https://community.splunk.com/t5/Deployment-Architecture/What-is-Splunk-Search-Head/m-p/689613#M28244 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248866">@thevikramyadav</a>&nbsp;... all the best for your splunk learning..&nbsp;</P><P><BR />remember these 3 components...&nbsp;<BR />1) Splunk Universal forwarder collects the logs and send it to Splunk indexer.&nbsp;</P><P>2) Splunk indexer, indexes(ingests) the logs(it reads the logs, word by word, and write it down to flat files for searching)</P><P>3) Splunk Search head - its the webserver which provides the Splunk GUI login page, it reads the search requests from the users and send it to indexer. and collects the results from indexer, consolidates, reports it.&nbsp;</P><P>&nbsp;</P><P>From Splunk documentations:</P><P>In a<SPAN>&nbsp;</SPAN><STRONG><A title="Splexicon:Distributedsearch" href="https://docs.splunk.com/Splexicon:Distributedsearch" target="_blank">distributed search</A></STRONG><SPAN>&nbsp;</SPAN>environment, a Splunk Enterprise instance that handles<SPAN>&nbsp;</SPAN><STRONG><A title="Splexicon:Searchmanagement" href="https://docs.splunk.com/Splexicon:Searchmanagement" target="_blank">search management</A></STRONG><SPAN>&nbsp;</SPAN>functions, directing search requests to a set of<SPAN>&nbsp;</SPAN><STRONG><A title="Splexicon:Searchpeer" href="https://docs.splunk.com/Splexicon:Searchpeer" target="_blank">search peers</A></STRONG><SPAN>&nbsp;</SPAN>and then merging the results back to the user.</P><P>A Splunk Enterprise instance can function as both a search head and a search peer. A search head that performs only searching, and not any indexing, is referred to as a dedicated search head.</P><P><STRONG><A title="Splexicon:Searchheadcluster" href="https://docs.splunk.com/Splexicon:Searchheadcluster" target="_blank">Search head clusters</A></STRONG><SPAN>&nbsp;</SPAN>are groups of search heads that coordinate their activities.</P><P>Search heads are also required components of<SPAN>&nbsp;</SPAN><STRONG><A title="Splexicon:Indexercluster" href="https://docs.splunk.com/Splexicon:Indexercluster" target="_blank">indexer clusters.</A></STRONG></P> Tue, 04 Jun 2024 21:03:32 GMT inventsekar 2024-06-04T21:03:32Z https://community.splunk.com/t5/Deployment-Architecture/What-is-Splunk-Search-Head/m-p/689612#M28243 <P>Can someone help me to get more idea on Splunk Search Head and how it work's ?</P> Tue, 04 Jun 2024 20:54:33 GMT https://community.splunk.com/t5/Deployment-Architecture/What-is-Splunk-Search-Head/m-p/689612#M28243 thevikramyadav 2024-06-04T20:54:33Z https://community.splunk.com/t5/Deployment-Architecture/What-is-Splunk-Search-Head/m-p/689613#M28244 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248866">@thevikramyadav</a>&nbsp;... all the best for your splunk learning..&nbsp;</P><P><BR />remember these 3 components...&nbsp;<BR />1) Splunk Universal forwarder collects the logs and send it to Splunk indexer.&nbsp;</P><P>2) Splunk indexer, indexes(ingests) the logs(it reads the logs, word by word, and write it down to flat files for searching)</P><P>3) Splunk Search head - its the webserver which provides the Splunk GUI login page, it reads the search requests from the users and send it to indexer. and collects the results from indexer, consolidates, reports it.&nbsp;</P><P>&nbsp;</P><P>From Splunk documentations:</P><P>In a<SPAN>&nbsp;</SPAN><STRONG><A title="Splexicon:Distributedsearch" href="https://docs.splunk.com/Splexicon:Distributedsearch" target="_blank">distributed search</A></STRONG><SPAN>&nbsp;</SPAN>environment, a Splunk Enterprise instance that handles<SPAN>&nbsp;</SPAN><STRONG><A title="Splexicon:Searchmanagement" href="https://docs.splunk.com/Splexicon:Searchmanagement" target="_blank">search management</A></STRONG><SPAN>&nbsp;</SPAN>functions, directing search requests to a set of<SPAN>&nbsp;</SPAN><STRONG><A title="Splexicon:Searchpeer" href="https://docs.splunk.com/Splexicon:Searchpeer" target="_blank">search peers</A></STRONG><SPAN>&nbsp;</SPAN>and then merging the results back to the user.</P><P>A Splunk Enterprise instance can function as both a search head and a search peer. A search head that performs only searching, and not any indexing, is referred to as a dedicated search head.</P><P><STRONG><A title="Splexicon:Searchheadcluster" href="https://docs.splunk.com/Splexicon:Searchheadcluster" target="_blank">Search head clusters</A></STRONG><SPAN>&nbsp;</SPAN>are groups of search heads that coordinate their activities.</P><P>Search heads are also required components of<SPAN>&nbsp;</SPAN><STRONG><A title="Splexicon:Indexercluster" href="https://docs.splunk.com/Splexicon:Indexercluster" target="_blank">indexer clusters.</A></STRONG></P> Tue, 04 Jun 2024 21:03:32 GMT https://community.splunk.com/t5/Deployment-Architecture/What-is-Splunk-Search-Head/m-p/689613#M28244 inventsekar 2024-06-04T21:03:32Z