Splunk® Validated Architectures

Topology components

The following table shows the tiers and components of Splunk software deployments. It includes the icons used to represent each component in SVA diagrams, a description of the component, and additional notes.

| Tier | Component | Icon | Description | Notes |
| --- | --- | --- | --- | --- |
| Management | Deployment Server (DS) | [icon] | The deployment server manages forwarder configuration. | Should be deployed on a dedicated instance. It can be virtualized for easy failure recovery. |
| | License Manager (LM) | [icon] | The license manager is required by other Splunk software components to enable licensed features and track daily data ingest volume. | The license manager role has minimal capacity and availability requirements and can be colocated with other management functions. It can be virtualized for easy failure recovery. |
| | Monitoring Console (MC) | [icon] | The monitoring console provides dashboards for usage and health monitoring of your environment. It also contains a number of prepackaged platform alerts that can be customized to provide notifications for operational issues. | In clustered environments, the MC can be colocated with the Master Node, in addition to the License Master and Deployment server function in non-clustered deployments. It can be virtualized for easy failure recovery. |
| | Cluster Manager (CM) | [icon] | The cluster manager is the required coordinator for all activity in a clustered deployment. | In clusters with a large number of index buckets (high data volume/retention), the cluster manager will likely require a dedicated server to run on. It can be virtualized for easy failure recovery. |
| | Search Head Cluster Deployer (SHC-D) | [icon] | The search head cluster deployer is needed to bootstrap a SHC and manage Splunk configuration deployed to the cluster. | The SHC-D is not a runtime component and has minimal system requirements. It can be colocated with other management roles. Note: Each SHC requires its own SHC-deployer function. It can be virtualized for easy failure recovery. |
| Search | Search Head (SH) | [icon] | The search head provides the UI for Splunk users and coordinates scheduled search activity. | Search heads are dedicated Splunk software instances in distributed deployments. Search heads can be virtualized for easy failure recovery, provided they are deployed with appropriate CPU and memory resources. |
| | Search Head Cluster (SHC) | [icon] | A search head cluster is a pool of at least three clustered Search Heads. It provides horizontal scalability for the search head tier and transparent user failover in case of outages. | Search head clusters require dedicated servers of ideally identical system specifications. Search head cluster members can be virtualized for easy failure recovery, provided they are deployed with appropriate CPU and memory resources. |
| Indexing | Indexer | [icon] | Indexers are the heart and soul of a Splunk deployment. They process and index incoming data and also serve as search peers to fulfill search requests initiated on the search tier. | Indexers must always be on dedicated servers in distributed or clustered deployments. In a single server deployment, the indexer will also provide the search UI and license master functions. Indexers perform best on bare metal servers or in dedicated, high-performance virtual machines, if adequate resources can be guaranteed. |
| Data Collection | Forwarders and other data collection components | [icon] | General icon for any component involved in data collection. | This includes universal and heavy forwarders, network data inputs and other forms of data collection (HEC, Kafka, etc.). |
| | Splunk Connect for Syslog (SC4S) | [icon] | SC4S is the current best practice approach for SYSLOG data collection. | We created a dedicated icon for SC4S to reflect a fundamentally different, containerized deployment model for this data collection tier component. |

Last modified on 12 March, 2024

This documentation applies to the following versions of Splunk® Validated Architectures: current

