I am in the process of revamping our Splunk installation. This time around we are attempting to implement a more distributed system.
In the past we have had a single server running everything, indexing, searching, deployment services, etc. Currently I have a system set up running the Indexer, KV Store, License Master, and Search Head and another running the Deployment Server and Distributed Management Console. Indexing will be offloaded to other indexers as the buildout progresses.
With the deployment server on a separate system, I am confused by the following scenario.
I have created a deployment application directly in the filesystem to configure the Universal Forwarders to forward data to the indexer. This is working as expected.
Then to set up data imports, I log in to the system running the deployment server, click 'Settings', 'Data Inputs', under Forwarded Inputs 'Files & Directories', 'Add new'. I progress through the wizard until asked about the index. I cannot see the indexes that were created on the other system.
If I use the same process on the Search Head/Indexer, the first page of the wizard gives me a "There are currently no forwarders configured as deployment clients to this instance."
This all leads me to believe I am using the system incorrectly. While the documentation goes through how to set up everything, it doesn't really cover what instance you should do what functions under. It seems to me the %SPLUNK_HOME/etc/deployment-apps should be shared between systems, so the deployment server has them to deploy and the other systems have it to be configured via the web interface.
Any help in clearing this up will be greatly appreciated.
Thank you in advance,
Jeremy