About deployment server
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
About deployment server
Splunk deployments range in size from departmental, single server installations, where one Splunk instance handles all tasks ranging from data input to indexing to search and reporting, to enterprise distributed deployments with data flowing between thousands of instances of Splunk forwarders, indexers, and search heads. Splunk provides valuable tools to handle distributed deployments of any size. Chief among them is the Splunk deployment server and its features.
The deployment server is Splunk's technology for pushing out configurations and content to distributed Splunk instances. A key use case for the deployment server is to manage configuration for groups of forwarders. For example, if you have several sets of forwarders, each set residing on a different machine type, you can use the deployment server to push out different content according to machine type. Similarly, in a distributed search environment, you can use a deployment server to push out content to sets of indexers. If you want an overview of the different ways you can design a Splunk deployment in your organization, check out the deployment information in the Community Wiki.
The first several topics in this section explain how to configure a deployment server and its clients. Topics then follow that show how to employ this technology for specific use cases.
The big picture (in words and diagram)
In a Splunk deployment, you use a deployment server to push out content and configurations (collectively called deployment apps) to deployment clients, grouped into server classes.
A deployment server is a Splunk instance that acts as a centralized configuration manager, collectively managing any number of Splunk instances, called "deployment clients". Any Splunk instance -- even one indexing data locally -- can act as a deployment server.
A deployment client is a Splunk instance remotely configured by a deployment server. A Splunk instance can be both a deployment server and client at the same time. Each Splunk deployment client belongs to one or more server classes.
A server class is a set of deployment clients, grouped by some set of configuration characteristics, so that they can be managed as a unit. You can group clients by application, OS, type of data, or any other feature of your Splunk deployment. To update the configuration for a set of clients, the deployment server pushes out configuration files to all or some members of a server class. Besides configuration settings, you can use the deployment server to push out any sort of content. Server classes are configured on the deployment server.
This diagram provides a conceptual overview of the relationship between a deployment server and its set of deployment clients and server classes:
In this example, each deployment client is a Splunk forwarder that belongs to two server classes, one for its OS and the other for its geographical location. The deployment server maintains the list of server classes and uses those server classes to determine what content to forward to each client. For an example of how to implement this type of arrangement to govern the flow of content to clients, see "Deploy several standard forwarders".
A deployment app is a set of deployment content (including configuration files) deployed as a unit to clients of a server class. A deployment app might consist of just a single configuration file, or it can consist of many files. Depending on filtering criteria, an app might get deployed to all clients in a server class or to a subset of clients. Over time, an app can be updated with new content and then redeployed to its designated clients. The deployment app can be an existing Splunk app, or one developed solely to group some content for deployment purposes.
Note: The term "app" has a somewhat different meaning in the context of the deployment server from its meaning in the general Splunk context. For more information on Splunk apps, see "What are apps and add-ons?".
For more information on deployment servers, server classes, and deployment apps, see "Define server classes". For more information on deployment clients, see "Configure deployment clients".
A multi-tenant environment means that you have more than one deployment server running on the same Splunk instance, and each deployment server is serving content to its own set of deployment clients. For information about multi-tenant environments, see "Deploy in multi-tenant environments".
Key terms
Here's a recap of the key definitions:
| Term | Meaning |
|---|---|
| deployment server | A Splunk instance that acts as a centralized configuration manager. It pushes configuration updates to other Splunk instances. |
| deployment client | A remotely configured Splunk instance. It receives updates from the deployment server. |
| server class | A deployment configuration shared by a group of deployment clients. A deployment client can belong to multiple server classes. |
| deployment app | A unit of content deployed to one or more members of a server class. |
| multi-tenant environment | A deployment environment involving multiple deployment servers. |
Communication between deployment server and clients
The deployment client periodically polls the deployment server, identifying itself. The deployment server then reviews the information in its configuration to find out if there is something new or updated to push out to that particular client. If there is new content to deploy to a given deployment client, the deployment server tells the client exactly what it should retrieve. The deployment client then retrieves the new content and treats it according to the instructions specified for the server class it belongs to--maybe it should restart, run a script, or just wait until someone tells it to do something else.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.