Plan a deployment
To set up agent management, you must configure both agent management and the agents. Most configuration occurs on the agent management side. You need to perform the following tasks:
- Configure the agents to connect to agent management.
- Create directories on agent management to hold the deployment apps and populate them with content.
- Create mappings between agents and app directories (the server classes).
The order in which you perform these tasks is, to some degree, up to you, although a suggested procedure is described later in this topic, in The basic steps.
After you set up the agents, the app directories, and the mappings, you can populate the app directories with content. At any time, you can tell agent management to distribute new or updated content from the app directories to the agents they're mapped to.
The system requirements of agent management
The machine requirements of agent management
Because of high CPU and memory usage during app downloads, run the agent management instance on a dedicated machine.
Operating system compatibility
Currently, the OTel Collectors fleet overview, which is part of the Open Telemetry agent management functionality, is supported only by Unix agent management. Support for all Open Telemetry agent management features on the Windows platform is planned for the future.
Use Unix agent management to update Unix agents. Apps that employ scripted inputs, alerts, search commands, and so on, can run into permissions problems when you deploy them from Windows to Unix. Specifically, scripts and other programs will not be set to be executable upon delivery to the Unix agents.
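One way to detect the permissions problem described above on a Unix agent is to look for delivered files that begin with a `#!` interpreter line but lack the owner execute bit. This is an added example, not code from the Splunk documentation; the function names and the sample app layout (`sample_app/bin`) are hypothetical.

```python
import os
import stat


def non_executable_scripts(app_dir):
    """Return relative paths of files that start with '#!' but lack the owner execute bit."""
    findings = []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                with open(path, "rb") as fh:
                    is_script = fh.read(2) == b"#!"
            except OSError:
                continue  # unreadable file: nothing to conclude
            if is_script and not st.st_mode & stat.S_IXUSR:
                findings.append(os.path.relpath(path, app_dir))
    return sorted(findings)


def build_sample_app(base):
    """Constructed sample: one script delivered without the execute bit, one with it."""
    bin_dir = os.path.join(base, "sample_app", "bin")
    os.makedirs(bin_dir)
    for name, mode in (("collect.sh", 0o644), ("alert.py", 0o755)):
        path = os.path.join(bin_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        os.chmod(path, mode)
    return os.path.join(base, "sample_app")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for rel in non_executable_scripts(build_sample_app(tmp)):
            print("not executable:", rel)
```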
Agent version compatibility
Agent management is compatible with agents that run a supported version of Splunk software.
For Splunk Enterprise version 10.0.0 and higher, the following table lists specific version support.
Agent management version | Compatible agent versions |
---|---|
10.x | 8.1.x, 8.2.x, 9.x, 10.x |
Agent management and other roles
For most deployments, agent management must run on a dedicated Splunk Enterprise instance that is not serving as an indexer or a search head. The exception is when agent management has only a small number of agents, that is, 50 or fewer. Under those limited circumstances, it is possible for an indexer or search head to double as agent management.
Alternatively, you can host any of the following management components on agent management, but only if agent management has 50 or fewer agents:
Don't collocate agent management and an indexer cluster manager node under any circumstances.
A cluster manager node and an agent management both consume significant system resources while performing their tasks. The manager node needs reliable and continuous access to resources to perform the ongoing management of the cluster, and the agent management can easily overwhelm those resources while deploying updates to its agents.
For more information about agent management sizing, see Estimate agent management performance.
For a general discussion of management component collocation, see Components that help to manage your deployment in the Distributed Deployment Manual.
What to configure
You need to configure both agent management and the agents:
- On each agent you specify its agent management by invoking a CLI command, by directly editing a configuration file, or (on Windows universal forwarders only) during installation.
- On agent management you create directories in which the deployment apps will live. You can then use agent management to define server classes that encapsulate the client/app mappings.
The basic steps
To set up agent management, you need to perform several steps on both the agents and agent management. Although the order of the steps is optional to some degree, here's a recommended order:
1. Determine your remote configuration needs. Questions to ask include:
   - What types of Splunk Enterprise components do I want to configure remotely? For example, forwarders, indexers.
   - Within each component type, what characteristics dictate the configuration needs? For example, machine type, geographic location, application.
2. Group your agents by their configuration needs.
   You can group agents by application, machine type, or any other criteria that make sense for your deployment topology. An agent can be a member of multiple groups. For example:
   - Agent-A might be a member of the linux-x86_64 machine type, the north-american geographic location, and the security application groups.
   - Agent-B might be a member of the windows-intel machine type, the asian geographic location, and the security application groups.
   These groups form the basis for your server classes. A server class maps a group of agents to sets of content (in the form of deployment apps) that get deployed to them. An agent can belong to multiple server classes. For guidance on the ways that you can group agents into server classes, see About server classes.
3. Choose one of your Splunk Enterprise instances to be agent management. The agent management capability is automatically enabled on Splunk Enterprise, so there is nothing you need to do in this step, beyond choosing the instance. This is the instance where you will place the downloadable content and define your server classes. Agent management distributes content updates to its set of agents.
   In most cases, agent management requires a dedicated Splunk Enterprise instance. For information about the system requirements, see The system requirements of agent management.
   Note: Agent management cannot be an agent of itself. If it is, the following error will appear in splunkd.log: "This DC shares a Splunk instance with its DS: unsupported configuration".
4. On each agent, specify agent management chosen in step 3. For more details, see Configure agents. You can add more agents later.
5. On the file system of agent management, create directories for the deployment apps that will hold the content you plan to distribute to agents. Put the app content into those directories, either now or later. For more details, see Create deployment apps. You can add more deployment apps later.
   Note: In most cases, the agent management interface can handle the server class configuration. For some unusual situations, you might need to directly edit the underlying configuration file. No matter whether you use the interface or directly edit the configuration file, the basic steps are the same.
Once you've completed this configuration process, you can start distributing content to the agents. For information on how to deploy new content to agents, see Deploy apps to agents.
SSL encryption
SSL encryption using default certificates is enabled by default. If you change the SSL configuration on agent management, you must change it on its agents as well. Agent management and its agents must agree on the SSL settings for their splunkd management ports. They must all have SSL enabled, or they must all have SSL disabled.
To disable the SSL configuration on a Splunk Enterprise instance, set the enableSplunkdSSL attribute in server.conf to "false":
[sslConfig]
enableSplunkdSSL = false
For detailed information on using SSL with agent management, see "Securing agent management and clients" in the Securing Splunk manual.
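The all-enabled-or-all-disabled rule above can be checked before a change is rolled out. The following is an added example, not code from the Splunk documentation: it assumes you have collected each instance's merged server.conf settings as text (for example, the output of `splunk btool server list sslConfig`), and the agent names and sample contents are constructed.

```python
def splunkd_ssl_enabled(conf_text):
    """Return True/False for enableSplunkdSSL in [sslConfig], or None if unrecognized.

    A missing setting counts as True, because SSL is enabled by default.
    """
    stanza = None
    value = "true"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        if stanza == "sslConfig" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "enableSplunkdSSL":
                value = val.strip().strip('"').lower()
    # Assumption: only these spellings are treated as valid booleans here;
    # anything else is reported as None so that it gets a manual review.
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    return None


def ssl_mismatches(manager_conf, agent_confs):
    """Return {agent: state} for agents that differ from agent management or are unrecognized."""
    expected = splunkd_ssl_enabled(manager_conf)
    mismatches = {}
    for name, text in agent_confs.items():
        state = splunkd_ssl_enabled(text)
        if state is None or state != expected:
            mismatches[name] = state
    return mismatches


# Constructed sample settings, not taken from a real deployment.
MANAGER = "[sslConfig]\nenableSplunkdSSL = true\n"
AGENTS = {
    "agent-a": "[general]\nserverName = agent-a\n",        # no setting: default applies
    "agent-b": "[sslConfig]\nenableSplunkdSSL = false\n",  # disabled on this agent only
    "agent-c": "[sslConfig]\nenableSplunkdSSL = ture\n",   # typo in the value
}

if __name__ == "__main__":
    for name, state in ssl_mismatches(MANAGER, AGENTS).items():
        print(name, "->", state)
```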