Splunk® Enterprise

Distributed Deployment Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk Enterprise.

Components and roles

Each segment of the data pipeline corresponds directly to a role that one or more Splunk Enterprise components can perform. For instance, data input is a Splunk Enterprise role, and either an indexer or a forwarder can perform it. For more information on the data pipeline, see "How data moves through Splunk Enterprise".

How components support the data pipeline

This table correlates the pipeline segments and Splunk Enterprise roles with the components that can perform them:

Data pipeline segment   Role                           Components that can perform this role
Data input              Data input                     indexer, universal forwarder, heavy forwarder
Parsing                 Parsing                        indexer, heavy forwarder
Indexing                Indexing                       indexer
Search                  Search                         indexer, search head
n/a                     Managing distributed updates   deployment server

As the table indicates, some roles can be filled by different components depending on the situation. For instance, data input can be handled by an indexer in single-machine deployments, or by a forwarder in larger deployments.

For more information on components, see "Scale your deployment: Splunk Enterprise components".

Components in action

These are some of the common ways in which Splunk Enterprise functionality is distributed and managed.

Forward data to an indexer

In this deployment scenario, forwarders handle data input: they collect data and send it on to a Splunk Enterprise indexer. Forwarders come in two flavors:

  • Universal forwarders. These maintain a small footprint on their host machine. They perform minimal processing on the incoming data streams before forwarding them on to an indexer, also known as the receiver.
  • Heavy forwarders. These retain much of the functionality of a full Splunk Enterprise instance. They can parse data before forwarding it to the receiving indexer. (See "How data moves through Splunk Enterprise" for the distinction between parsing and indexing.)

Both types of forwarders tag data with metadata such as host, source, and source type, before forwarding it on to the indexer.

Forwarders allow you to use resources efficiently while processing large quantities or disparate types of data. They also enable a number of interesting deployment topologies, by offering capabilities for load balancing, data filtering, and routing.

For an extended discussion of forwarders, including configuration and detailed use cases, see "About forwarding and receiving" in the Forwarding Data manual.
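The following is an added example, not taken from the Splunk manual, showing both sides of the forwarder-to-indexer link described above: the default plaintext configuration beside a TLS-protected one with indexer acknowledgement, and the kind of routing rule that only a parsing component (heavy forwarder or indexer) can apply. The hostnames (idx1.example.com, idx2.example.com, idx-audit.example.com), certificate file names, group names and the audit log path are assumptions for illustration; the stanza and setting names are the real outputs.conf, inputs.conf, props.conf and transforms.conf keys.

```ini
# ---- Forwarder side: $SPLUNK_HOME/etc/system/local/outputs.conf ----
# Weak (the out-of-the-box behaviour): events travel to the indexers over
# plaintext splunktcp. Listing several servers gives load balancing across
# them, but anyone on the network path can read or inject events.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

# Hardened: replace the weak stanza above with this one. Same target group,
# now with TLS, verification of the indexer certificate against our CA, and
# indexer acknowledgement so the forwarder retries instead of silently
# dropping data when a connection is lost mid-stream.
[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
useACK = true
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem
sslPassword = <private key password for forwarder.pem>
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert = true

# ---- Indexer (receiver) side: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Weak: plaintext receiving port; any host that can reach TCP 9997 can send.
[splunktcp://9997]
disabled = 0

# Hardened: replace the weak stanza above (both cannot bind the same port).
# TLS on the receiving port plus a required client certificate, so only
# forwarders holding a certificate issued by our CA can submit events.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
password = <private key password for indexer.pem>
rootCA = $SPLUNK_HOME/etc/auth/ca.pem
requireClientCert = true

# ---- Heavy forwarder only: route audit logs to a restricted indexer group ----
# _TCP_ROUTING is set in the parsing pipeline, which runs on indexers and
# heavy forwarders but not on universal forwarders.
# outputs.conf: a second group that receives the sensitive data instead
[tcpout:audit_indexers]
server = idx-audit.example.com:9997

# props.conf: "..." matches any depth below /var/log/audit/
[source::/var/log/audit/...]
TRANSFORMS-route_audit = route_audit

# transforms.conf: every event from that source gets the audit group
[route_audit]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = audit_indexers
```

The private-key passwords are secrets: keep the files out of version control and restrict their permissions on the host, since the value is readable in cleartext until Splunk rewrites it on restart. With requireClientCert set on the indexer, a universal forwarder without sslCertPath configured is refused, which is the intended failure mode.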

Search across multiple indexers

In distributed search, a Splunk Enterprise instance sends search requests to other Splunk Enterprise instances, merges their results, and returns the merged result set to the user. This is useful for a number of purposes, including horizontal scaling, access control, and managing geo-dispersed data.

The Splunk Enterprise instance that manages search requests is called the search head. The instances that maintain the indexes and perform the actual searching are indexers, called search peers in this context.

For an extended discussion of distributed search, including configuration and detailed use cases, see "About distributed search" in the Distributed Search manual.
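An added example, not from the Splunk manual, of how a search head names its search peers. The hostnames and the placeholder credentials are assumptions; the stanza, setting and command names are real. The point a practitioner most often gets wrong is the port: peers are addressed on the splunkd management port (8089), not on the 9997 receiving port used for forwarding.

```ini
# ---- Search head: $SPLUNK_HOME/etc/system/local/distsearch.conf ----
# Each entry is a URI for a peer's management port. The search head
# authenticates to each peer with its own key pair, not with a password.
[distributedSearch]
servers = https://idx1.example.com:8089, https://idx2.example.com:8089

# Equivalent CLI, run once per peer on the search head. Besides adding the
# entry above, it copies the search head's public key
# ($SPLUNK_HOME/etc/auth/distServerKeys/trusted.pem) onto the peer, under
# $SPLUNK_HOME/etc/auth/distServerKeys/<search head name>/trusted.pem,
# which is what lets the peer accept searches from this head:
#   splunk add search-server https://idx1.example.com:8089 \
#       -auth admin:<search head password> \
#       -remoteUsername admin -remotePassword <peer password>
```

Because the peer trusts whoever holds the search head's private key (private.pem in the same directory), that file deserves the same protection as an administrator credential: anyone who copies it can run searches, and therefore read every index, on every peer that trusts it.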

Manage distributed updates

In distributed deployments that may consist of many forwarders, indexers, and search heads, the Splunk Enterprise deployment server simplifies configuring and updating Splunk Enterprise components, mainly forwarders and indexers. Using the deployment server, you group the components (referred to as deployment clients in this context) into server classes, which lets you push updates based on common characteristics.

A server class is a set of Splunk Enterprise instances that share configurations. Server classes are typically grouped by OS, machine type, application area, location, or other useful criteria. A single deployment client can belong to multiple server classes, so a Linux universal forwarder residing in the UK, for example, might belong to a Linux server class and a UK server class, and receive configuration settings appropriate to each.

For an extended discussion of deployment management, see "About deployment server" in the Updating Splunk Enterprise Instances manual.
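An added example, not from the Splunk manual, that expresses the server classes described above in configuration: a Linux class, a UK class, and a universal forwarder that is a member of both and so receives the apps of each. The class names, app names, hostnames and the domain patterns are assumptions for illustration; the stanza and setting names are real serverclass.conf and deploymentclient.conf keys.

```ini
# ---- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ----
# Every app stanza refers to a directory under $SPLUNK_HOME/etc/deployment-apps.
[global]

# Linux class, selected by platform rather than by name. Whitelist and
# blacklist patterns are matched against the name, host name, DNS name or IP
# the client reports; a blacklist match overrides any whitelist match.
[serverClass:linux_forwarders]
whitelist.0 = *
blacklist.0 = *.lab.example.com
machineTypesFilter = linux-x86_64, linux-i686

[serverClass:linux_forwarders:app:linux_base_inputs]
restartSplunkd = true

# UK class, selected by naming convention. A client such as uk-web-07 matches
# both this class and linux_forwarders, and gets the apps of both.
[serverClass:uk_hosts]
whitelist.0 = uk-*
whitelist.1 = *.uk.example.com

[serverClass:uk_hosts:app:uk_outputs]
restartSplunkd = true

# ---- Deployment client (the UK Linux universal forwarder):
#      $SPLUNK_HOME/etc/system/local/deploymentclient.conf ----
[deployment-client]
clientName = uk-web-07
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = ds.example.com:8089
```

Whatever is placed under deployment-apps is installed, and with restartSplunkd applied, on every matching client, scripted inputs included. Treat the deployment server as a privileged host: write access to it is code execution on every forwarder it manages, so its management port and admin credentials deserve the same controls as the indexers themselves.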

For more information

In summary, these are the fundamental components and features of a Splunk Enterprise distributed environment:

  • Forwarders (universal and heavy), which handle data input and forward data to indexers.
  • Indexers, which parse, index, and search data, and act as search peers in distributed search.
  • Search heads, which send search requests to indexers and merge the results.
  • The deployment server, which pushes configuration updates to deployment clients grouped into server classes.

For guidance on where to configure various Splunk Enterprise settings, see "Configuration parameters and the data pipeline" in the Admin Manual. That topic lists key configuration settings and the data pipeline segments they act upon. If you know which components in your Splunk Enterprise topology handle which segments of the data pipeline, you can use that topic to determine where to configure the various settings. For example, if you use a search head to handle the search segment, you'll need to configure any search-related settings on the search head and not on your indexers.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
