Splunk® Enterprise

Distributed Deployment Manual


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

About deployment server

Important: The deployment server handles configuration and content updates to existing Splunk installations. You cannot use it to install or upgrade Splunk software components.

To learn how to install and deploy Splunk, see "Step-by-step installation procedures" for full Splunk and "Universal forwarder deployment overview" for the Splunk universal forwarder.

To learn how to upgrade your deployment to a new version of Splunk, see "Upgrade your deployment".

The deployment server is Splunk's tool for pushing out configurations, apps, and content updates to distributed Splunk instances. You can use it to push updates to any Splunk component: forwarder, indexer, or search head.

A key use case is to manage configuration for groups of forwarders. For example, if you have several sets of forwarders, each set residing on a different machine type, you can use the deployment server to push out different content according to machine type. Similarly, in a distributed search environment, you can use a deployment server to push out content to sets of indexers.

Important: Do not use deployment server to manage configuration files across peer nodes (indexers) in a cluster. Instead, use the configuration bundle method discussed in "Update common peer configurations" in the Managing Indexers and Clusters manual. You can, however, use deployment server to distribute updates to cluster search heads.

The first several topics in this section explain how to configure a deployment server and its clients. Topics then follow that show how to employ this technology for specific use cases.

The big picture (in words and diagram)

In a Splunk deployment, you use a deployment server to push out content and configurations (collectively called deployment apps) to deployment clients, grouped into server classes.

A deployment server is a Splunk instance that acts as a centralized configuration manager, collectively managing any number of Splunk instances, called "deployment clients". Any full, enterprise Splunk instance -- even one indexing data locally -- can act as a deployment server.

A deployment client is a Splunk instance remotely configured by a deployment server. A Splunk instance can be both a deployment server and client at the same time. Each deployment client belongs to one or more server classes.

A server class is a set of deployment clients, grouped by configuration characteristics, managed as a unit. You can group clients by application, OS, type of data, or any other feature of your Splunk deployment. To update the configuration for a set of clients, the deployment server pushes configuration files to all or some members of a server class. Besides configuration files, you can push any sort of content. You configure server classes on the deployment server.

This diagram provides a conceptual overview of the relationship between a deployment server and its set of deployment clients and server classes:


In this example, each deployment client is a Splunk forwarder that belongs to two server classes, one for its OS and the other for its geographical location. The deployment server maintains the list of server classes and uses those server classes to determine what content to push to each client. For an example of how to implement this type of arrangement to govern the flow of content to clients, see "Deploy several forwarders".

A deployment app is a set of deployment content (including configuration files) deployed as a unit to clients of a server class. A deployment app might consist of just a single configuration file, or it can consist of many files. Depending on filtering criteria, an app might get deployed to all clients in a server class or to a subset of clients. Over time, an app can be updated with new content and then redeployed to its designated clients. The deployment app can be an existing Splunk app, or one developed solely to group some content for deployment purposes.

Note: The term "app" has a somewhat different meaning in the context of the deployment server from its meaning in the general Splunk context. For more information on Splunk apps in general, see "What are apps and add-ons?".

For more information on deployment servers, server classes, and deployment apps, see "Define server classes". For more information on deployment clients, see "Configure deployment clients".

Key terms

Here's a recap of the key definitions:

| Term | Meaning |
|---|---|
| deployment server | A Splunk instance that acts as a centralized configuration manager. It pushes configuration updates to other Splunk instances. |
| deployment client | A remotely configured Splunk instance. It receives updates from the deployment server. |
| server class | A deployment configuration category shared by a group of deployment clients. A deployment client can belong to multiple server classes. |
| deployment app | A unit of content deployed to one or more members of a server class or classes. |
| multi-tenant environment | A deployment environment involving multiple deployment servers. |

Communication between deployment server and clients

Each deployment client periodically polls the deployment server, identifying itself. The deployment server then determines whether it has new or updated content to push to that particular client. If there is content, the deployment server tells the client, which then retrieves the content and treats it according to the instructions for the server class it belongs to. Depending on those instructions, the client might restart, run a script, or wait for further instructions.
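
The server-class arrangement from the forwarder example and the polling relationship described above, written out as configuration. This is an added example, not taken from the Splunk manual: the host-name patterns, server class names, app names and the deploy.example.com address are assumed for illustration, while the stanza and setting names are those of serverclass.conf and deploymentclient.conf.

```ini
# ---------------------------------------------------------------
# serverclass.conf (on the deployment server)
# Each client matches one OS class and one location class, so it
# receives the apps of both. All names and patterns are constructed.
# ---------------------------------------------------------------

# Server class by OS: matched against the client's name, host name or IP.
[serverClass:os_linux]
whitelist.0 = lnx-*

# App directory expected under $SPLUNK_HOME/etc/deployment-apps/linux_inputs
[serverClass:os_linux:app:linux_inputs]
stateOnClient = enabled
# Client restarts splunkd after receiving new content for this app.
restartSplunkd = true

[serverClass:os_windows]
whitelist.0 = win-*

[serverClass:os_windows:app:windows_inputs]
stateOnClient = enabled
restartSplunkd = true

# Server class by geographical location.
[serverClass:site_sf]
whitelist.0 = *-sf-*

[serverClass:site_sf:app:outputs_sf]
stateOnClient = enabled
restartSplunkd = true

[serverClass:site_ny]
whitelist.0 = *-ny-*

[serverClass:site_ny:app:outputs_ny]
stateOnClient = enabled
restartSplunkd = true

# ---------------------------------------------------------------
# deploymentclient.conf (on each deployment client)
# The client initiates the connection and polls at this interval.
# ---------------------------------------------------------------
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
# Management port of the deployment server (address is a placeholder).
targetUri = deploy.example.com:8089
```

With these settings a forwarder named lnx-sf-01 matches both os_linux and site_sf and receives linux_inputs and outputs_sf. Keep whitelist patterns as narrow as the naming scheme allows, because every matching client downloads and applies whatever the class's apps contain.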

Lookup tables and deployment server

In some cases, your indexers or search heads might be running apps that save information in lookup tables. Be careful about using the deployment server to manage such instances. When the deployment server pushes an updated app configuration, it overwrites the existing app. At that point, you'll lose those lookup tables.


This documentation applies to the following versions of Splunk® Enterprise: 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18
