
Best Practice for Splunk Stream Install Location

mikefg
Communicator

Working on a fresh install of Stream into an on-prem distributed environment with a small number of endpoints. I'm not sure where to install and operate Stream from and I've seen differing instructions from 2019-present.

Is the current best practice to install and operate Stream from a standalone server or install and run from the deployment server?

inventsekar
Super Champion

Hi @mikefg ... As per the documentation at https://docs.splunk.com/Documentation/StreamApp/8.1.0/DeployStreamApp/InstallSplunkAppforStreaminadi...

Install Splunk App for Stream on search heads

  1. Click Download. The installation package downloads to your local host.
  2. Log into Splunk Web.
  3. Go to the command line and untar the installation file to SPLUNK_HOME/etc/apps/.
  4. Restart Splunk Enterprise, if prompted. This installs the Splunk App for Stream (Splunk_app_stream) in $SPLUNK_HOME/etc/apps.

May I know if this resolves your query? If not, please let us know some more details about the query, thanks.

PS ... If any post helped you in any way, please give a hi-five to the author with an upvote. If your issue got resolved, please accept the reply as solution. Thanks.
0 Karma

mikefg
Communicator

This doesn't help; what I need to know is if there is a best practice for using a separate server for Stream or using a deployment server.

Per the below article they use a separate server, but I'm not sure where that break point is between separate server and just using a deployment server. I'm leaning toward using a separate server, but the article I'm linking to is from 2019, so I don't know if it's still the recommended way to do it.


https://www.splunk.com/en_us/blog/tips-and-tricks/installing-and-managing-splunk-stream-in-a-distrib...

0 Karma

inventsekar
Super Champion

This doesn't help, what I need to know is if there is a best practice for using a separate server for stream or using a deployment server.
but I'm not sure where that break point is between separate server and just using a deployment server ///


Well, in simple terms, your question is... "separate server or just using a deployment server?"

It's a very complex question and this depends on "so many factors"...

1) its performance,
2) average load,
3) your plan about how your Splunk system will be in a year and in 5 years, etc.
4) importantly, the budget constraints.


---- If you want to push Splunk to its bottleneck and also get good Return on Investment (ROI), then simply go with just using a deployment server, not a separate server for Stream.

---- On the other hand, if you can afford it moneywise, it is simply best to use a separate server for each functionality... for example, a common system for base Splunk and separate servers for ES, ITSI, Observability, Stream, etc.

Hope it's clear now, thanks.

PS ... If any post helped you in any way, please give a hi-five to the author with an upvote. If your issue got resolved, please accept the reply as solution. Thanks.
0 Karma

mikefg
Communicator

Thank you, this helps. Just wanted to make sure there wasn't any newer recommended way to set up Stream. I'll proceed with a standalone server.
