• How Splunk Works
  • How Splunk Works
    • About Splunk
    • Indexing
    • User interaction
    • Users and access controls
    • Distributed deployments
    • Configuration
    • SplunkBase
    • Developer APIs and integration features
    • Licensing
• Getting Started
  • About the getting started section
  • Installation
  • Administration Basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Start Splunk for the first time
  • Find and index data
    • Add Data
    • Tail a file
    • Find logfiles
    • Get help configuring your sources
  • Add more users
    • User roles
    • Splunk local users
    • LDAP
• Configuring a Splunk Deployment
  • Choose a Deployment Model
    • Single server
    • Distributed input
    • Distributed indexing
    • Data redundancy
    • Partitioning
    • Forwarding to non-Splunk systems
    • LDAP integration
  • Decide how Splunk should index your data
    • Create additional indexed fields
    • Tweak default processing
    • Mask sensitive data
    • Change indexing density
    • Eliminate processing steps
    • Filter and route data
  • Install Splunk on every host
  • Configure the forwarding servers
    • Define server classes
    • Inputs
    • Processing properties
    • Data distribution
    • Data policy
    • Authentication
  • Set up the deployment server
    • Configure the deployment server
    • Set up deployment classes
  • Start Splunking
• Data Inputs
  • How input configuration works
    • Data input types
    • Indexing properties
  • Configure inputs via SplunkWeb
    • Configuration
    • Files and directories
    • FIFO queues
    • Network ports
  • Configure inputs via the CLI
    • Data input commands
    • Data input types
    • Examples
  • Scripted inputs
    • Configuration
    • Example
  • File whitelisting / blacklisting
    • Configuration
    • Example
    • Verification tool
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via SplunkWeb
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via SplunkWeb
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
  • Host name configuration examples
    • Setting host through inputs.conf
    • Setting host through transforms.conf and props.conf
• Source Types
  • How source types work
    • Sources and source types
    • How sourcetype:: values are set
    • Custom indexing linked to source types
    • Eliminate processing steps
    • Configuration files for source types
  • Set source type for an input
    • via SplunkWeb
    • via configuration files
  • Set a source type for a source
    • via configuration files
  • Train Splunk on a sourcetype
    • via the CLI
  • Create an alias for a source type
    • via SplunkWeb
• Timestamp Recognition
  • How Splunk recognizes timestamps
    • Timestamp precedence
    • Configuration files for timestamps
  • Configure Splunk to recognize a timestamp
    • Positional timestamp extraction
    • Specify timestamp format
    • Set time zone
    • Set Splunk to use the European date format
  • Train Splunk to recognize timestamps
    • About training
    • via the CLI
  • How to configure timezone offsets
    • Configuration
    • Posix TZ formats
    • Examples
  • Tune Timestamping
    • Turn off timestamp lookahead
• Events
  • How events work
    • Event or event type
    • How event recognition works
    • Configuration files for event boundaries
  • Large events
  • Multiline events
    • Configuration
    • Examples
  • Mask sensitive data in an event
    • Configuration
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Auto-discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Configure auto-discovery
    • Configuration
    • Example
  • punct::
  • Save event types via SplunkWeb
    • Configuration
    • Example
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
  • Considerations for event types in distributed environments
• Meta Events
  • How meta events work
    • Transitive meta events
    • Configuration files for meta events
  • Configure meta events
    • Configuration
    • Examples
• Fields
  • How fields work
    • Search fields vs extracted fields
    • Disable fields entirely
    • Configuration files for fields
  • Define additional extracted fields
    • Configuration
    • Example
  • Field actions
    • Configuration
• Segmentation
  • How segmentation works
    • Configuration files for segmentation
• Saved Searches and Alerts
  • How saved searches work
    • Saved searches
    • Alerting
  • Set up saved searches
    • via SplunkWeb
    • via configuration files
  • Set up Alerts
    • via SplunkWeb
    • via configuration files
    • Script options
  • Send SNMP traps
    • Configuration
  • Send syslog events
    • Configuration
    • Example
  • Considerations for saved searches and alerts in a distributed environment
• Authentication
  • How authentication works
  • SSL
    • Configuration
    • SSL for SplunkWeb
  • Set up users
  • Set up LDAP
    • Configure your Authentication Strategy via SplunkWeb
    • Configure Splunk to use your LDAP server
    • Determine your User and Group Base DN
    • Map existing LDAP groups to Splunk Roles
    • Test your LDAP configuration
    • Sample configurations
• Data Distribution
  • How data distribution works
    • Data forwarding
    • Data routing
    • Data cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Receiving
