- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to configure indexer, search head, deployment
Hello,
I am new to splunk and learning it . My question is when we install splunk what are things to be done if need a server to act as a deployment server or if need the server to act as a search head
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hi funlearning321,
I suggest to follow the documentation about this topic: https://www.splunk.com/blog/2016/08/31/adding-a-deployment-server-forwarder-management-to-a-new-or-e...
In addition, you can find yhis useful video: https://www.youtube.com/watch?v=uiU_jGxnnuc
Anyway, the way to proceed is easy:
if you are only testing distributed deployment you have to:
- choose a server as Deployment Server (remember that if you have more than 50 Forwarders you need a dedicated server);
- install Splunk on this Server;
- on each Forwarder, set the correct Deployment Server address using the CLI
$SPLUNK_HOME/bin/splunk set deploy-poll servername.mydomain.com:8089
you can do the same thing inserting in the file $SPLUNK_HOME/etc/system/local/deploymentclient.conf the following rows
[target-broker:deploymentServer]
Change the targetUri
targetUri = deploymentserver.splunk.mycompany.com:8089
restart splunk on Forwarder
You'll see the Forwarder on the Deployment server at [Settings -- Forwarder management]
If instead you need a Forwarder management, you have to use a different approach:
On Deployment Server:
- install Deployment server in the same way,
- create an App (called e.g. "TA_Forwarders" in which there are only two files: deploymentclient.conf and outputs.conf, in deploymentclient.conf there the correct Deployment server Addressing (the same of previous item);
- design your deployment policy: define server classes (a list of server with the same apps) and apps;
- copy TA_Forwarders in $SPLUNK_HOME/etc/deployment-apps
- copy apps in $SPLUNK_HOME/etc/deployment-apps
- create Server Classes
On Universal Forwarder:
- install Universal Forwarder,
- copy the TA_Forwarders on $SPLUNK_HOME/etc/apps
- restart Splunk;
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

In order to make a Server a Deployment Server, you just need to put one app in the $SPLUNK_HOME/etc/deployment-apps folder.
Then you go to the Splunk UI, Settings-> Forwarder Management and you can start creating your serverclasses. That;s all.
A standalone instance is a searchhead of itself, and you don't need to configure anything for it to search hits own data. If you have a set of instances that are functioning as Indexers only, then you can configure your search head (s) to distributed their searches to the Indexer Layer.
More details on that here: https://docs.splunk.com/Documentation/Splunk/7.0.2/DistSearch/Whatisdistributedsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
