Archive

How do I get new users acquainted with the basic anatomy of how Splunk Enterprise works?

Splunk Employee
Splunk Employee

I'm putting together materials for new users to our Splunk Enterprise environment. Can you point me toward some resources to get new users acquainted with Splunk Enterprise basic anatomy and function?

0 Karma
1 Solution

Splunk Employee
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Here's a basic Splunk Enterprise 101 to get your new users on the right track.

Note: This answer applies to Splunk Enterprise and Splunk Cloud

Splunk Enterprise anatomy

Splunk Enterprise is a flexible data analytics platform that enables users to quickly analyze and share discoveries about data. Splunk scales to meet your needs, from a single-instance sandbox for testing out ideas, to a fully distributed enterprise data center with advanced security, and anywhere in between.

Splunk Enterprise has three functional components: forwarders, indexers, and search heads.

If you have Splunk Cloud, you won't need to worry about the configuration of these components, but understanding what they do will help you as you search and optimize data with Splunk Cloud.

Each component is a Splunk instance configured with just the functional parts it needs to fulfill its role. A stand-alone Splunk deployment on a single server can host all Splunk functions in a single installation. A distributed Splunk deployment on multiple servers can have multiple indexers and search heads deployed, configured, and load balanced across multiple forwarders in multiple locations. Even geographically distributed deployments extend these three functional components.

How Splunk Enterprise optimizes data for search

Splunk Enterprise uses a simple, tiered data structure to ingest and organize your data for easy and efficient searching on its way through the Splunk data pipeline.

  • Forwarder performs data input: A forwarder is a Splunk component that forwards data to a Splunk indexer or another forwarder, or to a third-party system. Example data sources include applications, servers, databases, card readers, network components, and so on.
  • Indexer performs indexing: An indexer is a Splunk component that stores and indexes data, transforms raw data into events, and writes the results into an index that can later be searched. Splunk Enterprise makes it easy to self-manage your index settings.
  • Search head performs search: A search is a written request to retrieve data from an indexer. A search head is the component that handles search management functions, directs search requests to a set of search peers or indexers, then merges the results back to the user for easy visualization and analysis.

How to get acquainted with Splunk Enterprise

  • Identify your data sources: Create a list of those data sources in preparation for hosting Splunk forwarders. Splunk Cloud users can review Overview of getting data into Splunk Cloud in the Splunk Cloud User Manual. Splunk Enterprise users can review Get started with getting data in in the Getting Data In Manual.
  • Get acquainted with how to use Splunk software: Cloud users can review Getting started with Splunk Cloud in the Splunk Cloud User Manual. All users can review Get started with search in the Search Manual.
  • Learn more about Splunk Enterprise and Splunk Cloud: Splunk Cloud users can review Welcome to Splunk Cloud! in the Splunk Cloud User Manual. Splunk Enterprise users can review About Splunk Enterprise in the Splunk Enterprise Overview Manual.
  • Party with the Splunk Community. Splunk has a thriving community of enthusiasts from all over the world who share resources, solutions, and inspirations. You're invited! Pick up a few tips to get started with Splunk Community, then grab a headlamp and join the fun in the Splunk Community!
  • Learn more about forwarders. The following video has details about getting data in to Splunk Enterprise using a universal forwarder.

Getting Data In to Splunk Enterprise with Forwarders

View solution in original post

Splunk Employee
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Here's a basic Splunk Enterprise 101 to get your new users on the right track.

Note: This answer applies to Splunk Enterprise and Splunk Cloud

Splunk Enterprise anatomy

Splunk Enterprise is a flexible data analytics platform that enables users to quickly analyze and share discoveries about data. Splunk scales to meet your needs, from a single-instance sandbox for testing out ideas, to a fully distributed enterprise data center with advanced security, and anywhere in between.

Splunk Enterprise has three functional components: forwarders, indexers, and search heads.

If you have Splunk Cloud, you won't need to worry about the configuration of these components, but understanding what they do will help you as you search and optimize data with Splunk Cloud.

Each component is a Splunk instance configured with just the functional parts it needs to fulfill its role. A stand-alone Splunk deployment on a single server can host all Splunk functions in a single installation. A distributed Splunk deployment on multiple servers can have multiple indexers and search heads deployed, configured, and load balanced across multiple forwarders in multiple locations. Even geographically distributed deployments extend these three functional components.

How Splunk Enterprise optimizes data for search

Splunk Enterprise uses a simple, tiered data structure to ingest and organize your data for easy and efficient searching on its way through the Splunk data pipeline.

  • Forwarder performs data input: A forwarder is a Splunk component that forwards data to a Splunk indexer or another forwarder, or to a third-party system. Example data sources include applications, servers, databases, card readers, network components, and so on.
  • Indexer performs indexing: An indexer is a Splunk component that stores and indexes data, transforms raw data into events, and writes the results into an index that can later be searched. Splunk Enterprise makes it easy to self-manage your index settings.
  • Search head performs search: A search is a written request to retrieve data from an indexer. A search head is the component that handles search management functions, directs search requests to a set of search peers or indexers, then merges the results back to the user for easy visualization and analysis.

How to get acquainted with Splunk Enterprise

  • Identify your data sources: Create a list of those data sources in preparation for hosting Splunk forwarders. Splunk Cloud users can review Overview of getting data into Splunk Cloud in the Splunk Cloud User Manual. Splunk Enterprise users can review Get started with getting data in in the Getting Data In Manual.
  • Get acquainted with how to use Splunk software: Cloud users can review Getting started with Splunk Cloud in the Splunk Cloud User Manual. All users can review Get started with search in the Search Manual.
  • Learn more about Splunk Enterprise and Splunk Cloud: Splunk Cloud users can review Welcome to Splunk Cloud! in the Splunk Cloud User Manual. Splunk Enterprise users can review About Splunk Enterprise in the Splunk Enterprise Overview Manual.
  • Party with the Splunk Community. Splunk has a thriving community of enthusiasts from all over the world who share resources, solutions, and inspirations. You're invited! Pick up a few tips to get started with Splunk Community, then grab a headlamp and join the fun in the Splunk Community!
  • Learn more about forwarders. The following video has details about getting data in to Splunk Enterprise using a universal forwarder.

Getting Data In to Splunk Enterprise with Forwarders

View solution in original post

Splunk Employee
Splunk Employee

Added related video.

0 Karma