If I told you that a fully operational Splunk Enterprise deployment in AWS could be yours in a matter of minutes, would you be interested? Sit down, relax, and I’ll tell you all you need to know to have a Splunk Enterprise deployment ready to index; fully configured with indexer replication and search head clustering in less than an hour.
Late last year, I wrote a deployment guide for Splunk Enterprise on AWS that explains your options when deploying Splunk Enterprise in AWS. Today, it gets better: I’m happy to report that document has been expanded upon, and Splunk has released an official Splunk Enterprise AWS Quick Start.
If you’re not familiar with AWS Quick Start, the underlying principle is to help the end user rapidly deploy reference implementations of software solutions on AWS. In addition to the updated deployment doc, the Splunk Enterprise Quick Start includes a CloudFormation template. (CloudFormation is an AWS service that provides a predictable, automated way to create and manage a collection of related AWS resources.) The template will ask a few of questions about how you would like to deploy Splunk; which instance type, how many indexers, the replication factor for your indexer cluster, etc. There are options to provision in a new VPC or an existing VPC, and appropriate subnet configurations for both. The following screenshot shows most of the questions asked when deploying to a new VPC.
Once you’ve answered each of the questions, CloudFormation takes over and provisions your requested Splunk Enterprise deployment. (Depending on the options you’ve chosen, the launch time varies between about 10-30 minutes.) Cloudformation creates everything you need from your security groups and VPC ACLs, to configuring the Splunk indexing cluster and search head(s), with optional support for a search head cluster. The template even configures distributed search as well as creating a license master and cluster master. It has everything you’ll need to get started with your Splunk Enterprise deployment.
Taking a closer look, if you were to launch the template with the new VPC option, and select an indexer cluster with 3 nodes and a search head cluster, the architecture would look something like this:
Each and every Splunk deployment is a special snowflake as unique as the fingerprints of the team deploying it. The aim of this Quick Start is to give you a fantastic place to start. These templates are designed to be expanded upon and tailored to your specific needs.
In the end, I want you to spend as much time as possible enjoying the benefits of what Splunk can do. I hope this helps you spend less time deploying and more time enjoying.
If you have questions or comments, I’d love to hear them in the comment section below. If you happen to find a bug, you can report them via GitHub.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.