"This website is not affiliated with Splunk, Inc. and is not an authorized seller of Splunk products or services."

Understanding Splunk Architecture

To understand how to implement Splunk and how Splunk works, it is necessary to first understand the Splunk architecture and its components. Splunk is a combination of a handful of components that work together to provide the full functionality. We can install all of the components on a single server, or each component on a different server, depending on our performance needs. So let's first go through a basic introduction to the Splunk components.

Below are the components of the Splunk architecture:

1) Search Head --> The Splunk search head is basically the GUI for Splunk, where we can search, analyse and report on the indexed data.

2) Forwarder --> The Splunk forwarder is the Splunk component that works like an agent for Splunk. It collects data from different sources like Windows servers, Linux servers, routers, firewalls etc. and forwards the collected data to the indexer for indexing.

There are two types of Splunk forwarder, as below:
       a) Universal forwarder (UF) - A lightweight Splunk agent installed on a non-Splunk system to gather data locally; it cannot parse or index data.
       b) Heavy weight forwarder (HWF) - A full instance of Splunk with advanced functionality.
           - Generally works as a remote collector, intermediate forwarder and possible data filter, because it can parse data. Since it is a full Splunk instance it uses far more resources than a UF, so installing one on a production host is not recommended; use a UF there and do any parsing or filtering on an intermediate HWF or on the indexers.

3) Indexer --> The indexer is the Splunk Enterprise component that creates and manages indexes. The primary functions of an indexer are:
- Indexing incoming data
- Searching the indexed data (on behalf of the search head)

Below are the stages in which the Splunk indexer processes logs and stores them for searching later (the data pipeline: input, parsing, indexing and search):

Picture
4) Deployment Server --> The Splunk deployment server is a full Splunk instance used to host and deploy apps to the other components within the Splunk infrastructure. It is most often used to deploy technology add-ons to forwarders and indexers for index-time knowledge (inputs, sourcetypes and parsing rules). Keep in mind that whoever controls the deployment server can push an app containing scripted inputs to every forwarder, where it runs with the forwarder's privileges, so treat the deployment server as a privileged system and protect its admin credentials and management port accordingly.

5) Licensing server --> The license server (license master) manages and monitors license usage. It can be co-located on any of the above mentioned servers.
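To make the roles above concrete, the following is an added example (not configuration from the original page or from Splunk's own documentation) of the minimal set of .conf files that wire a universal forwarder, two indexers and a deployment server together, with TLS and client certificates on the forwarder-to-indexer link so that only enrolled forwarders can inject events. All host names (idx1/idx2/ds.example.internal), certificate paths under $SPLUNK_HOME/etc/auth/mycerts/, the index name "os" and the app name forwarder_outputs are assumptions; the stanza and attribute names are the standard ones from inputs.conf, outputs.conf, server.conf, deploymentclient.conf, indexes.conf and serverclass.conf.

```ini
# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# What to collect on the monitored host (path and index are assumed).
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os
disabled = false

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Where to send it: both indexers on the receiving port, over TLS, with the
# forwarder presenting its own certificate and checking the indexer's name.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
useACK = true
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <private-key-password>
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/server.conf ---
# CA used to validate the indexers' certificates (assumed path).
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
# Poll the deployment server on its management port for apps to install.
[deployment-client]
phoneHomeIntervalInSecs = 600

[target-broker:deploymentServer]
targetUri = ds.example.internal:8089

# --- Indexer (same on idx1 and idx2): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for forwarders on 9997, TLS only, and require a client certificate
# so that an arbitrary host on the network cannot feed events into the index.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <private-key-password>
requireClientCert = true

# --- Indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# The index the forwarder writes to must exist on every indexer.
[os]
homePath   = $SPLUNK_DB/os/db
coldPath   = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb

# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Push the app that carries the outputs.conf above to every Linux forwarder
# in the internal domain. Apps are staged under $SPLUNK_HOME/etc/deployment-apps/.
[serverClass:linux_forwarders]
whitelist.0 = *.example.internal
machineTypesFilter = linux-x86_64

[serverClass:linux_forwarders:app:forwarder_outputs]
restartSplunkd = true
stateOnClient = enabled
```

In practice the forwarder-side outputs.conf and server.conf would live inside the forwarder_outputs app rather than in system/local, so the deployment server can manage them; they are shown in system/local here only to keep the example flat. The indexers also need the same [sslConfig] sslRootCAPath in their server.conf so they can validate the forwarder certificates, and the search head needs the indexers registered as search peers (done in the GUI or with `splunk add search-server`, not shown). Since the deployment server can restart splunkd and run scripted inputs on every client, restrict access to its 8089 port and admin account to the forwarders and administrators that genuinely need it.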

  • We will see the installation and configuration of each component in detail in the next few chapters. Below are Splunk architecture diagrams which show how the Splunk components connect and the ports they use for intercommunication.


Picture
  • Ports used for Splunk component intercommunication (by default, 8000 is Splunk Web on the search head, 8089 is the splunkd management/REST port on which the deployment server, license server and search peers are contacted, and 9997 is the conventional receiving port on which indexers accept data from forwarders; all of them should be reachable only from the hosts that need them):
Picture
