Splunk Architecture

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Splunk Architecture

Splunk is a high performance, scalable software server written in C/C++ and Python. It indexes and searches logs and other IT data in real time. Splunk works with data generated by any application, server or device. After downloading, installing, and starting Splunk, you'll find two Splunk Server processes running on your host, splunkd and splunkweb.

splunkd is a distributed C/C++ server that accesses, processes and indexes streaming IT data and also handles search requests. splunkd processes and indexes your data by streaming it through a series of pipelines, each made up of a series of processors.
- Pipelines are single threads inside the splunkd process, each configured with a single snippet of XML.
- Processors are individual, reusable C or C++ functions that act on the stream of IT data passing through a pipeline. Pipelines can pass data to one another via queues. splunkd supports a command line interface for searching and viewing results.
splunkweb is a Python-based application server providing the Splunk Web user interface. It allows users to search and navigate IT data stored by Splunk servers and to manage your Splunk deployment through the browser interface.

splunkweb and splunkd can both communicate with your web browser via REST.

Splunk's data store manages the original raw data in compressed format as well as the indexes into the data. Data can be deleted or archived based on retention period or maximum data store size.
Splunk Servers can communicate with one another using a TCP-based protocol to forward data from one server to another and to distribute searches across multiple servers.
Configuration bundles are directories of files that contain configuration settings including, user accounts, saved searches, data inputs and processing properties to easily create specific Splunk environments.
Modules are files that add new functionality to Splunk by adding to or modifying existing processors and pipelines. They can include C++ code libraries.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.2.1/Developer/SplunkArchitecture"

« Overview Splunk's REST API »

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!

Developing Dashboards, Views, and Apps for Splunk Web

Splunk Architecture

Splunk Architecture

Comments