About deployment server
Important: The deployment server handles configuration and content updates to existing Splunk installations. You cannot use it to install or upgrade Splunk software components.
To learn how to install and deploy Splunk, see "Step-by-step installation procedures" for full Splunk and "Universal forwarder deployment overview" for the Splunk universal forwarder. To learn how to upgrade your deployment to a new version of Splunk, see "Upgrade your deployment".
The deployment server is Splunk's tool for pushing out configurations, apps, and content updates to distributed Splunk instances. You can use it to push updates to any Splunk component: forwarder, indexer, or search head.
A key use case is to manage configuration for groups of forwarders. For example, if you have several sets of forwarders, each set residing on a different machine type, you can use the deployment server to push out different content according to machine type. Similarly, in a distributed search environment, you can use a deployment server to push out content to sets of indexers.
Important: Do not use deployment server to manage configuration files across nodes in a cluster. Instead, use the configuration bundle method discussed in "Update common peer configurations" in the Managing Indexers and Clusters manual.
The first several topics in this section explain how to configure a deployment server and its clients. Later topics show how to apply this technology to specific use cases.
The big picture (in words and diagram)
In a Splunk deployment, you use a deployment server to push out content and configurations (collectively called deployment apps) to deployment clients, grouped into server classes.
A deployment server is a Splunk instance that acts as a centralized configuration manager, collectively managing any number of Splunk instances, called "deployment clients". Any full, enterprise Splunk instance -- even one indexing data locally -- can act as a deployment server.
A deployment client is a Splunk instance remotely configured by a deployment server. A Splunk instance can be both a deployment server and client at the same time. Each deployment client belongs to one or more server classes.
A server class is a set of deployment clients, grouped by configuration characteristics, managed as a unit. You can group clients by application, OS, type of data, or any other feature of your Splunk deployment. To update the configuration for a set of clients, the deployment server pushes configuration files to all or some members of a server class. Besides configuration files, you can push any sort of content. You configure server classes on the deployment server.
This diagram provides a conceptual overview of the relationship between a deployment server and its set of deployment clients and server classes:
In this example, each deployment client is a Splunk forwarder that belongs to two server classes, one for its OS and the other for its geographical location. The deployment server maintains the list of server classes and uses those server classes to determine what content to push to each client. For an example of how to implement this type of arrangement to govern the flow of content to clients, see "Deploy several forwarders".
A deployment app is a set of deployment content (including configuration files) deployed as a unit to clients of a server class. A deployment app might consist of just a single configuration file, or it can consist of many files. Depending on filtering criteria, an app might get deployed to all clients in a server class or to a subset of clients. Over time, an app can be updated with new content and then redeployed to its designated clients. The deployment app can be an existing Splunk app, or one developed solely to group some content for deployment purposes.
Note: The term "app" has a somewhat different meaning in the context of the deployment server from its meaning in the general Splunk context. For more information on Splunk apps in general, see "What are apps and add-ons?".
For more information on deployment servers, server classes, and deployment apps, see "Define server classes". For more information on deployment clients, see "Configure deployment clients".
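The arrangement described above, where each forwarder belongs to one OS server class and one location server class, could be expressed as follows. This is an added illustration, not configuration taken from the Splunk documentation; the host name patterns, server class names, app names, and the deployment server address are constructed, and each named app is assumed to exist as a directory under $SPLUNK_HOME/etc/deployment-apps on the deployment server.

```ini
# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# All class names, app names and host patterns are constructed examples.

# Server classes keyed on OS. A client named "lnx-east-01" matches os_linux.
[serverClass:os_linux]
whitelist.0 = lnx-*

[serverClass:os_linux:app:inputs_linux]
stateOnClient = enabled
# Restart the client after this app is installed or updated.
restartSplunkd = true

[serverClass:os_windows]
whitelist.0 = win-*

[serverClass:os_windows:app:inputs_windows]
stateOnClient = enabled
restartSplunkd = true

# Server classes keyed on location. "lnx-east-01" also matches loc_east,
# so it receives both inputs_linux and outputs_east.
[serverClass:loc_east]
whitelist.0 = *-east-*

[serverClass:loc_east:app:outputs_east]
stateOnClient = enabled
restartSplunkd = true

[serverClass:loc_west]
whitelist.0 = *-west-*

[serverClass:loc_west:app:outputs_west]
stateOnClient = enabled
restartSplunkd = true

# --- Each deployment client: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
[deployment-client]
# How often the client polls the deployment server (value chosen for illustration).
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
# Management port of the deployment server (constructed host name).
targetUri = deploymentserver.example.com:8089
```

Because the whitelist patterns decide which clients receive which apps, an overly broad pattern such as `*` in a server class pushes that class's apps to every client that polls the server.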
A multi-tenant environment means that you have more than one deployment server running on the same Splunk instance, and each deployment server is serving content to its own set of deployment clients. For information about multi-tenant environments, see "Deploy in multi-tenant environments".
Key terms
Here's a recap of the key definitions:
| Term | Meaning |
|---|---|
| deployment server | A Splunk instance that acts as a centralized configuration manager. It pushes configuration updates to other Splunk instances. |
| deployment client | A remotely configured Splunk instance. It receives updates from the deployment server. |
| server class | A deployment configuration category shared by a group of deployment clients. A deployment client can belong to multiple server classes. |
| deployment app | A unit of content deployed to one or more members of a server class or classes. |
| multi-tenant environment | A deployment environment involving multiple deployment servers. |
Communication between deployment server and clients
Each deployment client periodically polls the deployment server, identifying itself. The deployment server then determines whether it has new or updated content to push to that particular client. If there is content, the deployment server tells the client, which then retrieves the content and treats it according to the instructions for the server class it belongs to. Depending on those instructions, the client might restart, run a script, or wait for further instructions.
Lookup tables and deployment server
In some cases, your indexers or search heads might be running apps that save information in lookup tables. Be careful about using the deployment server to manage such instances. When the deployment server pushes an updated app configuration, it overwrites the existing app. At that point, you'll lose those lookup tables.
This documentation applies to the following versions of Splunk: 5.0.2, 5.0.3.
