Hi!
I have 4 Splunk servers (one per geographical location), each with combined Indexer and Search Head roles (yes, I know that it's not good, but I'm limited in the number of servers), and each server gets its own portion of events. The servers are united as search peers, so whatever search head you use, all data is searchable. However, all configuration is done manually on each server: index creation, listeners, apps and so on.
I can't use indexer clustering because it doubles (or even quadruples) the required storage and consumes the bandwidth of the links between locations. And currently I cannot use a Deployment server, because it requires a separate machine (I'm going to have about 2000 forwarders).
Are there any tricks on how to sync at least some configuration in this scenario? I was thinking about a shell script that would do a regular sync and server restart/reload, but I'm sure there are some other (better) ideas in this community.