Practice Exams:

SPLK-1003 Splunk Enterprise Certified Admin – Installation and Configuration of Splunk Components Part 5

  1. Configure Deployment Server From Splunk Web

We know by now that the deployment server is a centralized management console from which you can push configuration to any component of your Splunk infrastructure. Now we will see how to configure a deployment server. You do it by creating serverclass.conf, the configuration file that switches the deployment server feature on; it lives under $SPLUNK_HOME/etc/system/local on the instance that is going to act as deployment server. (Forwarder Management can also build server classes for you once at least one app exists in $SPLUNK_HOME/etc/deployment-apps, but it writes the same serverclass.conf; here we create the file ourselves.)

serverclass.conf belongs under etc/system/local only on the instance acting as deployment server; the other components in the infrastructure do not carry it. When we build our own enterprise-level Splunk architecture with high availability and multisite clustering on Amazon AWS (for learning purposes), we'll see how effective a deployment server is: tasks that a Splunk admin or architect would otherwise perform host by host are completed in a matter of minutes. Let us proceed and configure one Splunk instance as a deployment server by creating serverclass.conf. Before that, we'll log in to our deployment server; in this tutorial the deployment server and the license manager are the same server.

This is our deployment server's IP. By the way, do not try to log in to these instances: by the time you watch these videos they will have been terminated, and I'll be building a completely new lab setup. Once you enroll for the complete package of this tutorial you get access to a lab environment where you can run your searches, create dashboards and alerts, and see how the environment is performing; it is for your own search experience in Splunk and is free of cost with the entire package of this course. Now, this is our deployment server.

We have logged in and opened Settings > Forwarder Management. Forwarder management is another big topic in Splunk that we'll discuss at a later stage; this tutorial looks strictly at how to configure the deployment server. This is the default screen in the latest version as of today, Splunk 6.6.2. Notice that nothing here lets you turn the instance into a deployment server: the Forwarder Management menu has no option that enables the feature from the web console.

  2. Configure Deployment Server From Splunk Configuration Edit

Let us proceed and configure one of our Splunk instances hosted on Amazon AWS as a deployment server by creating a server class. I log in to the dedicated instance we have set aside as deployment server, as the application user (splunk), and check that Splunk is running. Yes, it is. Let us first confirm whether this instance has already been enabled as a deployment server, by logging in to Splunk Web.

As of now we have only one method: editing a configuration file, serverclass.conf. To check whether an instance is acting as a deployment server, go to Settings > Forwarder Management; the URL says deploymentserver, but we have not set one up yet. Let's go ahead and make this instance a deployment server. Back in the CLI, we go to $SPLUNK_HOME/etc/system/local (here /opt/splunk/etc/system/local). The file serverclass.conf, the configuration file responsible for making a Splunk instance act as a deployment server, does not exist yet. Create it and add these four lines: a [global] stanza and a server class. Let me go through them quickly.

How to create separate groups with the deployment server, deploy specific apps to them, and the full syntax, we'll deal with in a separate module. For now just remember these four lines. The [global] stanza whitelists all clients, and we create a server class (a group) called AllApps that whitelists everything as well, so whatever we put into it is deployed to every instance that phones home. You can call it a default configuration, but in production it should never be this open: with a wildcard whitelist, any host that can reach the management port and phone home is handed every app in the class, including any credentials those apps contain. Here it is just enough to enable this instance as our deployment server. Save the file and, since we have edited a configuration file, restart the deployment server.

Once it is back up you'll see the deployment server UI change completely: additional menus appear. Let us log in again. We now have the server class we created; server classes are nothing but groups of clients, and at present no applications are deployed. How to deploy applications to the groups and how to add clients we'll see in the following sessions, and later in the course we'll use the deployment server to create server groups, build apps for clients, and push configuration to them. Now let us see how to add a client that reports to our newly created deployment server. For every Splunk component, including the universal forwarder, there are two ways of doing it: the Splunk CLI, or editing a configuration file. Let us see them one by one.
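As an added example (this is not code from the course), the following POSIX shell script writes the four-line serverclass.conf the section describes into a directory you name, then audits it. The wildcard whitelist reproduces the lesson's configuration; the audit prints the [global] stanza and every server class that whitelists every client with no blacklist to narrow it, because such a class hands its apps to any host able to reach the management port and phone home. The directory, the class names and the sample patterns are assumptions for a lab host.

```shell
#!/bin/sh
# Added example (not from the course): stage the minimal serverclass.conf the
# lesson creates by hand, then audit it for server classes that admit every
# client. Paths and class names are assumptions for a lab host.

# write_serverclass DIR CLASS PATTERN
# Writes DIR/serverclass.conf: a [global] stanza that admits every client, plus
# one server class whose whitelist.0 is PATTERN ('*' reproduces the lesson;
# something like '10.0.1.*' or 'uf-*' scopes it to known hosts).
write_serverclass() {
    dir=$1
    class=$2
    pattern=$3
    cat > "$dir/serverclass.conf" <<EOF
[global]
whitelist.0 = *

[serverClass:$class]
whitelist.0 = $pattern
EOF
}

# audit_serverclass FILE
# Prints, one per line, the [global] stanza and every [serverClass:<name>]
# stanza whose whitelist is a bare '*' and that has no blacklist.N entry.
# Each name printed is a finding: the class deploys its apps to any host that
# can reach port 8089 and phone home. Stanzas of the form
# [serverClass:<name>:app:<app>] carry deployment settings, not client
# filters, so they are skipped.
audit_serverclass() {
    awk '
        /^\[global\][ \t]*$/ { cur = "global"; next }
        /^\[serverClass:[^]:]+\][ \t]*$/ {
            cur = $0
            sub(/^\[serverClass:/, "", cur)
            sub(/\][ \t]*$/, "", cur)
            next
        }
        /^\[/      { cur = ""; next }
        cur == ""  { next }
        /^[ \t]*whitelist\.[0-9]+[ \t]*=[ \t]*\*[ \t]*$/ { open[cur] = 1 }
        /^[ \t]*blacklist\.[0-9]+[ \t]*=/               { narrowed[cur] = 1 }
        END {
            for (c in open)
                if (!(c in narrowed)) print c
        }
    ' "$1" | LC_ALL=C sort
}

# Demo on a throwaway directory; the checks live in the functions so they can
# be pointed at a real $SPLUNK_HOME/etc/system/local/serverclass.conf too.
demo_dir=$(mktemp -d)
write_serverclass "$demo_dir" AllApps '*'
echo "stanzas that admit every client in the lesson's config:"
audit_serverclass "$demo_dir/serverclass.conf"
rm -rf "$demo_dir"
```

On a real deployment server, run audit_serverclass against /opt/splunk/etc/system/local/serverclass.conf (or the merged view from splunk btool serverclass list); an empty result means every class is scoped by a host pattern or a blacklist. Restricting network access to 8089 and replacing Splunk's default management certificate are the complementary controls the whitelist cannot provide.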

  3. Adding Clients to Deployment Server

Let us go back and see which of our Splunk instances are up. Our search head is up, so let us make it report to our deployment server. The search head is just another Splunk component whose configuration can be managed by the deployment server. I've logged in as the application user and confirmed that Splunk is up and running. Which method shall we use? Let us use the CLI: /opt/splunk/bin/splunk is the utility for adding, modifying, or removing any Splunk configuration. The command is splunk set deploy-poll, followed by the IP address of the deployment server and its management port, 8089 (let me quickly grab the IP). The utility asks for Splunk credentials, then reports that the configuration has been updated. Let us restart the client so it starts reporting to the deployment server.

This is one method of adding clients. The client reports to the deployment server, fetches its configuration, and that configuration is deployed on the instance, whether it is a search head, heavy forwarder, indexer, or universal forwarder. Let us see: our client has started talking to the deployment server. Once a client initiates the connection, the client count on the Forwarder Management page goes from zero to one. Let me validate the connection quickly. Yes, it is able to connect. In the meantime, let us add another deployment client.

While the search head is reporting, we'll make the universal forwarder installed on our Windows machine report to the newly created deployment server as well. Here too we could use the CLI. We know by now that Splunk home is C:\Program Files\SplunkUniversalForwarder, the utility is bin\splunk.exe, and the command is the same: splunk.exe set deploy-poll followed by the IP address and the management port. Hit Enter and it starts reporting to the deployment server. That is the complete command.

But this time we'll edit the configuration file, to cover the second method. Under C:\Program Files\SplunkUniversalForwarder\etc\system\local we create a new file, deploymentclient.conf. This file holds the address of your deployment server and makes sure the communication takes place. With the configuration changed, restart the universal forwarder. Keep in mind the two methods: the CLI (splunk.exe set deploy-poll IP:port) and editing deploymentclient.conf. Let us wait for the forwarder to come back up, then refresh the deployment server page and see whether the clients have reported.

Yes, one client has reported: the search head we added earlier. It usually takes a couple of minutes before a client pops up, because deployment clients communicate by "phoning home": each client contacts the deployment server at a fixed interval, 60 seconds by default. The value (phoneHomeIntervalInSecs in deploymentclient.conf) is customizable, say to one, five, or ten minutes, depending on your flexibility and architecture design. Let us check connectivity from our local universal forwarder. I don't have telnet installed; no issue, within a minute or so it should report to the deployment server. So this is basically it: we have created a deployment server.

We have created serverclass.conf on a Splunk Enterprise instance to make it act as a deployment server, and we saw that once serverclass.conf is in place the entire UI under Forwarder Management changes and gives us more information. To enrol clients you have two methods: the Splunk CLI (splunk set deploy-poll IP:management-port), or editing configuration, where you add deploymentclient.conf under etc/system/local to make the instance report to the deployment server. Now my local PC has successfully reported as well. We have set up a deployment server and added multiple clients, so it can talk to them and deploy configuration.

  4. Universal Forwarder Output Configuration: CLI and Configuration Edit

We have seen in previous tutorials how to install the universal forwarder. Now let us make it send logs to our Splunk indexer. The universal forwarder is a lightweight package without a web console, so it is configured entirely by editing configuration files or with the Splunk CLI. Let us look at both ways. This is the universal forwarder installed on my laptop, which is supposed to send logs to our indexer in the cloud; the indexer is running. From the previous tutorials you should know that we have already enabled receiving on that instance, making it an indexer, and created indexes to hold the incoming data. The first method is the CLI.

We invoke the utility: splunk.exe add forward-server followed by the indexer's IP and its receiving port. In the earlier tutorial on configuring an indexer we set up a receiver on it; we can validate that quickly by logging in to the indexer as the application user, splunk, verifying that Splunk is up, and checking whether port 9997 is in use by Splunk.

Yes, our splunkd process is listening on port 9997. So this is one way of sending the logs collected locally by the universal forwarder to the indexer: the parameter is in the form IP:9997, the command asks for the universal forwarder's login, and after a successful login the forward server is added. On Linux the equivalent is /opt/splunk/bin/splunk add forward-server followed by the IP of your indexer and the listening port. Instead of the CLI you can edit the configuration directly: in Splunk home, C:\Program Files\SplunkUniversalForwarder\etc\system\local, the file is outputs.conf. Open outputs.conf and you'll see the configuration the command created: a tcpout group, the same default-autolb-group we saw with the heavy forwarder, which auto-load-balances across the servers listed in it.

If we have multiple indexers, we list them in the server setting separated by commas, each with its receiving port. Since we have only one indexer we'll leave it as is; multiple indexers, clustering, and all those complex concepts, including deploying configuration with the deployment server, we'll see when building our own enterprise-level multisite indexer clustering on Amazon AWS. For simplicity, just remember that this is our indexer configuration: the IP and port in outputs.conf. Whenever you change it, make sure you restart the forwarder (splunk.exe restart). One caveat worth keeping in mind: unless TLS is configured on both sides, in inputs.conf on the indexer and outputs.conf on the forwarder, this stream travels over port 9997 in cleartext. So, as mentioned earlier, there are two methods: the CLI, or directly editing outputs.conf.
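As an added example (not the course's code), the following POSIX shell script renders the two client-side files this section and the previous one edit by hand on a forwarder, deploymentclient.conf and outputs.conf, and then checks them for the two mistakes that most often keep a client from reporting or leave its data exposed: a deploy-poll target on the receiving port instead of the management port, and a tcpout group that does not verify the indexer's certificate. The hosts (10.0.0.x), the certificate paths and the directory are assumptions; the functions are the equivalents of splunk set deploy-poll and splunk add forward-server.

```shell
#!/bin/sh
# Added example (not from the course): render deploymentclient.conf and
# outputs.conf for a forwarder and sanity-check them. Hosts, ports, paths and
# certificate locations are assumptions for a lab.

# write_deploymentclient DIR DS_HOST [DS_PORT] [INTERVAL]
# Equivalent of 'splunk set deploy-poll DS_HOST:DS_PORT'. The port is the
# deployment server's management port (8089 by default), not a receiving port.
write_deploymentclient() {
    dir=$1
    ds_host=$2
    ds_port=${3:-8089}
    interval=${4:-60}    # phoneHomeIntervalInSecs defaults to 60 seconds
    cat > "$dir/deploymentclient.conf" <<EOF
[deployment-client]
phoneHomeIntervalInSecs = $interval

[target-broker:deploymentServer]
targetUri = $ds_host:$ds_port
EOF
}

# write_outputs DIR SERVERS [SSL]
# Equivalent of 'splunk add forward-server host:9997' for each entry in
# SERVERS (comma separated host:port, as outputs.conf expects). With SSL=yes
# the group also gets the TLS settings that encrypt the stream and verify the
# indexer certificate; the .pem paths are placeholders for this example.
write_outputs() {
    dir=$1
    servers=$2
    ssl=${3:-no}
    {
        printf '[tcpout]\ndefaultGroup = default-autolb-group\n\n'
        printf '[tcpout:default-autolb-group]\nserver = %s\n' "$servers"
        if [ "$ssl" = yes ]; then
            printf 'sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem\n'
            printf 'sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem\n'
            printf 'sslVerifyServerCert = true\n'
        fi
    } > "$dir/outputs.conf"
}

# check_deploymentclient FILE
# Prints "ok" when targetUri is host:port on a management port, otherwise a
# message naming the problem. Pointing deploy-poll at the indexer's receiving
# port (9997) is the classic typo: the client never shows up in Forwarder
# Management because nothing on that port speaks the management protocol.
check_deploymentclient() {
    uri=$(awk -F= '/^[ \t]*targetUri[ \t]*=/ {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$1")
    case $uri in
        "")        echo "missing targetUri" ;;
        *:9997)    echo "targetUri $uri points at a receiving port, not the management port" ;;
        *:[0-9]*)  echo "ok" ;;
        *)         echo "targetUri $uri is not host:port" ;;
    esac
}

# check_outputs FILE
# Lists every [tcpout:<group>] stanza without 'sslVerifyServerCert = true'.
# Such a group sends in cleartext, or encrypts to whatever answers on the port.
check_outputs() {
    awk '
        /^\[tcpout:[^]]+\][ \t]*$/ {
            grp = $0
            sub(/^\[tcpout:/, "", grp); sub(/\][ \t]*$/, "", grp)
            groups[grp] = 1; next
        }
        /^\[/ { grp = ""; next }
        grp != "" && /^[ \t]*sslVerifyServerCert[ \t]*=[ \t]*true[ \t]*$/ { verified[grp] = 1 }
        END { for (g in groups) if (!(g in verified)) print g }
    ' "$1" | LC_ALL=C sort
}

# Demo on a throwaway directory with the lesson's shape: one deployment
# server, two indexers, no TLS (so the second check reports the group).
demo_dir=$(mktemp -d)
write_deploymentclient "$demo_dir" 10.0.0.5
write_outputs "$demo_dir" "10.0.0.10:9997,10.0.0.11:9997"
echo "deploymentclient.conf: $(check_deploymentclient "$demo_dir/deploymentclient.conf")"
echo "tcpout groups without server-cert verification: $(check_outputs "$demo_dir/outputs.conf")"
rm -rf "$demo_dir"
```

Point the two check functions at a forwarder's etc/system/local to validate what the CLI or a manual edit produced; both files take effect only after a restart, as the section says. The outputs.conf check is deliberately strict: a group with sslCertPath but without sslVerifyServerCert = true still passes the lesson's test (events arrive), yet it does not prove the forwarder is talking to your indexer.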

Once the indexer starts receiving, we should be able to search the data from our search head, as soon as the universal forwarder has restarted. Let me log in to the search head. (There is a message about the deployment server; we can ignore it for now.) Let us see whether we are receiving the logs sent from the universal forwarder: search index=* over the last 24 hours. We have about 310 events in a couple of minutes. As you can see, they come from my local laptop: CPU load, network interface, and available memory, collected by scripted inputs running on the universal forwarder and sent to our indexer, where the search head finds them. This confirms the universal forwarder's configuration to our indexer.

  5. Splunk License Manager Configuration

The final discussion of this module is uploading our license to the installed Splunk component that acts as our license manager (the license master, in this version's terminology). In our scenario the deployment server will also be the license manager. You will see that the process is very easy, and the license manager can be a search head, an indexer, the deployment server, or even the cluster master. To begin with, have your license at hand, from the email or downloaded from the Splunk portal. I don't have it yet, so I'll download it from splunk.com. In our previous tutorials we saw how to get the free developer license of 10 GB per day.

It is delivered in two ways: via email, and from the portal, where you can log in any time and download it. I'm logging in. Go to Instances; it takes you to a separate portal listing all the licenses you hold, valid and expired. Then go to the customer portal (you can open it directly by link, or from the homepage via your profile), click My Licenses, and there is the license that is currently valid. Either copy it or download it as XML. For this tutorial I'll show both: I've downloaded the XML and also copied its contents to my clipboard. Then I'll log in to my deployment server.

Yes, this is our deployment server. Here you have two methods of applying the license. The first is Splunk Web. The other is to upload the license file to the server, copy it into $SPLUNK_HOME/etc/licenses, and add it from the CLI (splunk add licenses <file>); Splunk Web is the simpler one. Go to Settings > Licensing; it has multiple options; click Add license. You can paste the license copied from the portal, or upload the XML using the Browse button. I'll paste and click Install. It says a restart is required, so go ahead and restart. Once restarted, you have a complete Splunk instance with a 10 GB/day license, which you can use for learning and also for reproducing and troubleshooting issues on the community.

If somebody uploads a sample file, you can load those sample logs into your own instance and assist people on the community. This 10 GB license is very valuable when you are starting out: you get the complete set of Splunk Enterprise features with it. So now we have added our license. I've logged back in after the restart; let me check Licensing. As you can see, I have a Splunk Developer Personal License, valid until 20 September of this year, and today we have not used much of our 10 GB quota.

  6. Splunk Licensing Pool and Client Configuration

We have seen how to download the license and upload it to our license manager. Next there is something called license pools, and assigning license quota to a specific pool. Just below your license bar there is a button to add a pool, for example "Main site indexers": a quota reserved for my main-site indexers only. This is nothing but a logical separation. Say I have a 10 GB license; I can give 8 GB to my main site and 2 GB to other components, or 5 GB to the main-site indexers and 5 GB to the other indexers, if I have any. You can limit by a specific amount or by specific criteria for certain groups.

As of now we have only one indexer, so only one is eligible. You would select all your main-site indexers that are available and make them one group. For now I'll click Cancel, but this is how the concept works: you create a new pool and assign a specific amount of license to a specific group of indexers. Now we have added this license.

Let's make our indexers report to this license manager, that is, the master: I need my other Splunk instances, the indexer and the search head, to report to it for licensing. I'm logging in to my indexer. As you can see, this indexer currently has a 500 MB/day license: it has no Enterprise license, only the trial license that comes with the installation package. Earlier we saw how to make an instance a license manager by adding a license to it; now, since we already have a license manager, we'll make this indexer a license slave that reports to it. What is our license manager's IP?

This is the IP, and the port is the management port, 8089. We have pointed this indexer at our new license manager. Let's restart it. Once restarted, we'll see the consumption of this indexer right below the license bar on the manager, giving a good view of how much it is consuming. Similarly, we can make our search heads, other indexers, and heavy forwarders report to the license manager, so that license calculation and tracking happen in one place and give the overall picture. Let me restart once more from the CLI, so we can tell when the restart actually completes, instead of the web page that just keeps reloading. As you can see, our indexer has already started reporting: it has consumed about 46 MB.

We are unable to load the GUI just yet; once the instance is up we should be able to. (The host ending in 14.239 is our indexer.) Now it is up; let us reload and log in. Once logged in, the Licensing page of the indexer no longer shows any license details of its own, only a URL pointing to the license manager. Under Settings > Licensing it shows this instance's name and the License Master URI; for anything more about licensing, go to that server. Back on the license manager, after refreshing the page, the indexer has consumed about 46 MB of our 10 GB license: our local universal forwarder, installed on my laptop and sending data to the cloud, has produced around 46 MB of data so far.