Configure a Splunk Deployment Server
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Configure a Splunk Deployment Server
A deployment server sends configuration changes to deployment clients. Configurations are stored in bundle directories divided by server class. To configure server classes, read configuring server classes.
Any Splunk instance can be a deployment server. First, install Splunk on the server. Then, configure settings via deployment.conf.
Configuration
First, create a deployment.conf in $SPLUNK_HOME/etc/bundles/local/ (or your own custom bundle directory).
The first stanza in deployment.conf looks like this:
[distributedDeployment] serverClassPath=$SPLUNK_HOME/etc/modules/distributedDeployment/classes
serverClassPath=$SPLUNK_HOME/etc/modules/distributedDeployment/classes
- This is the path to server class configurations.
- Defaults to
$SPLUNK_HOME/etc/modules/distributedDeployment/classes. - Do not change the default, unless you decide to store your server class configurations in a different directory.
Next, configure server classes. The server class stanza looks like:
[distributedDeployment-classMaps] $IP_RANGE1 | $DNS1 = $SERVER_CLASSA, $SERVER_CLASSB $IP_RANGE2 | $DNS2 = $SERVER_CLASSC
Finally, set server parameters for either multicast or polling. You must stick with either multicast or polling on both the client and server side.
multicast
A stanza for multicast looks like this:
[distributedDeployment-multicast] sendMulticast=true multicastURI=<IP:PORT> interfaceIP=<IP> frequency=<integer> useDNS=<true/false>
[distributedDeployment-multicast]
- Set multicast configuration options under this stanza name.
- Follow this stanza name with any number of the following attribute/value pairs.
- If you do not specify an entry for each attribute, Splunk will use the default value.
sendMulticast = <true/false>
- To use multicast, set this to true.
- Defaults to false.
multicastUri = <IP:Port>
- What multicast group to send to.
- Only used if 'sendMulticast = true'.
- Multicast is disabled if this field is not set.
- No default.
interfaceIP = <IP Address>
- Optional setting.
- The IP address of the interface to send multicast packets on.
- Defaults to whatever the kernel picks (usually sufficient).
frequency = <integer>
- How often (in seconds) to send multicast packets.
- Defaults to 30 seconds.
useDNS = <true/false>
- Optional setting.
- Look up host name.
- Defaults to false.
polling
A stanza for polling looks like this:
[distributedDeployment-multicast] sendMulticast=false
sendMulticast=false
- Set this to false to enable polling.
NOTE: With polling, most configurations are set on the client side.
Example
Here are two different example deployment.conf files. Configure your deployment.conf and place it in $SPLUNK_HOME/etc/bundles/local/ or your own custom bundle directory.
multicast
Here's a basic config, enabled for multicast:
[distributedDeployment] serverClassPath=/opt/splunk/etc/modules/distributedDeployment/classes [distributedDeployment-multicast] sendMulticast=true multicastUri=225.0.0.39:9999 [distributedDeployment-classMaps] www.* = web,apache 10.1.1.2* = osx
polling
Here's the same basic config, but enabled for polling:
[distributedDeployment] serverClassPath=/opt/splunk/etc/modules/distributedDeployment/classes [distributedDeployment-multicast] sendMulticast=false [distributedDeployment-classMaps] www.* = web,apache 10.1.1.2* = osx
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.