Deployment Architecture

What are some best practices for deploying new Splunk cluster step-by-step?


Hello guys,

I would like to have best practices regarding deploying a new Splunk cluster v8. Could you say if this is correct and in logical order?


1. Install Splunk on all nodes as a non-root user (except if you want an HF), verify ulimits

2. Configure one server "manager" with monitoring console, license master, deployer & deployment server roles

3. Configure Master Node (cluster master) on separate server

4. Configure peers, connect them to the MN

5. Configure search heads, connect them to the MN

6. Configure Universal forwarders




Ultra Champion

I don't agree that HF must be run as root. It doesn't need it.



What if you need to open port 514?


Ultra Champion

Yes, but that's not unique to HF. You can use UF to receive data on raw tcp/udp port. And still you can just open another, higher port, like 1514, 6514 or whatever. And even better - use a separate syslog-collecting layer like sc4s or rsyslog and send data to HEC from there.


Esteemed Legend

Hi @realsplunk,

Yes, the process is correct, only three things:

  • I'd also add the forwarding of all logs from all servers to the Indexers,
  • if the Deployment Server has to manage more than 50 clients, it must be on a dedicated server,
  • if you have Heavy Forwarders, you have to install and configure them before Universal Forwarders.





Hi @realsplunk

I guess this is for your practice, right? The flow is correct.

However, I would not recommend the deployment server and license server setup on one server if you have more than 50 clients where the UF needs to be installed; however, for low volume, the deployment server is OK to be clubbed.

Try this link for reference.


And also, if you are configuring a master node, steps 4 and 5 should have sub-steps: indexer clustering and SH clustering.

If you find the answer helpful, karma is appreciated.
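The indexer-clustering sub-steps of 4 and 5 come down to every node carrying a consistent [clustering] stanza in server.conf. As an added example (not code from the thread or from Splunk), the Python check below reads constructed stanzas for a manager, two peers and a search head and flags the usual mistakes before peers are joined: a pass4SymmKey that differs between nodes, nodes pointing at different manager URIs, or a replication/search factor the peer count cannot satisfy. The setting names are the Splunk 8.x server.conf keys; hostnames, the key value and the stanza contents are constructed sample data.

```python
# Added example, not from the thread: sanity-check the server.conf [clustering]
# stanzas of every node before joining peers (step 4) and search heads (step 5).
# Keys are the Splunk 8.x server.conf settings; hostnames/key are constructed.
import configparser

KEY = "pass4SymmKey = CHANGEME-cluster-key\n"   # constructed placeholder secret
SAMPLE = {  # one stanza per node, as in $SPLUNK_HOME/etc/system/local/server.conf
    "cm01": "[clustering]\nmode = master\nreplication_factor = 2\n"
            "search_factor = 2\n" + KEY,
    "idx01": "[clustering]\nmode = slave\nmaster_uri = https://cm01:8089\n" + KEY,
    "idx02": "[clustering]\nmode = slave\nmaster_uri = https://cm01:8089\n" + KEY,
    "sh01": "[clustering]\nmode = searchhead\nmaster_uri = https://cm01:8089\n" + KEY,
}

def parse(conf_text):
    # Splunk .conf is INI-like; keys are case-sensitive and only '=' separates
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp

def check_cluster(confs):
    """Return the list of inconsistencies across all nodes (empty = consistent)."""
    problems, roles = [], {}
    for host, text in confs.items():
        cp = parse(text)
        if "clustering" not in cp:
            problems.append(f"{host}: no [clustering] stanza")
            continue
        roles[host] = dict(cp["clustering"])
    managers = [h for h, s in roles.items() if s.get("mode") == "master"]
    if len(managers) != 1:
        return problems + [f"expected exactly one manager node, found {managers}"]
    mgr = roles[managers[0]]
    # every node must share the cluster secret and point at the same manager
    if len({s.get("pass4SymmKey") for s in roles.values()}) != 1:
        problems.append("pass4SymmKey differs between nodes")
    uris = {s.get("master_uri") for h, s in roles.items() if h != managers[0]}
    if len(uris) != 1:
        problems.append(f"peers/search heads disagree on master_uri: {sorted(map(str, uris))}")
    # factors the manager enforces must be satisfiable by the peer count
    peers = sum(1 for s in roles.values() if s.get("mode") == "slave")
    rf = int(mgr.get("replication_factor", 3))
    sf = int(mgr.get("search_factor", 2))
    if sf > rf:
        problems.append(f"search_factor {sf} exceeds replication_factor {rf}")
    if rf > peers:
        problems.append(f"replication_factor {rf} exceeds peer count {peers}")
    return problems
```

Run it against the real stanzas collected from each host before starting the manager; an empty list means the roles, secret and factors line up.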