    • Forwarding
    • Lite-weight forwarding and routing
  • Set up routing
    • Configuration
    • Examples
  • Route data to third-party systems
    • Configuration
    • Example
  • Enable cloning
  • Set up SSL
    • Forwarder
    • Receiver
  • Set up data balancing
    • Configuration
    • Example
  • Filtering and routing
    • Configuration
    • Example
  • Filter data before forwarding
  • Route specific events to an alternate index
    • Configuration
    • Example
• Granular Access Control
  • How Granular Access Control works
    • Configuration files for access controls
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via SplunkWeb
  • Enable distributed search via the CLI
    • Configuration
  • Configuration files for distributed search
  • Users in a distributed search setup
  • Exclude specific Splunk servers from distributed searches
• Deployment Server
  • How the deployment server works
    • Communication between deployment server and client
    • Configuration files for deployment server
  • Configure a Splunk Deployment Server
    • Create a deployment server
    • Configuration
    • Examples
  • Configure deployment clients
    • Enable the client and server
    • Sync the server and client
  • Configuration changes after initial deployment
  • Using Splunk with 3rd Party configuration management systems
• Index Management
  • How Index Management Works
    • Data management
    • Configuration files for index management
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Set retirement policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Restoring archived data
    • Restoring a copied index archive
  • Configuration files for data policy
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Set up a WORM datastore
  • Reducing Index Density
  • Delete data from the index
    • Delete everything
    • Delete a subset of events
• Bundles
  • What are Bundles?
  • Bundle directory structure
  • Bundle precedence
  • Bundle best practice
    • Testing bundles
• SplunkBase
  • Why use SplunkBase?
  • Sharing add-ons on SplunkBase
    • Creating Add-ons
    • Best practices for making add-ons containing Splunk configuration
    • Submit your add-on
  • Finding and downloading add-ons on SplunkBase
    • Implementing add-ons from SplunkBase
  • Looking up events on SplunkBase
    • Configuration
  • Security and privacy considerations
  • Control user access to SplunkBase
• Performance Tuning
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • eventdiscoverer.conf
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • Tuning indexes.conf
    • Tuning props.conf
    • Make SplunkWeb search faster
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • Network utilization
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
  • Virtual machines
• Routine Maintenance
  • System backups
    • Backups in 3 Easy Steps
  • Monitoring Splunk
    • via SplunkWeb
• How-To
  • Harden a Splunk server
  • Secure network connections
  • Restore a failed server
  • Add or Remove an index
    • Create an index
    • Delete an index
  • Move an index
    • Configuration
  • Change data policy to recover space
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Public server setup
  • Determine daily volume
  • Set up auto-refresh
  • Upgrade your license for more data
  • How to use Splunk 2 Nagios
    • What Nagios logs
    • Install the Splunk2Nagios integration
  • Restore a blocked license
  • Customize the built-in help module
  • Configure GUI Timeout
  • Configure the Get Started module
  • Disable SplunkWeb
    • Edit web.conf
    • Run the disable command
    • Re-enable SplunkWeb
  • Place Splunk behind a web proxy
    • Scenario:
    • Solution:
  • Configure OPSEC LEA Input
    • Installation
    • Checkpoint Modification
    • Configuration
  • Cancel Search
  • Reconstitute Logs
    • Export event data
    • CLI search
  • Strip syslog headers before processing
  • Enable HTTPS
    • configuration
• Troubleshooting
  • Splunkd is down
  • Splunk logfiles
    • Internal logs
    • debug
    • log.cfg
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • Cannot access License & Usage tab
    • I installed my license in a Preview release and now it doesn't work!
  • Contact Support
    • Work with Splunk Support
    • Log levels and starting in debug mode
• Reference
  • Splunk CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • Configuration file list
  • access_controls.conf
    • access_controls.conf.spec
  • alert_actions.conf
    • alert_actions.conf.spec
  • auth.conf
    • auth.conf.spec
  • deployment.conf
    • deployment.conf.spec
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
  • eventtypes.conf
    • eventtypes.conf.spec contents
  • field_actions.conf
    • field_actions.conf.spec
  • indexes.conf
    • indexes.conf.spec
  • inputs.conf
    • inputs.conf.spec
  • metaevents.conf
    • metaevents.conf.spec
  • outputs.conf
    • outputs.conf.spec
  • prefs.conf
    • prefs.conf.spec
  • props.conf
    • props.conf.spec
  • savedsearches.conf
    • How to read a savedsearches.conf file
    • savedsearches.conf.spec
  • segmenters.conf
    • segmenters.conf.spec
  • server.conf
    • server.conf.spec
  • transforms.conf
    • transforms.conf.spec
  • user-seed.conf
    • user-seed.conf.spec
  • web.conf
    • web.conf.spec

How the deployment server works

Please note: If you want an overview of deployment, please read the configuring a Splunk deployment section first.

A deployment server is an instance of Splunk that acts as a centralized configuration manager, allowing any number of Splunk servers to be grouped together and managed collectively. Any Splunk instance can be a deployment server, including those that are also indexing data. There can be multiple deployment servers servicing hundreds or thousands of client servers.

Each deployment server must be configured to handle one or more unique server classes. These classes share common configuration definitions and can be managed as a unit. A Splunk instance may be a member of multiple server classes at once.

Deployment servers can deploy bundles as well, as long as the deployment client can handle dynamic configuration when the bundle it is interested in changes. This could include LDAP mapping information, user access controls, etc.

Please note: currently, scripted inputs do not get bundled in the deployment server. In the future, Splunk will support this behavior. For now, please use your preferred configuration automation tool to push your script directory to your server classes.

Communication between deployment server and client

Splunk servers that are remotely configured by deployment servers are called deployment clients. A Splunk instance can be both a deployment server and client at the same time. In general, the system implements the pull model of deployment, where each deployment client pulls its configuration from a deployment server when it senses that there is a difference between the configuration that it currently has and the one on the deployment server.

There are two different ways clients can sense configuration changes.

1. UDP Multicast. The deployment server can be configured to send multicasts of a set of doubles containing the server class name and a configuration bundle's CRC for each server class that it is in charge of deploying. Deployment clients can be configured to listen to the IP and port that the deployment server is multicasting on. They can also specify the interface if needed, otherwise the kernel will select one as the default.
2. Deployment Client Polling. The deployment client can be configured to periodically poll the deployment server, asking it for the server class/CRC pairs that the client is a member of.

Deployment clients that are configured to use multicast do not need any additional configuration parameters to handle multiple deployment servers, but deployment clients that use polling need to be configured with the URI of each deployment server.

Detecting configuration changes

When a deployment client is first run, it looks in its configuration directory and calculates a CRC for each server class configuration bundle that it finds. This pair of server class name and CRC is stored in memory for purposes of later comparison.

Every deployment client automatically becomes a member of 2 server classes, default and its hostname. In the case of 'default', this allows the administrator to target all deployment clients without having to specifically set a name for them. The 'hostname' server class is determined at deployment client startup time by asking for the fully qualified host name of the machine from the DNS server. If the word 'localhost' appears anywhere in the name, the host name class is not set for this server. This server class allows for deploying bundles to individual machines if desired.

If the deployment client senses a configuration change for a server class that it's a member of, it sleeps a random number of seconds between 0 and 30 and then asks the deployment server for a tarball copy of the configuration bundle (using SSL/SOAP on the deployment server's management port). Note that random sleeping is used so that the deployment server doesn't get overwhelmed with too many concurrent requests when a large deployment change has taken place.

In version 3.0 Beta, once the tarball is received, the client moves the previous bundle into a sub directory and then restarts the server.

In 3.0GA and beyond, once the bundle tarball is received, the client moves the previous bundle into a sub directory and then kicks its Splunk instance. This action causes all processors and modules which support the bundle to reload their configuration information without restarting splunkd. If the configuration change requires a system restart, the system will be restarted. If the configuration fetch and kick procedure completed without issue and a restart did not happen, an event is generated to that effect. This event will be indexed by whatever indexer the deployment client is sending data to. In this way, a system administrator can use Splunk to see if all deployments worked properly at any point in time. If the configuration fetch and kick procedure did not work properly, the previous configuration bundle(s) are restored and an event detailing this is sent to the indexer.

How the deployment server keeps track of its clients

The deployment server keeps track of which bundle configuration each client is currently running and which server classes each client is a member of. Because the deployment server uses the pull model, each client must tell the server which version it's using.

Here is a step-by-step description of the process:

• The deployment server boots up:
  • it sets a 'phone home' flag in the multicast packet for 10 multicast sessions (multiple times because UDP multicast is a non-reliable transport).
• Any client that receives the packet containing the flag sends back to the deployment server:
  • the timestamp of each class bundle.
  • a list of server classes that it's a member of.

A client that just sent its info back to the server will not respond to any more of these packets unless the server explicitly sets the flag again, the server is restarted, or the client is restarted. If a client is not listening to multicast because it's not configured to do so, every poll sent to the deployment server contains the same information. If a client comes up and the multicast packet doesn't include the 'phone home' flag, the very first time it hears any multicast packet, it sends its info back to the server. This behavior ensures that newly joined clients are kept track of as well.

If the deployment server has been configured to assign classes to a given host or IP address specifier, the response to the 'phone home' call will include this list of classes. Upon receiving this list, the client will restart itself with the new classes.

Configuration files for deployment server

Both deployment servers and clients are configured in deployment.conf.