Splunk® Enterprise

Updating Splunk Enterprise Instances

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About deployment server and forwarder management

Important: Before reading this manual, you should be familiar with the fundamentals of Splunk Enterprise distributed deployment, as described in the Distributed Deployment Manual.

Splunk Enterprise provides the deployment server, with its forwarder management interface, to manage the update process across distributed instances of Splunk Enterprise.

What is deployment server?

The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances. You can use it to distribute updates to most types of Splunk Enterprise components: forwarders, non-clustered indexers, and search heads.

The deployment server is just a Splunk Enterprise instance that has been configured to manage the update process across sets of other Splunk Enterprise instances. Depending on the number of instances it's deploying updates to, the deployment server instance might need to be dedicated exclusively to managing updates. For more information, read "Plan a deployment".

The deployment server handles configuration and content updates to existing Splunk Enterprise installations. You cannot use it for initial or upgrade installations of Splunk Enterprise or the universal forwarder. To learn how to install and deploy Splunk Enterprise, see "Step-by-step installation procedures" for full Splunk Enterprise and "Universal forwarder deployment overview" for the Splunk Enterprise universal forwarder. To learn how to upgrade your deployment to a new version of Splunk Enterprise, see "Upgrade your deployment".

What is forwarder management?

Forwarder management is a graphical interface built on top of deployment server that provides an easy way to configure the deployment server and monitor the status of deployment updates. Although its primary purpose is to manage large groups of forwarders, you can use forwarder management to configure the deployment server for any update purposes, including managing and deploying updates to non-clustered indexers and search heads. For most purposes, the capabilities of forwarder management and the deployment server are identical. For more information, see "Forwarder management overview".

Important: If you are upgrading from a pre-6.0 version of the deployment server, your existing serverclass.conf file might not be compatible with the forwarder management interface. This is because forwarder management can handle only a subset of the configurations possible through serverclass.conf. In some cases, you might need to continue to work directly with serverclass.conf, rather than switching to forwarder management as your configuration tool. For details on what configurations are compatible with forwarder management and how to handle deployment server upgrades, see the topic "Compatibility and forwarder management".

What the deployment server offers

The deployment server makes it possible to group Splunk Enterprise components by common characteristics and then distribute content based on those groups.

For example, if you've got Splunk Enterprise instances serving a variety of different needs within your organization, it's likely that their configurations vary depending on who uses them and for what purpose. You might have some instances serving the help desk team, configured with a specific app to accelerate troubleshooting of Windows desktop issues. You might have another group of instances in use by your operations staff, set up with a few different apps designed to track network issues, security incidents, and email traffic management. A third group of instances might serve the Web hosting group within the operations team.

Rather than trying to manage and maintain these divergent Splunk Enterprise instances one at a time, you can group them based on their use, identify the configurations and apps needed by each group, and then use the deployment server to update their apps and configurations when needed.

In addition to grouping Splunk Enterprise instances by use, there are other useful types of groupings you can specify. For example, you might group instances by OS or hardware type, by version, or by geographical location or timezone.

A key use case is to manage configurations for groups of forwarders. For example, if you have forwarders residing on a variety of machine types, you can use the deployment server to deploy different content to each machine type. The Windows forwarders can get one set of configuration updates; the Linux forwarders another, and so on.

Important: Do not use deployment server or forwarder management to manage configuration files across peer nodes (indexers) in a cluster. Instead, use the configuration bundle method discussed in "Update common peer configurations" in the Managing Indexers and Clusters of Indexers manual. You can, however, use deployment server to distribute updates to cluster search heads.

Deployment server architecture

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Triest: <br /><br />I was not aware that Support had made that a requirement. In fact, the documentation states here that you should be able to co-locate the deployment server with an indexer or a search head if servicing under 50 clients:<br /><br />http://docs.splunk.com/Documentation/Splunk/latest/Updating/Calculatedeploymentserverperformance<br /><br />If a change has been made to our requirements, it must be a very recent change, as that page was vetted, by Support among others, at the time that 6.0 was released last year.<br /><br />I will forward your comment and email information to the relevant product manager and ask him to contact you directly concerning this matter.<br /><br />Thank you.

May 20, 2014

Just a clarification, under What is deployment server? it states "Depending on the number of instances it's deploying updates to, the deployment server instance might need to be dedicated exclusively to managing updates. "<br /><br />Splunk support has told us that the configuration server must be dedicated or it is an unsupported configuration. The justification is port contention on 8089.<br /><br />We were quite surprised to be told that (especially since professional services setup our environment with a shared search head deployment server), so I thought I'd try and save others the headache.

May 20, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters