Deployment implementation is the first step in a series of admininstration-related tasks that you must perform to take full advantage of Splunk Enterprise. This topic provides a broad outline of the typical post-deployment tasks, with links to the topics that cover these issues in detail.
Key manuals for a distributed deployment lists the manuals directly related to deployment. You have already encountered sections of these manuals during the deployment process. These same manuals cover post-deployment configuration and management issues. They will serve as an ongoing resource as you fine-tune your system, and you should familiarize yourself with their contents. In addition, other manuals provide guidance on improving and extending your system and fitting the system to the knowledge needs of your end users.
Do these next
These are some of the tasks that you should perform soon after you complete the initial deployment:
- Set up users and roles. See the chapter Users and role-based access control in Securing Splunk Enterprise.
- Read about Splunk Enterprise security. Look closely at the manual Securing Splunk Enterprise.
- Forward the search heads' internal data to their search peers. See Best practice: Forward search head data to the indexer layer in Distributed Search.
Increase the value of your deployment
Once your deployment is up and running and you have dealt with the basics, like security, you are ready to focus on your data: What data to ingest, how to ingest the data, and how to present the data so that your users can use it effectively.
Splunk Enterprise can handle virtually any kind of data. There is a lot to learn about the different types of data and how to configure them, including the important matters of source typing and event processing. For details on all matters related to data input, read Getting Data In. Be sure to study the material on source typing, beginning with Why source types matter.
Next, you need to develop the searches, reports, dashboards, and so on, that make the data valuable and accessible to your users. These objects are collectively known as knowledge objects. The Knowledge Manager Manual is your primary resource for this.
Splunk offers a wide range of pre-built apps that can do most of this work for you. They define data inputs, source types, knowledge objects, and other configurations. They offer you and your users ready-made solutions to many common and uncommon needs. For example, there are apps that monitor the security of your system and other apps for IT operations management. To learn more about, and to download, pre-built apps, see Splunkbase.
You can also create your own apps. See "Develop apps and add-ons for Splunk Enterprise" for guidance on developing apps.
Resources for administering your deployment
The Admin Manual provides guidance on other important tasks. In particular, see Splunk administration: The big picture. It provides links to topics, across a variety of manuals, that describe key administration tasks.
The monitoring console provides a variety of dashboards that you can use to monitor most aspects of the deployment. See Monitor your distributed deployment in this manual. In addition, see Monitoring Splunk Enterprise.
For information on internal log files and other tools for troubleshooting your deployment, see the Troubleshooting Manual.
Distribute apps and other configurations to groups of instances
Splunk Enterprise provides the deployment server to distribute apps and other sets of configurations to groups of Splunk Enterprise instances. This tool is of particular value for managing configurations on forwarders, but it can distribute updates to any Splunk Enterprise instance, including indexers and search heads. See Updating Splunk Enterprise Instances.
To update the nodes on clusters, you do not use the deployment server. Instead, clusters use their own tools:
- In an indexer cluster, the cluster manager distributes updates to peer nodes. See Update common peer configurations and apps in Managing Indexers and Clusters of Indexers.
- In a search head cluster, the deployer distributes updates to cluster members. See Use the deployer to distribute apps and configuration updates in Distributed Search.
You can also use third-party tools to distribute updates.
The rest of the Splunk universe
Splunk Enterprise is only one world in the Splunk universe. Other products include:
- Splunk Cloud for cloud-based access to the features of Splunk Enterprise.
- Splunk Analytics for Hadoop for data exploration, analysis and visualizations for Hadoop, NoSQL, and other data stores.
- A variety of apps and add-ons for extending the capabilities of Splunk Enterprise.
High availability deployment: Indexer cluster
Monitor your distributed deployment
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 9.0.0, 9.0.1, 9.0.2, 9.0.3