Splunk® Enterprise

Updating Splunk Enterprise Instances

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Deploy in multi-tenant environments

Note: This feature has been deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see the topic "Deprecated features" in the Release Notes.

Important: It is recommended that you work with Splunk Professional Services when designing a multi-tenant deployment.

A multi-tenant deployment server topology means that you have more than one deployment server running on the same Splunk Enterprise instance, and each deployment server is serving content to its own set of deployment clients. (You can also achieve the same effect by using two instances, each with its own configuration.)

Use tenants.conf to redirect incoming requests from deployment clients to another deployment server or servers. The typical reason for doing this is to offload splunkd's HTTP server -- if too many deployment clients are simultaneously hitting the splunkd HTTP server to download apps and configurations, it can overload the deployment server. Over 400 connections at one time has been shown to bog down splunkd's HTTP server, but this does not take into account hardware or the size of the package the client is downloading.

To set up multiple deployment servers on a single instance, you:

  • Create a tenants.conf containing a whitelist or blacklist that tells deployment clients which deployment server instance to use.
  • Create a separate instance of serverclass.conf for each deployment server, named for that deployment server, like so: <tenantName>-serverclass.conf.
  • For each deployment client, configure deploymentclient.conf the way you would if there were just one deployment server.

What you can define in tenants.conf

You identify the different deployment servers as "tenants" in tenants.conf on the instance that will host these deployment servers. There isn't a tenants.conf file by default, so you must create one in $SPLUNK_HOME/etc/system/local and define the tenants in it.

For each tenant, create a stanza with the heading [tenant:<tenantName>] with these attributes:

Attribute What it's for Default
filterType Set to whitelist or blacklist. Determines the type of filter to use. Deployment clients use the filter to determine which deployment server to access. whitelist


<n> is a number starting at 0, and incrementing by 1. The client stops looking at the filter when <n> breaks.

Set the attribute to one of these value categories:

  • ipAddress: The IP address of the deployment client. You can use wildcards, for example, 10.1.1.*
  • hostname: The host name of deployment client. You can use wildcards, for example, *.splunk.com
  • clientName: A logical, or tag, name that can be assigned to a deployment client in deploymentclient.conf. A clientName takes precedence over ipAddress or hostname when matching a client to a filter.


Here is an example of defining two tenants in the tenants.conf file:

# Define two tenants - dept1 and dept2.
# Deployment server configuration for dept1 will be in a matching dept1-serverclass.conf
# Deployment server configuration for dept2 will be in a matching dept2-serverclass.conf



Compatibility and forwarder management
Extended example: Deploy configurations to several forwarders

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.11, 6.1.12, 6.1.13, 6.1.14

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters