Implement a distributed deployment
This topic provides a high-level framework for implementing a basic multi-tiered distributed environment such as this:
To implement this sort of distributed environment, you need to install and configure three types of components:
- Indexers
- Forwarders (typically, universal forwarders)
- Search head(s)
Install and configure the indexers
By default, all full Splunk Enterprise instances serve as indexers. For horizontal scaling, you can install multiple indexers on separate machines.
To learn how to install a Splunk Enterprise instance, read the Installation Manual.
Once you've installed the indexers, see the Managing Indexers and Clusters of Indexers manual for information on configuring each indexer to meet the needs of your specific deployment.
To prepare your indexers to receive data from forwarders, see "Enable a receiver" in the Forwarding Data manual. In addition, if the indexers will be consuming some data inputs directly, rather than through forwarders, see the Getting Data In manual for information on configuring data inputs. The diagram in this topic shows two direct inputs, one from a firewall and another from a data router.
If data availability, data fidelity, and data recovery are key issues for your deployment, you should consider deploying an indexer cluster, rather than a series of individual indexers. For further information, see "About indexer clusters and index replication" in the Managing Indexers and Clusters of Indexers manual.
Install and configure the forwarders
A typical distributed deployment has a large number of forwarders feeding data to a few indexers. For most forwarding purposes, the universal forwarder is the best choice. The universal forwarder is a separate download from the full Splunk Enterprise instance.
To learn how to install and configure forwarders, read the Forwarding Data manual.
Then read the Getting Data In manual for information on configuring each forwarder's data inputs.
Install and configure the search heads
You can install one or more search heads to handle your distributed search needs. Search heads are full Splunk Enterprise instances that have been specially configured to manage searches across a set of indexers. Users run searches by connecting to the search head's Splunk Web.
To learn how to configure a search head, read the Distributed Search manual.
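As an added example (not taken from the Splunk manuals referenced above), the minimal configuration stanzas that wire the three component types together: a receiver on each indexer, an output group on each universal forwarder, and the search peers on the search head. The hostnames, the receiving port 9997 and the group name are assumptions for this illustration.

```ini
# --- On each indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Open a receiving port for forwarder traffic. Port 9997 is the customary
# choice and is assumed here; any free port works. This listener is
# cleartext; the [splunktcp-ssl:<port>] stanza together with an [SSL]
# stanza is the TLS-protected variant.
[splunktcp://9997]
disabled = 0

# --- On each universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Send data to a named group of indexers. The forwarder load-balances
# across the listed servers, so forwarding continues if one indexer
# becomes unavailable. idx1/idx2 are placeholder hostnames.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

# --- On the search head: $SPLUNK_HOME/etc/system/local/distsearch.conf ---
# Register the indexers as search peers over the management port (8089
# by default). The search head also has to exchange its public key with
# each peer; adding peers through Splunk Web or with
# `splunk add search-server` performs that exchange for you.
[distributedSearch]
servers = https://idx1.example.com:8089, https://idx2.example.com:8089
```

Restart each instance after editing its .conf files so the new stanzas take effect.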
Other deployment tasks
You can use the Splunk Enterprise deployment server to simplify the job of updating the deployment components. For details on how to configure a deployment server, see the Updating Splunk Enterprise Instances manual.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15