{"id":20303771,"url":"https://github.com/jmaas/splunk-configs-clustering","last_synced_at":"2026-03-19T15:09:30.543Z","repository":{"id":80587290,"uuid":"250337885","full_name":"jmaas/splunk-configs-clustering","owner":"jmaas","description":"Splunk configurations for a clustered architecture","archived":false,"fork":false,"pushed_at":"2023-01-10T15:28:36.000Z","size":39,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-27T05:43:54.856Z","etag":null,"topics":["splunk","splunk-enterprise"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jmaas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-26T18:20:12.000Z","updated_at":"2025-01-25T07:40:58.000Z","dependencies_parsed_at":"2023-03-12T11:28:43.250Z","dependency_job_id":null,"html_url":"https://github.com/jmaas/splunk-configs-clustering","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jmaas/splunk-configs-clustering","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jmaas%2Fsplunk-configs-clustering","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jmaas%2Fsplunk-configs-clustering/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jmaas%2Fsplunk-configs-clustering/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jmaas%2Fsplunk-configs-clustering/manife
sts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jmaas","download_url":"https://codeload.github.com/jmaas/splunk-configs-clustering/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jmaas%2Fsplunk-configs-clustering/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29612510,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-19T10:52:55.328Z","status":"ssl_error","status_checked_at":"2026-02-19T10:52:26.323Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["splunk","splunk-enterprise"],"created_at":"2024-11-14T16:40:37.072Z","updated_at":"2026-02-19T12:02:25.425Z","avatar_url":"https://github.com/jmaas.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"\nThis repository contains several basic configuration files required\nby recent Splunk versions. 
Version used for testing is Splunk 9.0.0.\nThe instructions and files included in this repository allow you to \nset up a clustered environment relatively easily.\n\n# Reference Architecture\nThis repository is based on an architecture I have running in my home lab.\nThe references to the hostnames should be replaced with the equivalents in your environment.\n\n- 3x indexer cluster (`splunk-idxN`)\n- 1x single-node cluster search head (`splunk-shN`)\n- 1x universal forwarder (`splunk-ufN`)\n- 1x management server (`splunk-mgt`) with roles:\n\t- license master\n\t- cluster master\n\t- monitoring console\n\t- deployer\n\n# Manual Installation\nRepeat all steps for every Splunk instance type in your architecture except for the Universal Forwarder instance (`splunk-ufN`).\n\n## Splunk Enterprise\n- install Splunk Enterprise using the package (rpm, deb, tgz) that best fits your environment\n- switch to splunk user `sudo su - splunk` (when using tgz create user/group manually first)\n- accept license and set up the admin account `$SPLUNK_HOME/bin/splunk start --accept-license` \n- stop splunk `$SPLUNK_HOME/bin/splunk stop`\n\n## Operating System\n\n### Systemd based systems\n- copy `systemd/disable-thp.service` over to `/etc/systemd/system/`\n- copy `systemd/splunkd.service` over to `/etc/systemd/system/`\n- make sure you don't `enable boot-start`, just to be sure `rm -f /etc/init.d/splunk`\n- reload systemd unit files from disk `systemctl daemon-reload`\n- enable the disable-thp service `systemctl enable disable-thp.service`\n- enable the splunkd service `systemctl enable splunkd.service`\n- start disable-thp `systemctl start disable-thp.service`\n- start splunk `systemctl start splunkd.service`\n\n### Sysvinit based systems\n- copy `sysvinit/99-splunk.conf` over to `/etc/security/limits.d/`\n- disable THP `cat sysvinit/rc.local \u003e\u003e /etc/rc.local`\n- start splunk on boot `/opt/splunk/bin/splunk enable boot-start -user splunk`\n- start splunk `/etc/init.d/splunk 
start`\n\n## Verification\nVerify that THP is disabled, please note that the output provided here is from CentOS 8.2.\n```\n[splunk@splunk-mgt ~]$ cat /sys/kernel/mm/transparent_hugepage/defrag\nalways defer defer+madvise madvise [never]\n[splunk@splunk-mgt ~]$ cat /sys/kernel/mm/transparent_hugepage/enabled\nalways madvise [never]\n```\n\nVerify that Splunk is not complaining about ulimits:\n```\n[root@splunk-idx3 ~]# grep limit /opt/splunk/var/log/splunk/splunkd.log | tail -n 12\n09-15-2020 11:14:34.800 +0200 INFO  ulimit - Linux vm.overcommit setting, value=\"0\"\n09-15-2020 11:23:24.781 +0200 INFO  ulimit - Limit: virtual address space size: unlimited\n09-15-2020 11:23:24.781 +0200 INFO  ulimit - Limit: data segment size: unlimited\n09-15-2020 11:23:24.781 +0200 INFO  ulimit - Limit: resident memory size: unlimited\n09-15-2020 11:23:24.781 +0200 INFO  ulimit - Limit: stack size: 8388608 bytes [hard maximum: unlimited]\n09-15-2020 11:23:24.781 +0200 INFO  ulimit - Limit: core file size: unlimited\n09-15-2020 11:23:24.781 +0200 INFO  ulimit - Limit: data file size: unlimited\n09-15-2020 11:23:24.781 +0200 INFO  ulimit - Limit: open files: 64000 files\n09-15-2020 11:23:24.781 +0200 INFO  ulimit - Limit: user processes: 16000 processes\n09-15-2020 11:23:24.781 +0200 INFO  ulimit - Limit: cpu time: unlimited\n09-15-2020 11:23:24.782 +0200 INFO  ulimit - Linux transparent hugepage support, enabled=\"never\" defrag=\"never\"\n09-15-2020 11:23:24.782 +0200 INFO  ulimit - Linux vm.overcommit setting, value=\"0\"\n```\n\n# Configuration Apps\nApps are used as configuration bundles for the different instance roles in your environment.\n\n## Master apps\nThese apps are installed on the `cluster master` in `/opt/splunk/etc/manager-apps` and pushed to all indexers.\n\n- `cfg_base`: disables webserver in web.conf\n- `cfg_indexes`: custom indexes should be defined here, includes examples\n- `cfg_inputs`: enables the inputs on the indexers\n- `cfg_license`: configures the 
license client\n\n\n## Search-head Apps\nThe search head apps are installed on the `deployer` in `/opt/splunk/etc/shcluster/apps` and pushed to all search-heads.\n\n- `cfg_outputs`: disables indexing on the SH and forwards data to the indexers\n- `cfg_license`: configures the license client\n\n\n## Deployment apps\nDeployment apps are installed on the `deployment server` in `/opt/splunk/etc/deployment-apps` and pushed to all forwarders.\n \n- `cfg_outputs`: sets up forwarding to the indexers\n\n# Notes\nInstructions for the most common tasks are provided in the `notes/` directory.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjmaas%2Fsplunk-configs-clustering","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjmaas%2Fsplunk-configs-clustering","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjmaas%2Fsplunk-configs-clustering/lists"}