Understanding Splunk Architecture
To understand how to implement Splunk and how Splunk works, it is necessary to first understand the Splunk architecture and its components. Splunk is mainly a combination of four components which work together to provide the full functionality. We can install all of the components on a single server, or each component on a different server, as our performance needs dictate. So let's first go through a basic introduction to the Splunk components.
Below are the components of the Splunk architecture:
1) Search Head --> The Splunk search head is basically the GUI for Splunk, where we can search, analyse and report.
2) Forwarder --> The Splunk forwarder is the Splunk component which works like an agent for Splunk. It collects data from different sources such as Windows servers, Linux servers, routers, firewalls etc. and forwards the collected data to the indexer for indexing.
There are two types of Splunk forwarder, as below:
a) Universal forwarder (UF) - Splunk agent installed on a non-Splunk system to gather data locally; it can't parse or index data.
b) Heavy weight forwarder (HWF) - a full instance of Splunk with advanced functionality.
- Generally works as a remote collector, intermediate forwarder, and possible data filter. Because they parse data locally, they are not recommended on production systems.
3) Indexer --> The indexer is the Splunk Enterprise component that creates and manages indexes. The primary functions of an indexer are:
- Indexing incoming data
- Searching the indexed data
Below are the stages in which the Splunk indexer processes logs and stores them for searching later.
4) Deployment Server --> The Splunk deployment server is a full Splunk instance used to host and deploy apps to the different components within the Splunk infrastructure. It is most often used to deploy technology add-ons to forwarders and indexers for index-time knowledge.
5) Licensing server --> The licensing server manages and monitors license usage. It can be installed on any of the above mentioned servers.
- We will see the installation and configuration of each component in detail in the next few chapters. Below are Splunk architecture diagrams which show the Splunk component connections and the ports used by them for intercommunication.
- Splunk component intercommunication ports used:
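To make the data path between these components concrete, here is an added example of the configuration stanzas that wire a universal forwarder through a heavy forwarder to the indexer tier, with the forwarder also phoning home to a deployment server. This is example configuration written for this page, not configuration from the original tutorial or from Splunk's own documentation; the hostnames (hwf1.example.com, indexer1.example.com, deploy.example.com), the index name os_linux, the sourcetype linux_secure and the monitored file path are all assumptions, and 9997 is assumed as the receiving port. Each labelled section belongs in its own file under $SPLUNK_HOME/etc/system/local/ (or an app's local/ directory) on the named component.

```ini
# ===== Universal forwarder: inputs.conf (what to collect) =====
# Assumed file path, index and sourcetype. The UF only reads and forwards;
# it does not parse, so no props/transforms stanzas go here.
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os_linux

# ===== Universal forwarder: outputs.conf (where to send) =====
# Forward to the heavy forwarder tier; hostname is a placeholder.
[tcpout]
defaultGroup = hwf_tier

[tcpout:hwf_tier]
server = hwf1.example.com:9997

# ===== Universal forwarder: deploymentclient.conf (phone home) =====
# Lets the deployment server push apps/add-ons to this forwarder.
[target-broker:deploymentServer]
targetUri = deploy.example.com:8089

# ===== Heavy forwarder: inputs.conf (receive from UFs) =====
[splunktcp://9997]
disabled = 0

# ===== Heavy forwarder: props.conf (parse-time filtering hook) =====
# Because the HWF parses events, it can act as the data filter the text
# describes: drop noise before it consumes indexer capacity or licence.
[linux_secure]
TRANSFORMS-drop_noise = drop_cron_sessions

# ===== Heavy forwarder: transforms.conf (send matching events to nullQueue) =====
# Assumed regex: discard routine cron PAM session lines but keep everything
# else in auth.log (failed logins, sudo use) for detection.
[drop_cron_sessions]
REGEX = CRON\[\d+\]: pam_unix\(cron:session\)
DEST_KEY = queue
FORMAT = nullQueue

# ===== Heavy forwarder: outputs.conf (forward parsed data to indexers) =====
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = indexer1.example.com:9997, indexer2.example.com:9997

# ===== Indexer: inputs.conf (receive from the HWF) =====
[splunktcp://9997]
disabled = 0

# ===== Indexer: indexes.conf (create the index the UF tags events with) =====
[os_linux]
homePath = $SPLUNK_DB/os_linux/db
coldPath = $SPLUNK_DB/os_linux/colddb
thawedPath = $SPLUNK_DB/os_linux/thaweddb
```

Two points worth checking when you adapt this: the props/transforms filter only has an effect on a component that parses (the heavy forwarder or the indexer itself), never on a universal forwarder, and the index named in the UF's inputs.conf must exist on the indexer in indexes.conf, otherwise the events are rejected. Keep any nullQueue regex narrow; a filter that is too broad silently discards the authentication events you will later want to search.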