Components of a Splunk deployment
This documentation does not apply to the most recent version of Splunk.
Splunk is simple to deploy by design. By using a single software component and easy-to-understand configurations, Splunk can coexist with existing infrastructure or be deployed as a universal platform for accessing IT data.
The simplest deployment is the one you get by default when you install Splunk: indexing and searching on the same server. Data comes in from the sources you've configured, and you log into Splunk Web or the CLI on this same server to search, monitor, alert, and report on your IT data.
Depending on your needs, you can also deploy components of Splunk on different servers to address your load and availability requirements. This section covers these potential components:
Indexer
Splunk indexers, or index servers, provide indexing capability for local and remote data and host the primary Splunk datastore, as well as Splunk Web. Refer to "How indexing works" in the Admin Manual for more information.
Search peer
A search peer is an indexer that services requests from search heads in a distributed search deployment. Search peers are also sometimes referred to as indexer nodes.
Search head
A search head is a Splunk instance configured to distribute searches to indexers, or search peers. Search heads can be either dedicated or not, depending on whether they also perform indexing. Dedicated search heads don't have any indexes of their own (other than the usual internal indexes). Instead, they consolidate results originating from remote search peers.
See distributed search to configure a search head to search across a pool of indexers.
Forwarder
Forwarders are Splunk instances that forward data to remote indexers for indexing and storage. In most cases, they do not index data themselves. To reduce their operational footprint, Splunk Web is usually not used on forwarders. Refer to the documentation on setting up a Splunk instance as a forwarder.
Deployment server
Both indexers and forwarders can also act as deployment servers. A deployment server distributes configuration information to running instances of Splunk via a push mechanism that is enabled through configuration. Refer to the documentation on setting up a Splunk instance as a deployment server.
Functions at a glance
| Functions | Indexer | Search head | Forwarder | Deployment server |
|---|---|---|---|---|
| Indexing | x | |||
| Web | x | |||
| Direct search | x | |||
| Forward to indexer | x | |||
| Deploy configurations | x | x | x |
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8.
Comments
Agree with Earthbound
Diagram is needed
Do you mean like the one in this topic?
http://www.splunk.com/base/Documentation/latest/Installation/Splunksarchitectureandwhatgetsinstalled
or something else?