you are only testing a distributed deployment, you have to:

  • choose a server as Deployment Server (remember that if you have more than 50 Forwarders you need a dedicated server);
  • install Splunk on this Server;
  • on each Forwarder, set the correct Deployment Server address using the CLI: $SPLUNK_HOME/bin/splunk set deploy-poll servername.mydomain.com:8089
  • you can do the same thing by inserting the following rows in the file $SPLUNK_HOME/etc/system/local/deploymentclient.conf:

    [target-broker:deploymentServer]
    # Change the targetUri
    targetUri = deploymentserver.splunk.mycompany.com:8089

  • restart Splunk on the Forwarder;
  • you'll see the Forwarder on the Deployment Server at [Settings -- Forwarder management].

If instead you need Forwarder management, you have to use a different approach:

On Deployment Server:

  • install the Deployment Server in the same way;
  • create an App (called e.g. "TA_Forwarders") in which there are only two files: deploymentclient.conf and outputs.conf; in deploymentclient.conf there is the correct Deployment Server address (the same as in the previous item);
  • design your deployment policy: define server classes (a list of servers with the same apps) and apps;
  • copy TA_Forwarders to $SPLUNK_HOME/etc/deployment-apps;
  • copy the apps to $SPLUNK_HOME/etc/deployment-apps;
  • create the Server Classes.

On Universal Forwarder:

  • install the Universal Forwarder;
  • copy TA_Forwarders to $SPLUNK_HOME/etc/apps;
  • restart Splunk.

Bye.
Giuseppe

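A worked version of the "TA_Forwarders" app and a matching server class from Giuseppe's second procedure, as an added example that is not from his post or from Splunk's documentation; the hostnames, ports, file placement under default/, and the class and app names are assumptions.

```ini
# Added example (not from the post). Paths, hostnames and class names are assumptions.

# --- $SPLUNK_HOME/etc/deployment-apps/TA_Forwarders/default/deploymentclient.conf
# Tells each Universal Forwarder which Deployment Server to poll for apps.
[deployment-client]
# How often (seconds) the forwarder checks in; 60 is the default
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
# Management port (8089) of the Deployment Server, not a data-receiving port
targetUri = deploymentserver.splunk.mycompany.com:8089

# --- $SPLUNK_HOME/etc/deployment-apps/TA_Forwarders/default/outputs.conf
# Tells each forwarder where to send its data (the indexer layer).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Receiving port on the indexers (enabled under Settings > Forwarding and receiving)
server = idx1.mycompany.com:9997, idx2.mycompany.com:9997

# --- $SPLUNK_HOME/etc/system/local/serverclass.conf  (on the Deployment Server)
# The same policy that Settings > Forwarder Management writes when you create
# server classes in the UI; shown here in file form.
[global]

[serverClass:all_forwarders]
# Match every client that phones home, so each one keeps TA_Forwarders
whitelist.0 = *

[serverClass:all_forwarders:app:TA_Forwarders]
restartSplunkd = true

[serverClass:linux_web]
# Only the web servers receive the (assumed) Apache inputs app
whitelist.0 = web*.mycompany.com
machineTypesFilter = linux-x86_64

[serverClass:linux_web:app:TA_apache_inputs]
restartSplunkd = true
```

After editing serverclass.conf by hand, run `$SPLUNK_HOME/bin/splunk reload deploy-server` on the Deployment Server so the new classes take effect; the forwarders pick up the apps on their next phone-home.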

tiagofbmm
Influencer

In order to make a Server a Deployment Server, you just need to put one app in the $SPLUNK_HOME/etc/deployment-apps folder.

Then you go to the Splunk UI, Settings -> Forwarder Management, and you can start creating your server classes. That's all.

A standalone instance is a search head of itself, and you don't need to configure anything for it to search its own data. If you have a set of instances that are functioning as Indexers only, then you can configure your search head(s) to distribute their searches to the Indexer layer.

More details on that here: https://docs.splunk.com/Documentation/Splunk/7.0.2/DistSearch/Whatisdistributedsearch


tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.
