Configure a Splunk deployment server
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Configure a Splunk deployment server
A Splunk deployment server sends configuration changes to deployment clients. Configurations are stored in directories divided by server class. To configure server classes, read configuring server classes.
Any Splunk instance can be a deployment server. First, install Splunk on the server. Then, configure settings via deployment.conf.
Edit deployment.conf
First, create a deployment.conf in $SPLUNK_HOME/etc/system/local/ (or your own custom directory).
Include the following as the first stanza in deployment.conf:
[distributedDeployment]
[distributedDeployment]
- Include this stanza header to load the deployment server module.
- Note: You must include this stanza header, even if you don't specify a
serverClassPath.
Optionally specify the path to the server class configurations:
[distributedDeployment]
serverClassPath=$SPLUNK_HOME/etc/modules/distributedDeployment/classes
- This is the path to server class configurations.
- Defaults to
$SPLUNK_HOME/etc/modules/distributedDeployment/classes. - Do not change the default, unless you decide to store your server class configurations in a different directory.
Next, configure server classes. The server class stanza looks like:
[distributedDeployment-classMaps] $IP_RANGE1 | $DNS1 = $SERVER_CLASSA, $SERVER_CLASSB $IP_RANGE2 | $DNS2 = $SERVER_CLASSC
Finally, set server parameters for either multicast or polling. You must stick with either multicast or polling on both the client and server side.
Specify communication over multicast
If your deployment server and all clients are on the same LAN, use multicast for communication among them.
A stanza for multicast looks like this:
[distributedDeployment-multicast] sendMulticast=true multicastURI=<IP:PORT> interfaceIP=<IP> frequency=<integer> useDNS=<true/false>
[distributedDeployment-multicast]
- Set multicast configuration options under this stanza name.
- Follow this stanza name with any number of the following attribute/value pairs.
- If you do not specify an entry for each attribute, Splunk will use the default value.
sendMulticast = <true/false>
- To use multicast, set this to true.
- Defaults to false.
multicastUri = <IP:Port>
- What multicast group to send to.
- Only used if 'sendMulticast = true'.
- Multicast is disabled if this field is not set.
- No default.
interfaceIP = <IP Address>
- Optional setting.
- The IP address of the interface to send multicast packets on.
- Defaults to whatever the kernel picks (usually sufficient).
frequency = <integer>
- How often (in seconds) to send multicast packets.
- Defaults to 30 seconds.
useDNS = <true/false>
- Optional setting.
- Look up host name.
- Defaults to false.
Specify communication by polling
If your deployment server and its clients are across multiple subnets, you must use polling for communication among them.
A stanza for polling looks like this:
[distributedDeployment-multicast] sendMulticast=false
sendMulticast=false
- Set this to false to enable polling.
NOTE: With polling, most configurations are set on the client side.
Example multicast configuration
Configure your deployment.conf and place it in $SPLUNK_HOME/etc/system/local/ or your own custom configuration directory.
Here's a basic config, enabled for multicast:
[distributedDeployment] serverClassPath=/opt/splunk/etc/modules/distributedDeployment/classes [distributedDeployment-multicast] sendMulticast=true multicastUri=225.0.0.39:9999 [distributedDeployment-classMaps] www.* = web,apache 10.1.1.2* = osx
Important: The multicastUri port, shown here as 9999, should be set to your splunkd or management port.
Example polling configuration
Configure your deployment.conf and place it in $SPLUNK_HOME/etc/system/local/ or your own custom configuration directory.
Here's the same basic config, but enabled for polling:
[distributedDeployment] serverClassPath=/opt/splunk/etc/modules/distributedDeployment/classes [distributedDeployment-multicast] sendMulticast=false [distributedDeployment-classMaps] www.* = web,apache 10.1.1.2* = osx
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.