#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Lab - Minimum servers

Esky73
Builder
‎02-13-2017 04:51 PM

Hi,

Creating a Splunk lab to play around with configurations etc ..

Will the following suffice - any gotchyas (ports etc) or can they all share the mgmt port on the deployer box :

2 x SH
2 x IDX
1 x Deployer consisting of - Deployer, deployment server, CM, LM (can they all co-exist)
2 x UF's

Cheers.

Tags (1)
0 Karma
Reply

Lucas_K
Motivator
‎02-14-2017 12:28 AM

All those will need their own ports as they will complain about it during start up. Splunkweb, splunkd, app port,kvstore ports should all be unique.

Also create individual host names in server.conf and inputs.conf. This servers two purposes.

  1. You can tell what is going on when you check internals.
  2. Distsearch requires unique names to work (it's used for the public key storing directory name).

Also perhaps throw in a heavy forwarder so you can try out advanced routing techniques.

0 Karma
Reply

Esky73
Builder
‎02-14-2017 02:56 PM

Thanks Lucas,

For Clarification :

If i don't need 2 x SH at this stage - and therefore no deployer.
If a deployer was required then i'd have to install splunk in a new location if i was using the same box eg /opt/splunk_shc and i would need to change the ports ?

So the LM, CM and deployment server can all co-exist on the one box with no port adjustments - they can all use the mgmt port 8089 ?

0 Karma
Reply

nickhills
Ultra Champion
‎02-14-2017 11:01 PM

Yes, LM and CM are just "features" of the main Splunk Enterprise install and simply need to be "enabled" - (as are DM and Deployer too for that matter)

You will therefore only need one splunk install for all 4 of these services to work (albeit not best practice)

If my comment helps, please give it a thumbs up!
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎02-13-2017 04:57 PM

In a lab, this should be more then sufficient.

However, for a SHC (search head cluster,) you need to have a minimum of 3 servers for the SHC to function properly. That being said, you can force a captain with two members, but its a manual process as described in the docs on : http://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/SHCarchitecture

On a side note, in a production environment, you would want to separate the roles of these servers. Typically the CM and LM and coexist on lower spec machines (perfect for virtualization). The deployer and DS can also co-exist, however, depending upon the number of clients, having a dedicated DS is typically recommended.

Cheers
Eric

Reply

Esky73
Builder
‎02-13-2017 05:19 PM

Cheers Eric .. yep aware of the prod requirements - thanks for the SHC tip.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...