Configure a Splunk Deployment Server

Configure a Splunk Deployment Server

A deployment server sends configuration changes to deployment clients. Configurations are stored in bundle directories divided by server class. To configure server classes, read configuring server classes.

Any Splunk instance can be a deployment server. First, install Splunk on the server. Then, configure settings via deployment.conf.

Configuration

First, create a deployment.conf in $SPLUNK_HOME/etc/bundles/local/ (or your own custom bundle directory).

The first stanza in deployment.conf looks like this:

[distributedDeployment]
serverClassPath=$SPLUNK_HOME/etc/modules/distributedDeployment/classes

serverClassPath=$SPLUNK_HOME/etc/modules/distributedDeployment/classes

• This is the path to server class configurations.
• Defaults to $SPLUNK_HOME/etc/modules/distributedDeployment/classes.
• Do not change the default, unless you decide to store your server class configurations in a different directory.

Next, configure server classes. The server class stanza looks like:

[distributedDeployment-classMaps]
$IP_RANGE1 | $DNS1 = $SERVER_CLASSA, $SERVER_CLASSB
$IP_RANGE2 | $DNS2 = $SERVER_CLASSC

Finally, set server parameters for either multicast or polling. You must stick with either multicast or polling on both the client and server side.

multicast

A stanza for multicast looks like this:

[distributedDeployment-multicast]
sendMulticast=true
multicastURI=<IP:PORT>
interfaceIP=<IP>
frequency=<integer>
useDNS=<true/false>

[distributedDeployment-multicast]

• Set multicast configuration options under this stanza name.
• Follow this stanza name with any number of the following attribute/value pairs.
• If you do not specify an entry for each attribute, Splunk will use the default value.

sendMulticast = <true/false>

• To use multicast, set this to true.
• Defaults to false.

multicastUri = <IP:Port>

• What multicast group to send to.
• Only used if 'sendMulticast = true'.
• Multicast is disabled if this field is not set.
• No default.

interfaceIP = <IP Address>

• Optional setting.
• The IP address of the interface to send multicast packets on.
• Defaults to whatever the kernel picks (usually sufficient).

frequency = <integer>

• How often (in seconds) to send multicast packets.
• Defaults to 30 seconds.

useDNS = <true/false>

• Optional setting.
• Look up host name.
• Defaults to false.

polling

A stanza for polling looks like this:

[distributedDeployment-multicast]
sendMulticast=false

sendMulticast=false

• Set this to false to enable polling.

NOTE: With polling, most configurations are set on the client side.

Example

Here are two different example deployment.conf files. Configure your deployment.conf and place it in $SPLUNK_HOME/etc/bundles/local/ or your own custom bundle directory.

multicast

Here's a basic config, enabled for multicast:

[distributedDeployment]
serverClassPath=/opt/splunk/etc/modules/distributedDeployment/classes
 
[distributedDeployment-multicast]
sendMulticast=true
multicastUri=225.0.0.39:9999
   
[distributedDeployment-classMaps]
www.* = web,apache
10.1.1.2* = osx

polling

Here's the same basic config, but enabled for polling:

[distributedDeployment]
serverClassPath=/opt/splunk/etc/modules/distributedDeployment/classes
 
[distributedDeployment-multicast]
sendMulticast=false
   
[distributedDeployment-classMaps]
www.* = web,apache
10.1.1.2* = osx