In the "Architecting and Deploying Splunk" training course, there is the following comment on having a deployment server and a search head on the same physical box:
"[Deployment server] can be shared with another component (e.g. search head) if there is low load and capacity on the other box
– Make sure to run it as a separate Splunk instance"
But why do we have to run the deployment server as a separate Splunk instance?
Here is my line of logic:
Everything a deployment server cares about is under this directory:
$HOME/splunk/etc/deployment-apps
Everything the search head cares about is under this directory:
$HOME/splunk/etc/apps/search
( and possibly some additional apps under $HOME/splunk/etc/apps )
From a configuration point of view, these two areas don't interfere with each other. So, are there other reasons why they cannot coexist in one Splunk instance? What would happen if they do?
Thanks!
No idea. We run search and deployment on the same server as part of the same service, have done for 5 years, and have never had difficulties. My guess would be future-proofing in case there was a later need to segregate the two for capacity reasons.
You can run both on the same server. It really depends on the number of users and the number of servers you are trying to manage.
BTW. The apps the search server cares about is in etc/apps. If you were to deploy to the searchhead it would basically copy from etc/deployment-apps to etc/apps.
No idea. We run search and deployment on the same server as part of the same service, have done for 5 years, and have never had difficulties. My guess would be future-proofing in case there was a later need to segregate the two for capacity reasons.