Dashboards & Visualizations

How to properly document (diagram) a splunk enviroment

avalle
Path Finder

I have an all in one Splunk environment (indexers, master, deployment all run on the same server) how do i document the set up in a diagram. What is the best way and what configuration files have the information. My current Splunk environment has all independent servers therefore I am not sure how an all in one works.

0 Karma
1 Solution

skoelpin
SplunkTrust
SplunkTrust

If you have a standalone server, then you should only have a single indexer with no master node..

As for the diagram, you should have a single box with the indexer/SH/DS icon next to it which would indicate a standalone Splunk server. You should then have a few servers representing your forwarders sending info to that standalone server. When you scale out your Splunk environment, you can simply add more boxes and move your labeling from the standalone to the new boxes

View solution in original post

0 Karma

ddrillic
Ultra Champion

I ended up downloading the visio from Diagram of Splunk Common Network Ports

Then I built my own diagrams - gorgeous work by @rob_jordan.

skoelpin
SplunkTrust
SplunkTrust

If you have a standalone server, then you should only have a single indexer with no master node..

As for the diagram, you should have a single box with the indexer/SH/DS icon next to it which would indicate a standalone Splunk server. You should then have a few servers representing your forwarders sending info to that standalone server. When you scale out your Splunk environment, you can simply add more boxes and move your labeling from the standalone to the new boxes

0 Karma

avalle
Path Finder

Thank you! Right now I can't change the way the environment is set up I need to document the current set up in order to move forward with changing the environment. You may be right the server may not be a master node. I know it is not clustered and I am used to a clustered environment which mine has been for years. I guess I am having a problem understanding how the logs move through one environment. The UF send to the Indexers and they send it to the SH in the same IP? I guess different ports?

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Did this answer your question? If so, can you accept it?

0 Karma

avalle
Path Finder

Yes thank you! I have accepted! I am still waiting to get access to the environment to confirm the set up.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

The forwarders will send the data to the indexer(s) on port 9997 by default. The data will then live on the indexers and when a user/scheduled search kicks off on the searchhead, it will then query the indexers via the management port 8089.

The management port is used often throughout Splunk and is also the port the deployment server uses. When you start clustering, the indexers will use port 8080 to talk to each other and when accessing the search head, you will use port 8000.

To sum this up, you are not sending data to the search head. The forwarders send it to the indexers and the search heads will then query the indexers. Each server will have its own IP address, so if you had a single search head and a single indexer, you would logon to the Splunk GUI by going to the searchhead_IP:8000 which would then query the indexer for data.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...