
Splunk Lab - Minimum servers

Esky73
Builder

Hi,

Creating a Splunk lab to play around with configurations etc.

Will the following suffice - any gotchas (ports etc.), or can they all share the mgmt port on the deployer box:

2 x SH
2 x IDX
1 x Deployer consisting of - Deployer, deployment server, CM, LM (can they all co-exist)
2 x UFs

Cheers.

0 Karma

Lucas_K
Motivator

All those will need their own ports as they will complain about it during start up. Splunkweb, splunkd, app port, kvstore ports should all be unique.

Also create individual host names in server.conf and inputs.conf. This serves two purposes:

  1. You can tell what is going on when you check internals.
  2. Distsearch requires unique names to work (it's used for the public key storing directory name).

Also perhaps throw in a heavy forwarder so you can try out advanced routing techniques.

0 Karma
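The uniqueness requirement in the reply above can be checked before starting a second install on the same box. This is an added example, not part of the original thread: the install path `/opt/splunk`, the host name `lab-cm` and all sample values are constructed, and the check reads only explicitly set `httpport`, `mgmtHostPort`, `appServerPorts` (web.conf), `serverName` and KV store `port` (server.conf).

```python
import configparser
from collections import defaultdict

# Constructed sample settings for two Splunk installs on one lab box (assumed values).
INSTANCES = {
    "/opt/splunk": {
        "web.conf": "[settings]\nhttpport = 8000\nmgmtHostPort = 127.0.0.1:8089\nappServerPorts = 8065\n",
        "server.conf": "[general]\nserverName = lab-cm\n[kvstore]\nport = 8191\n",
    },
    "/opt/splunk_shc": {  # copied install: web and KV store ports changed, the rest forgotten
        "web.conf": "[settings]\nhttpport = 8001\nmgmtHostPort = 127.0.0.1:8089\nappServerPorts = 8066\n",
        "server.conf": "[general]\nserverName = lab-cm\n[kvstore]\nport = 8192\n",
    },
}

# (file, stanza, key) triples whose value binds a TCP port.
PORT_KEYS = [("web.conf", "settings", "httpport"), ("web.conf", "settings", "mgmtHostPort"),
             ("web.conf", "settings", "appServerPorts"), ("server.conf", "kvstore", "port")]

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    return cp

def find_conflicts(instances):
    """Return (ports used more than once, serverNames used more than once)."""
    ports, names = defaultdict(list), defaultdict(list)
    for home, files in instances.items():
        confs = {fname: parse(text) for fname, text in files.items()}
        for fname, stanza, key in PORT_KEYS:
            value = confs[fname].get(stanza, key, fallback=None) if fname in confs else None
            for item in (value or "").split(","):
                if item.strip():  # accepts "8065", "8065,8066" and "127.0.0.1:8089"
                    port = int(item.strip().rsplit(":", 1)[-1])
                    ports[port].append(f"{home} {fname} [{stanza}] {key}")
        name = confs["server.conf"].get("general", "serverName", fallback=None)
        if name:
            names[name].append(home)
    return ({p: u for p, u in ports.items() if len(u) > 1},
            {n: h for n, h in names.items() if len(h) > 1})

if __name__ == "__main__":
    port_clashes, name_clashes = find_conflicts(INSTANCES)
    for port, users in port_clashes.items():
        print(f"port {port} claimed by: {users}")
    for name, homes in name_clashes.items():
        print(f"serverName {name!r} reused by: {homes}")
```

A setting that an install leaves unset falls back to Splunk's default, which this check does not see, so set every port explicitly in each instance before comparing.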

Esky73
Builder

Thanks Lucas,

For clarification:

If I don't need 2 x SH at this stage - and therefore no deployer.
If a deployer was required then I'd have to install Splunk in a new location if I was using the same box, e.g. /opt/splunk_shc, and I would need to change the ports?

So the LM, CM and deployment server can all co-exist on the one box with no port adjustments - they can all use the mgmt port 8089?

0 Karma

nickhills
Ultra Champion

Yes, LM and CM are just "features" of the main Splunk Enterprise install and simply need to be "enabled" (as are DM and Deployer too for that matter).

You will therefore only need one Splunk install for all 4 of these services to work (albeit not best practice).

If my comment helps, please give it a thumbs up!
0 Karma

esix_splunk
Splunk Employee

In a lab, this should be more than sufficient.

However, for a SHC (search head cluster), you need to have a minimum of 3 servers for the SHC to function properly. That being said, you can force a captain with two members, but it's a manual process as described in the docs at: http://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/SHCarchitecture

On a side note, in a production environment, you would want to separate the roles of these servers. Typically the CM and LM can coexist on lower spec machines (perfect for virtualization). The deployer and DS can also co-exist, however, depending upon the number of clients, having a dedicated DS is typically recommended.

Cheers
Eric

Esky73
Builder

Cheers Eric .. yep aware of the prod requirements - thanks for the SHC tip.

0 Karma