Splunk® Enterprise

Updating Splunk Enterprise Instances

About agent manager and agent management

Important: Before reading this manual, you should be familiar with the fundamentals of Splunk Enterprise distributed deployment, as described in the Distributed Deployment Manual.

Splunk Enterprise provides the agent manager, with its agent management interface, to manage the update process across distributed instances of Splunk Enterprise.

What is agent manager?

The agent manager is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances. You can use it to distribute updates to most types of Splunk Enterprise components: forwarders, non-clustered indexers, and search heads.

The agent manager is just a Splunk Enterprise instance that has been configured to manage the update process across sets of other Splunk Enterprise instances. Depending on the number of instances it's deploying updates to, the agent manager instance might need to be dedicated exclusively to managing updates. For more information, read Plan a deployment.

The agent manager handles configuration and content updates to existing Splunk Enterprise installations. You cannot use it for initial or upgrade installations of Splunk Enterprise or the universal forwarder. To learn how to install and deploy Splunk Enterprise, see Step-by-step installation procedures for full Splunk Enterprise and Install the universal forwarder software for the Splunk Enterprise universal forwarder. To learn how to upgrade your deployment to a new version of Splunk Enterprise, see Upgrade your distributed Splunk Enterprise deployment in the Installation Manual.

Is agent manager mandatory?

Agent manager is not required for managing forwarders and other Splunk Enterprise instances. If you prefer, you can use a third-party tool, such as Chef, Puppet, Salt, or one of the Windows configuration tools.

What is agent management?

agent management is a graphical interface built on top of agent manager that provides an easy way to configure the agent manager and monitor the status of deployment updates. Although its primary purpose is to manage large groups of forwarders, you can use agent management to configure the agent manager for any update purposes, including managing and deploying updates to non-clustered indexers and search heads. For most purposes, the capabilities of agent management and the agent manager are identical. For more information, see Agent management overview.

Important: If you are upgrading from a pre-6.0 version of the deployment server, your existing serverclass.conf file might not be compatible with the agent management interface. This is because agent management can handle only a subset of the configurations possible through serverclass.conf. In some cases, you might need to continue to work directly with serverclass.conf, rather than switching to agent management as your configuration tool. For details on what configurations are compatible with agent management and how to handle agent manager upgrades, see the topic Compatibility and agent management.

What the agent manager offers

The agent manager makes it possible to group Splunk Enterprise components by common characteristics and then distribute content based on those groups.

For example, if you've got Splunk Enterprise instances serving a variety of different needs within your organization, it's likely that their configurations vary depending on who uses them and for what purpose. You might have some instances serving the help desk team, configured with a specific app to accelerate troubleshooting of Windows desktop issues. You might have another group of instances in use by your operations staff, set up with a few different apps designed to track network issues, security incidents, and email traffic management. A third group of instances might serve the Web hosting group within the operations team.

Rather than trying to manage and maintain these divergent Splunk Enterprise instances one at a time, you can group them based on their use, identify the configurations and apps needed by each group, and then use the agent manager to update their apps and configurations when needed.

In addition to grouping Splunk Enterprise instances by use, there are other useful types of groupings you can specify. For example, you might group instances by OS or hardware type, by version, or by geographical location or timezone.

A key use case is to manage configurations for groups of forwarders. For example, if you have forwarders residing on a variety of machine types, you can use the agent manager to deploy different content to each machine type. The Windows forwarders can get one set of configuration updates; the Linux forwarders another, and so on.

Agent manager and clusters

You cannot use the agent manager to update indexer cluster peer nodes or search head cluster members.

Indexer clusters

Do not use agent manager or agent management to manage configuration files across peer nodes (indexers) in an indexer cluster. Instead, use the configuration bundle method. You can, however, use the agent manager to distribute updates to the manager node, which then uses the configuration bundle method to distribute them to the peer nodes. See Update common peer configurations in the Managing Indexers and Clusters of Indexers manual.

Search head clusters

Do not use agent manager to update search head cluster members.

The agent manager is not supported as a means to distribute configurations or apps to cluster members. To distribute configurations across the set of members, you must use the search head cluster deployer. See Use the deployer to distribute apps and configuration updates in the Distributed Search manual.

Last modified on 27 May, 2025
  Agent manager architecture

This documentation applies to the following versions of Splunk® Enterprise: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters