Best Practices + New Feature Overview for the Latest Version of Splunk Deployment Server


Copyright 2013 Splunk Inc.
Best Practices + New Feature Overview for the Latest Version of Splunk Deployment Server
Genti Zaimi, Professional Services
#splunkconf

Legal Notices

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2013 Splunk Inc. All rights reserved.

About Me
Genti Zaimi
- Splunk Professional Services, West
- April 2010
- 237
- Splunk Support -> Splunk PS

Agenda
- About Splunk's Deployment Server
- The Big Picture
- Configuration Overview
- Advanced Configurations
- New in Splunk Enterprise 6
- Tips & Tricks
- Questions and Comments

About Splunk's Deployment Server
- What it is not:
  - Deployment server is not IT automation software
  - Deployment server is not a comprehensive provisioning tool
  - Deployment server cannot be used for installation or upgrade of Splunk components
  Puppet/Chef
- What it is:
  - Deployment server is Splunk's configuration management tool
  - Deployment server can be used for pushing out configurations and content updates to distributed Splunk instances
  - Deployment server cannot be used for modifying just a single file; instead the whole app gets updated/installed

The Big Picture
- In a Splunk deployment, you use a deployment server to push out content and configurations to deployment clients, grouped into server classes

The Big Picture
- A deployment server is a Splunk instance that acts as a centralized configuration manager, collectively managing any number of Splunk instances, called "deployment clients"
- Any Splunk instance, even one indexing data locally, can act as a deployment server

The Big Picture
- A deployment client is a Splunk instance remotely configured by a deployment server; a Splunk instance can be both a deployment server and a client at the same time (tiered DS), but this is discouraged
- Each Splunk deployment client can belong to one or more server classes

The Big Picture
- A server class is a set of deployment clients, grouped by some set of configuration characteristics, so that they can be managed as a unit
- Clients can be grouped by:
  - Application
  - OS
  - Type of data
  - Or any other feature of your Splunk deployment


Configuration Overview
- Designate or set up a Splunk instance as the deployment server
- Group the deployment clients into server classes
- Create a serverclass.conf file on the deployment server
- Create a deploymentclient.conf for your deployment clients
- Create your deployment apps

Configuration Overview: Designate or Set Up a Splunk Instance as the Deployment Server
- What should serve as a deployment server?
  - < 50 clients: any Splunk instance can be used.
  - > 50 clients: a designated Splunk instance should be used.
    - Any mixture of duties possible? License master, cluster master and deployment server = OK?

Configuration Overview: Group the Deployment Clients into Server Classes
- A server class defines a deployment configuration shared by a group of deployment clients; it defines both the criteria for being a member of the class and the set of content to deploy to members of the class
- You can define different server classes to reflect the different requirements, OSes, machine types, or functions of your deployment clients

Configuration Overview: Group the Deployment Clients into Server Classes
- Example: Windows and Linux universal forwarders
  - All forwarders get outputs.conf
  - Different inputs.conf files for Windows vs. Linux
  - Serverclass "all forwarders" distributes the outputs.conf file to all forwarders
  - Separate Windows and Linux serverclasses distribute the different inputs.conf files

Configuration Overview: Group the Deployment Clients into Server Classes
- Example (cont.), serverclass.conf:

    [global]
    restartSplunkd = false

    # ALL FORWARDERS
    [serverClass:all_forwarders]
    whitelist.0 = *
    blacklist.0 = searchhead.acme.com
    blacklist.1 = indexer.acme.com
    restartSplunkd = true

    [serverClass:all_forwarders:app:acme_all_outputs]

    # windows forwarders
    [serverClass:all_win_forwarders]
    # Match only Windows machines
    machineTypesFilter = windows-intel

    # nix forwarders
    [serverClass:all_nix_forwarders]
    # Match only Unix machines
    machineTypesFilter = linux-i686, linux-x86_64

    [serverClass:all_win_forwarders:app:acme_all_win_inputs]
    [serverClass:all_nix_forwarders:app:acme_all_nix_inputs]

Configuration Overview: Create the Directories for Your Deployment Apps
- Default location is: $SPLUNK_HOME/etc/deployment-apps
- Each app must have its own subdirectory as specified in serverclass.conf
- Naming convention should be as granular as possible

Configuration Overview: Create the Directories for Your Deployment Apps
- Configure the repositoryLocation attribute in serverclass.conf
- Configure the base config directories
  - acme_all_indexers_base
    - indexes.conf
    - inputs.conf
    - web.conf
    - server.conf
  - acme_all_searchheads_base
    - similar to above: define indexes, web, server configuration files
    - note: no inputs.conf here

Configuration Overview: Create the Directories for Your Deployment Apps
- Distinguish between organization configurations & apps vs. Splunk out-of-the-box configurations & apps
  - acme_all_forwarders_outputs
    - outputs.conf
  - TA-nix
    - out-of-the-box configuration files downloadable from splunk.com

Configuration Overview: Create the Directories for Your Deployment Apps
- Distinguish between internal departments
  - acme_it_db_inputs
    - inputs.conf
  - acme_finance_db_inputs
    - inputs.conf

Configuration Overview: Create a deploymentclient.conf for Your Deployment Clients
- Sample deploymentclient.conf:

    [deployment-client]

    [target-broker:deploymentServer]
    # Change the targetUri & port if needed
    targetUri = deploymentserver.acme.com:8089

Configuration Overview: Create a deploymentclient.conf for Your Deployment Clients
- Create an acme_all_deploymentclients app which:
  - Contains the deploymentclient.conf configuration file
  - Is installed on all deployment clients
  - Is located in deployment-apps/ on the deployment server
- Sample serverclass.conf:

    [serverClass:all_forwarders:app:acme_all_deploymentclients]

Warning: Only change this app on the deployment server if you intend to change deployment server locations

Advanced Configurations
- Deployment server with clustering and search head pooling
- Change phoneHomeIntervalInSecs in deploymentclient.conf
- Configure multiple deployment server instances (tenants.conf)?
- Tiered deployment server configuration?
- Multiple deployment servers (rsync way)?

Advanced Configurations: Deployment Server with Clustering and Search Head Pooling
- In a clustered configuration, you cannot use the deployment server to push apps to the cluster peers (i.e. indexers)
- In a search head pooling configuration, you can use the deployment server to push apps to the pool

Advanced Configurations: Change phoneHomeIntervalInSecs in deploymentclient.conf
- Default interval is 60 seconds
- Changing it to 600 can ensure less deployment time in large environments with many thousands of clients
- Sample stanza:

    [deployment-client]
    phoneHomeIntervalInSecs = 600

    [target-broker:deploymentServer]
    targetUri = deploymentserver.acme.com:8089

Advanced Configurations: Configure Multiple Deployment Server Instances (tenants.conf)
- Deprecated in Splunk Enterprise 6
- Has not been tested
- Is not supported
- Will almost certainly not work

Advanced Configurations: Tiered Deployment Server Configuration
- Has not been tested in Splunk Enterprise 6
- Is undocumented
- Is not supported
- Will almost certainly be buggy

Advanced Configurations: Multiple Deployment Servers (rsync Way)
- Has not been tested in Splunk Enterprise 6
- Is undocumented
- Is not supported
- Will probably work

Advanced Configurations: Multiple Deployment Servers (rsync Way)
- It is best practice to use multiple deployment servers, each located on its own Splunk server, where:
  - All changes are made within the master deployment server
  - All slave deployment servers receive their apps via rsync from the master


New in Splunk Enterprise 6
- More clients, fewer resources. According to internal performance testing, Splunk deployment server should be able to:
  - Handle more clients: ~7000 tested (Linux only) @ 50MB
  - Fast distribution time (T (minutes) = 0.0075 * C + 1.85)
  - Less resource utilization
    - Open files (FD)
    - Load average, memory, CPU
- Forwarder management UI

Tips & Tricks
- Just how does the conversation between the server and the client go?

    DS                                                        DC
    m0: <--------- "here are my apps' MD5s" ------------------
    m1: ---------- "your apps' MD5s should be" -------------->
        If actual MD5s == expected MD5s, stop. Else:
    m2: <--------- "give me app A" ---------------------------
    m3: ---------- "here is app A" -------------------------->
    m4: <--- "report: app=a action=install result=ok" --------
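The m0..m4 exchange above, modelled as an added example (not code from the presentation or from Splunk). The class names, the way the per-app MD5 is computed and the sample apps are assumptions made for illustration; the model also shows the earlier point that a changed file causes the whole app to be re-sent.

```python
import hashlib

def app_md5(files):
    """MD5 over an app's sorted (path, content) pairs. Assumed scheme, for illustration only."""
    h = hashlib.md5()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path] + b"\0")
    return h.hexdigest()

class DeploymentServer:              # hypothetical model of the DS side
    def __init__(self, apps):
        self.apps = apps             # app name -> {relative path: file bytes}
        self.reports = []            # m4 lines received from clients
    def expected_md5s(self):         # m1
        return {name: app_md5(files) for name, files in self.apps.items()}
    def send_app(self, name):        # m3: always the whole app, never one file
        return dict(self.apps[name])

class DeploymentClient:              # hypothetical model of the DC side
    def __init__(self, apps=None):
        self.apps = apps or {}

    def phone_home(self, server):
        # Runs one m0..m4 exchange and returns the messages that were sent.
        actual = {name: app_md5(files) for name, files in self.apps.items()}
        log = ["m0 DC->DS here are my apps' MD5s"]
        expected = server.expected_md5s()
        log.append("m1 DS->DC your apps' MD5s should be")
        if actual == expected:
            return log               # in sync: stop until the next interval
        # Apps the server no longer assigns are out of scope for this sketch.
        for name in sorted(expected):
            if actual.get(name) == expected[name]:
                continue
            log.append(f"m2 DC->DS give me app {name}")
            self.apps[name] = server.send_app(name)
            log.append(f"m3 DS->DC here is app {name}")
            report = f"report: app={name} action=install result=ok"
            server.reports.append(report)
            log.append(f"m4 DC->DS {report}")
        return log

def demo():
    # Constructed sample data: two apps, one of them stale on the client.
    outputs = {"default/outputs.conf": b"[tcpout]\ndefaultGroup = acme\n"}
    inputs_v1 = {"default/inputs.conf": b"[monitor:///var/log]\n"}
    inputs_v2 = {"default/inputs.conf": b"[monitor:///var/log]\nindex = os\n"}
    ds = DeploymentServer({"acme_all_outputs": outputs, "acme_all_nix_inputs": inputs_v2})
    dc = DeploymentClient({"acme_all_outputs": dict(outputs), "acme_all_nix_inputs": inputs_v1})
    first = dc.phone_home(ds)        # one app differs: m0..m4 for that app only
    second = dc.phone_home(ds)       # now in sync: stops after m1
    return first, second, ds.reports

if __name__ == "__main__":
    print("\n".join(demo()[0]))
```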

Tips & Tricks
- Configure a deployment server as early as possible in your installation process
  - It's beneficial to do so right after software install
- To refresh serverclasses you don't need a Splunk restart:

    ./splunk reload deploy-server

- List all your deployment clients and find out the last time they were successfully synced:

    ./splunk list deploy-clients

Tips & Tricks
- On a client, list the deployment server, if any:

    ./splunk list deploy-poll

- See what serverclasses are loaded:

    ls $SPLUNK_HOME/var/run/tmp

- See what apps are loaded within a serverclass; look for the .bundle file:

    ls $SPLUNK_HOME/var/run/tmp/all_forwarders

- Troubleshooting: increase logging when needed:

    # deployment server & client
    category.DC:HandshakeReplyHandler=INFO

Questions & Comments

Next Steps
1. Download the .conf2013 Mobile App. If not iPhone, iPad or Android, use the Web App.
2. Take the survey & WIN A PASS FOR .CONF2014, or one of these bags!
3. Go to "Best Practices and Lessons Learned from Splunk's Professional Services Team". Room: Brera 2&3, Level 3. Today, 1:45-2:45pm.

THANK YOU