The agent management is a tool for managing data collection agents. It enables fleet monitoring, including health and status tracking, remote configuration and application deployment, agent version upgrades, and troubleshooting. It retains the core functionality of the deployment server, allowing distribution of configurations, apps, and content updates to groups of Splunk Enterprise instances including forwarders, non-clustered indexers, and search heads. Agent management supports multiple agent types, such as OTel Collectors. The list of supported types of agents will be expanded in the future.

The agent management is just a Splunk Enterprise instance that has been configured to manage the update process across sets of other Splunk Enterprise instances. Depending on the number of instances it's deploying updates to, the agent management instance might need to be dedicated exclusively to managing updates. For more information, read Plan a deployment.

The agent management handles configuration and content updates to existing Splunk Enterprise installations. You cannot use it for initial or upgrade installations of Splunk Enterprise or the universal forwarder. To learn how to install and deploy Splunk Enterprise, see Step-by-step installation procedures for full Splunk Enterprise and Install the universal forwarder software for the Splunk Enterprise universal forwarder. To learn how to upgrade your deployment to a new version of Splunk Enterprise, see Upgrade your distributed Splunk Enterprise deployment in the Installation Manual.

The interface of agent management provides an easy way to configure the agent management and monitor the status of deployment updates. Although its primary purpose is to manage large groups of forwarders, you can use the interface to configure the agent management for any update purposes, including managing and deploying updates to non-clustered indexers and search heads. For more information, see Agent management UI overview.

Agent management is not required for managing forwarders and other Splunk Enterprise instances. If you prefer, you can use a third-party tool, such as Chef, Puppet, Salt, or one of the Windows configuration tools.

The agent management makes it possible to group Splunk Enterprise components by common characteristics and then distribute content based on those groups.

For example, if you've got Splunk Enterprise instances serving a variety of different needs within your organization, it's likely that their configurations vary depending on who uses them and for what purpose. You might have some instances serving the help desk team, configured with a specific app to accelerate troubleshooting of Windows desktop issues. You might have another group of instances in use by your operations staff, set up with a few different apps designed to track network issues, security incidents, and email traffic management. A third group of instances might serve the Web hosting group within the operations team.

Rather than trying to manage and maintain these divergent Splunk Enterprise instances one at a time, you can group them based on their use, identify the configurations and apps needed by each group, and then use the agent management to update their apps and configurations when needed.

In addition to grouping Splunk Enterprise instances by use, there are other useful types of groupings you can specify. For example, you might group instances by OS or hardware type, by version, or by geographical location or timezone.

A key use case is to manage configurations for groups of forwarders. For example, if you have forwarders residing on a variety of machine types, you can use the agent management to deploy different content to each machine type. The Windows forwarders can get one set of configuration updates; the Linux forwarders another, and so on.

You cannot use agent management to update indexer cluster peer nodes or search head cluster members.