Deployment Architecture

Splunk Architecture in own words

palisetty

Hello,
Now that I am done with the exam, I want to explain the Splunk Architecture in my own understanding. Kindly correct me if possible.

Step 1: Machine data is generated (suppose from a company A).
Step 2: Splunk forwarder which is installed on A's web server gets the data.
Step 3: Heavy forwarder parses the data and masks the data as needed.
Step 4: The data is sent to Universal forwarder.
Step 5: Universal Forwarder forwards the data to Indexer.
Step 6: Indexer indexes the data, transforms raw data into events and stores the data into the Index.
Step 7: When any user enters a search string on the search head, it distributes the data to the Indexer. The Indexer returns the result to the search head, where it enhances the result and displays it to the user.
Step 8: User may use this data for statistics and visualization purposes.


gcusello
SplunkTrust

Hi @palisetty,
there are some errors:
Step 1: Machine data is generated by a system (external to Splunk).
Step 2: Splunk Universal Forwarder (which is installed on the system) gets the data.
Step 3: Universal Forwarder forwards the data to the Indexers or (when present) to Heavy Forwarders.
Step 4.1: Heavy Forwarders (when present) parse the data, transform raw data into events and eventually mask the data as needed.
Step 4.2: Indexers (when Heavy Forwarders are not present) parse the data, transform raw data into events and eventually mask the data as needed.
Step 5: Indexer indexes the data and stores the data into the Index.
Step 6: When any user runs a search on the search head, it distributes the request to the Indexers that return the results to the Search Head, where it eventually enhances the results (using lookups) and displays them to the user.
Step 7: User may use this data for the uses he wants.

You can find more information at:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Deploy/Componentsofadistributedenvironment
https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Howindexingworks

Ciao.
Giuseppe
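The pipeline in the accepted answer (Universal Forwarder -> Heavy Forwarder -> Indexer) maps onto a handful of Splunk .conf files. The following is an added example written for this page, not configuration taken from the thread or from Splunk's documentation; the host names (hf01, idx01, idx02), the log path, the `nginx:access` sourcetype and the `web` index are assumptions chosen for illustration. The security-relevant point it shows is where masking lives: the Universal Forwarder only collects and forwards, so `SEDCMD`/`TRANSFORMS` rules placed on it are not applied (the one exception is structured-data inputs using `INDEXED_EXTRACTIONS`, which the UF parses itself). Masking has to sit on the first instance that runs the parsing pipeline: the Heavy Forwarder in step 4.1, or the Indexer itself in step 4.2 when no Heavy Forwarder is present. Once an event reaches the index it is stored as-is, and a Heavy Forwarder marks what it has parsed as already "cooked", so the Indexers do not re-parse it.

```ini
# ============================================================
# Universal Forwarder on the monitored system (steps 2 and 3)
# ============================================================

# $SPLUNK_HOME/etc/system/local/inputs.conf
# Path and sourcetype are assumed for this example.
[monitor:///var/log/nginx/access.log]
sourcetype = nginx:access
index = web

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Ship raw data to the Heavy Forwarder (host name assumed).
[tcpout]
defaultGroup = hf_group

[tcpout:hf_group]
server = hf01.example.internal:9997
# Indexer acknowledgement: the UF keeps data until the receiver confirms it.
useACK = true
# TLS to the receiver; the certificate path is an assumption.
clientCert = $SPLUNK_HOME/etc/auth/uf_client.pem
sslVerifyServerCert = true

# ============================================================
# Heavy Forwarder (step 4.1). If there is no Heavy Forwarder,
# the same props.conf / transforms.conf go on the Indexers
# instead (step 4.2); putting them on the UF has no effect.
# ============================================================

# $SPLUNK_HOME/etc/system/local/props.conf
[nginx:access]
# Mask the middle six digits of a 16-digit card-like number in the raw
# event before it is indexed. Runs in the parsing pipeline, so the
# unmasked value never reaches disk on the Indexer.
SEDCMD-mask_cardnumber = s/\b(\d{6})\d{6}(\d{4})\b/\1******\2/g
# Route matching events to the null queue instead of indexing them.
TRANSFORMS-drop_healthchecks = drop_healthcheck

# $SPLUNK_HOME/etc/system/local/transforms.conf
[drop_healthcheck]
# Drop load-balancer health probes (path assumed) to keep noise out of the index.
REGEX = "GET /healthz
DEST_KEY = queue
FORMAT = nullQueue

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Forward the parsed (cooked) events on to the Indexers (step 5).
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx01.example.internal:9997, idx02.example.internal:9997
useACK = true
```

To verify the placement, index a constructed test line containing a 16-digit number and search it from the Search Head (step 6): the stored `_raw` should already show the masked form. If the unmasked digits appear, the masking rule is on a tier that does not parse the data (typically the UF, or the Indexer when a Heavy Forwarder upstream has already cooked it).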

