Start implementing your distributed deployment
Splunk Enterprise deployments range from single-instance departmental deployments, indexing a few gigabytes of data a day and servicing just a few users searching the data, to large enterprise deployments distributed across multiple data centers, with indexing requirements in the terabyte range and searches performed by hundreds of people.
A production deployment of Splunk Enterprise typically requires that you install and configure a variety of components, such as forwarders, search heads, and indexers. This manual includes a series of frameworks for implementing common distributed deployment scenarios, ranging in size from departmental to large enterprise deployments.
The frameworks serve as high-level roadmaps for navigating the implementation process. Each framework describes a common deployment scenario. It then provides an overview of the process for implementing that scenario, with links to detailed documentation for every step of the process.
Choose the scenario that most closely reflects your need, and follow its framework. The framework will take you to the point where you have a running deployment. At that point, you are ready to focus on the range of administration tasks, like setting up users, dealing with security concerns, and, finally, creating knowledge objects like dashboards and searches for your end users.
Splunk Enterprise components and deployment scenarios
To implement a Splunk Enterprise production deployment, you must install a variety of Splunk Enterprise components. The specific components that you install depend on the deployment type. Even to implement a single-instance deployment, in which a single Splunk Enterprise instance serves as both indexer and search head, you need to install forwarders on the data-generating hosts, to feed data to the instance. To scale beyond a single instance, you must install and configure several types of Splunk Enterprise components.
The components that you configure vary according to the size and the specific requirements of your deployment. For example, a deployment that ensures high availability of data requires a different configuration from a deployment where high availability is not a strong concern.
The different components are, for the most part, built from the same Splunk Enterprise software package, with different configurations to meet the different roles. The exception is the universal forwarder, which uses a lightweight package of Splunk Enterprise.
For a thorough discussion of components, see "Scale your deployment with Splunk Enterprise components."
How to get started
The process of implementing your deployment requires that you make a series of decisions based on your goals. It also requires that you follow procedures described in numerous topics that are spread across a large body of documentation. The procedures that you implement vary according to the needs of your deployment.
It can be difficult to determine the right set of procedures for your particular deployment needs, and then to locate all the procedures in the documentation. The intent of this chapter is to simplify this process. The topics in this chapter provide you with information to help you understand your deployment needs and make the right decisions from the start.
The chapter "Typical deployment scenarios, with implementation frameworks", which follows next, provides separate topics for each of several representative deployment types, or scenarios. These topics contain end-to-end deployment frameworks for each scenario. Each framework includes a set of high-level steps that you can follow to deploy the scenario, with links to topics that contain the detailed procedures for each step.
What to do next
Follow this path:
1. See "Types of deployments" to understand the choices you that you must make and the characteristics of various types of deployments.
2. In "Types of deployments", read through the high-level descriptions for the deployment types to find the one that best correlates to your need.
3. To proceed with your deployment, turn to the topic for the scenario that you want to implement, and follow its implementation framework. For example, "Small enterprise deployment: Single search head with multiple indexers."
The scenario topics mostly assume that you are implementing the deployments from scratch. The issues are similar for expansions of existing deployments, however. The topics discuss any issues that you particularly need to be aware of when migrating from a smaller, or otherwise different, deployment type.
4. See "Post-deployment activities" for guidance on the activities that you need to perform after you complete the initial deployment.
Key manuals for a distributed deployment
Types of distributed deployments
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1, 7.3.2