What a Splunk App for Windows Infrastructure deployment looks like
This topic explains the overall architecture of a Splunk App for Windows Infrastructure deployment.
For instructions on how to deploy the app, read "How to deploy the Splunk App for Windows Infrastructure."
Overview
At a minimum, the Splunk App for Windows Infrastructure consists of a "central" Splunk instance that contains the index and runs Splunk Web, and that users access to view the app.
The central Splunk instance can be one or more servers
A central Splunk instance can consist of one or more servers:
- An indexer that collects the data from itself or other Windows servers.
- A search head that searches the data and hosts the application.
These services can be on the same server. If you want to scale the deployment for additional performance and incoming data volume, you can distribute the central Splunk instance by adding indexers and search heads.
The central Splunk instance can run on any Splunk-supported operating system
You can deploy the Splunk App for Windows Infrastructure on *nix search heads and use *nix indexers to index the data. In this scenario, the *nix indexers must receive the data from Windows forwarders, because they cannot collect Windows data themselves.
The Splunk App for Windows Infrastructure can monitor many Windows servers at once
The Splunk App for Windows Infrastructure supports collecting data from hundreds of machines. There are many ways to configure the Splunk App for Windows Infrastructure, depending on your network's topology.
You monitor additional servers with your Splunk App for Windows Infrastructure deployment by:
- Installing universal forwarders on each Windows server or Active Directory domain controller you want to include in the environment.
- Configuring the forwarders to send data to the indexers in the central Splunk instance.
- Deploying the Splunk Add-on for Windows onto those forwarders.
The central Splunk instance indexes the incoming data and makes it available for viewing, searching, and reporting within the app.
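The configuration files that implement the three steps above, as an added example rather than text from the Splunk documentation: the hostnames idx1/idx2.example.com, the certificate paths, the index names and the setting names (which follow the Splunk 6.x outputs.conf and inputs.conf reference) are assumptions to check against your own version.

```ini
# --- Forwarder on each monitored Windows server or domain controller ---
# outputs.conf (assumed path: %SPLUNK_HOME%\etc\system\local\outputs.conf)
[tcpout]
defaultGroup = central_indexers

[tcpout:central_indexers]
# Assumed hostnames: replace with the indexers of your central Splunk instance
server = idx1.example.com:9997, idx2.example.com:9997
# The forwarder waits for indexer acknowledgement, so a restarting indexer does not drop events
useACK = true
# Verify the indexer certificate so forwarders only ship data to indexers you issued certs for
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
sslVerifyServerCert = true

# inputs.conf local override for the Splunk Add-on for Windows on the same forwarder
# (assumed path: %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\inputs.conf)
[WinEventLog://Security]
disabled = 0
# Index names are assumed to match what the app searches; create them on the indexers
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

# Active Directory monitoring: enable only on domain controllers
[admon://NearestDC]
targetDc =
startingNode =
monitorSubtree = 1
disabled = 0
index = msad

# --- Indexer(s) in the central Splunk instance ---
# inputs.conf (assumed path: $SPLUNK_HOME/etc/system/local/inputs.conf)
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# Assumed certificate path and password; the cert must chain to the CA the forwarders trust
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <certificate-key-password>
requireClientCert = false
```

The search head needs no input configuration of its own: it only has to list the indexers as distributed search peers and have the app installed.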
Example deployment
The diagram below depicts an example Splunk App for Windows Infrastructure deployment.
Each Windows server or Active Directory domain controller on your network gets a Splunk universal forwarder. On that forwarder, you install the Splunk Add-on for Windows. This add-on collects Windows or Active Directory data and sends it to the indexer(s) in the central Splunk App for Windows Infrastructure instance.
The central Splunk App for Windows Infrastructure instance has at least a search head (with the Splunk App for Windows Infrastructure installed on it) and an indexer. The indexer indexes the Windows or Active Directory data (as shown by the black arrows), and the search head searches the indexer for that data (as shown by the green arrow). The indexer returns events to the search head (blue arrow). Users log into the search head to use the app and see the data.
Optionally, if any server in the central Splunk App for Windows Infrastructure instance is a Windows server, you can install the Splunk Add-on for Windows on that server to get that server's Windows data.
Splunk's Professional Services can help with questions and provide assistance with large or complex layouts.
This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4