Splunk® Enterprise

Installation Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Splunk Enterprise architecture and processes

This topic discusses the internal architecture and processes of Splunk Enterprise at a high level. If you're looking for information about third-party components used in Splunk, refer to the credits section in the Release notes.

Processes

A Splunk Enterprise server runs two processes (installed as services on Windows systems) on your host, splunkd and splunkweb:

  • splunkd is a distributed C/C++ server that accesses, processes and indexes streaming IT data. It also handles search requests. splunkd processes and indexes your data by streaming it through a series of pipelines, each made up of a series of processors.
    • Pipelines are single threads inside the splunkd process, each configured with a single snippet of XML.
    • Processors are individual, reusable C or C++ functions that act on the stream of IT data passing through a pipeline. Pipelines can pass data to one another via queues. splunkd supports a command line interface for searching and viewing results.
  • splunkweb is a Python-based application server based on CherryPy that provides the Splunk Web user interface. It allows users to search and navigate data stored by Splunk servers and to manage your Splunk deployment through a Web interface.

splunkweb and splunkd can both communicate with your Web browser via REpresentational State Transfer (REST):

  • splunkd also runs a Web server on port 8089 with SSL/HTTPS turned on by default.
  • splunkweb runs a Web server on port 8000 without SSL/HTTPS by default.

On Windows systems, splunkweb.exe is a third-party, open-source executable that Splunk renames from pythonservice.exe. Since it is a renamed file, it does not contain the same file version information as other Splunk for Windows binaries.

Read information on other Windows third-party binaries distributed with Splunk.

Splunk Enterprise and Windows in Safe Mode

Neither the splunkd, the splunkweb, nor the SplunkForwarder services starts if Windows is in Safe Mode. Additionally, if you attempt to start Splunk from the Start Menu while in Safe Mode, Splunk does not alert you to the fact that its services are not running.

Additional processes for Splunk Enterprise on Windows

On Windows instances of Splunk, in addition to the two services described above, there are additional processes that Splunk uses when you create specific data inputs on a Splunk instance. These inputs run when configured by certain types of Windows-specific data input.

splunk.exe

splunk.exe is the control application for the Windows version of Splunk. It provides the command line interface (CLI) for the program, and allows you to start, stop, and configure Splunk, similar to the *nix splunk program.

Important: splunk.exe requires an elevated context to run because of how it controls the splunkd and splunkweb processes. Splunk might not function correctly if this executable is not given the appropriate permissions on your Windows system. This is not an issue if you install Splunk as the Local System user.

splunk-admon

splunk-admon.exe is spawned by splunkd whenever you configure an Active Directory (AD) monitoring input. splunk-admon's purpose is to attach to the nearest available AD domain controller and gather change events generated by AD. Splunk then stores these events in the desired index.

splunk-perfmon

splunk-perfmon.exe runs when you configure Splunk to monitor performance data on the local machine. This service attaches to the Performance Data Helper libraries, which query the performance libraries on the system and extract performance metrics both instantaneously and over time.

splunk-netmon

splunk-netmon runs when you configure Splunk to monitor Windows network information on the local machine.

splunk-regmon

splunk-regmon.exe runs when you configure a Registry monitoring input in Splunk. This input initially writes a baseline for the Registry as it currently exists (if desired), then monitors changes to the Registry over time. Those changes come back into Splunk as searchable events.

splunk-winevtlog

You can use this utility to test defined event log collections, and it outputs events as they are collected for investigation. Splunk has a Windows event log input processor built into the engine.

splunk-winhostmon

splunk-winhostmon runs when you configure a Windows host monitoring input in Splunk. This input gets detailed information about Windows hosts.

splunk-winprintmon

splunk-winprintmon runs when you configure a Windows print monitoring input in Splunk. This input gets detailed information about Windows printers and print jobs on the local system.

splunk-wmi

When you configure a performance monitoring, event log or other input against a remote computer, this program starts up. Depending on how you configure the input, either it attempts to attach to and read Windows event logs as they come over the wire, or it executes a Windows Query Language (WQL) query against the Windows Management Instrumentation (WMI) provider on the specified remote machine(s). Splunk then stores the events.

Architecture diagram

Architecture-new.png

PREVIOUS
Estimate your storage requirements
  NEXT
Information on Windows third-party binaries that come with Splunk Enterprise

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters