Deployment Architecture

How do I see what Splunk components are in my environment?


Good Morning Everyone!


I am trying to see what components are in my Splunk environment. I just inherited a system with Splunk on it, and as far as I know I am on a management server and I am accessing a Splunk web client, which I presume is the search head... (that's one component down... I think).

I understand Splunk Enterprise needs a forwarder... and an indexer and a search head to function correctly... but without knowing what components I have inherited, I am not really sure that it is working.


Also, I have done some initial research on a message I received upon barely logging in: "The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch on an indexer..."


A) My research has shown me that it's possible Splunk is forwarding to itself.

B) I can remedy the error by editing the .conf file responsible for setting the min. quota.

C) Assess the storage available and allocate more space to said directory.


Knowing the above options... what do you think is best in my scenario? Again, I am super new to this environment.


0 Karma



A Splunk instance can be configured as a standalone deployment or as part of a clustered component. A standalone deployment basically combines all of the components into a single instance, where you can index incoming data and search it while the instance also acts as License Master and monitoring console. There is a possibility that your particular instance might be either standalone or part of an indexer, because normally other Splunk components are less likely to get alerts on free space. I would probably begin by checking your host's disk utilization and checking $SPLUNK_HOME/etc/system/local/server.conf to get any hint of this deployment. If you have a [clustering] stanza defined inside your server.conf file, there is a high chance that there may be other Splunk components residing in your environment.

You can also use Splunk cmd btool to check the configuration, which should help you find out the topology of the deployment.

0 Karma
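One way to script the two checks suggested in the reply above, as an added example rather than code from the thread or from Splunk: it reads the text of a single server.conf, reports the [clustering] mode, and compares free space against [diskUsage] minFreeSpace. The sample file contents, the function names and the 5000 MB fallback (taken from the error message in the question) are assumptions, and settings layered in from other configuration directories are not seen by this parser.

```python
import re
import shutil

# Constructed sample, not taken from the thread or from a real host.
SAMPLE = """\
[general]
serverName = idx01.example.test

[clustering]
mode = peer
manager_uri = https://cm.example.test:8089

[diskUsage]
minFreeSpace = 5000
"""

ROLES = {"master": "cluster manager", "manager": "cluster manager",
         "slave": "indexer cluster peer", "peer": "indexer cluster peer",
         "searchhead": "search head in an indexer cluster"}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; a repeated key keeps its last value."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def cluster_role(stanzas):
    """Role hint from [clustering] in this one file only."""
    mode = stanzas.get("clustering", {}).get("mode", "disabled").lower()
    if mode == "disabled":
        return "no clustering in this file"
    return ROLES.get(mode, "unrecognized mode: " + mode)

def free_space_ok(free_mb, stanzas, fallback_mb=5000):
    """Compare free MB with [diskUsage] minFreeSpace (assumed to be a plain MB number)."""
    min_free = int(stanzas.get("diskUsage", {}).get("minFreeSpace", fallback_mb))
    return free_mb >= min_free, min_free

if __name__ == "__main__":
    conf = parse_conf(SAMPLE)  # on a host: read $SPLUNK_HOME/etc/system/local/server.conf instead
    free_mb = shutil.disk_usage("/").free // (1024 * 1024)  # use the dispatch path on a real host
    print(cluster_role(conf), free_space_ok(free_mb, conf))
```

A result of "no clustering in this file" does not prove the instance is standalone, since the stanza may be set in another configuration layer.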



This is a good starting point for new admins with a new installation. Following it gives you an easy way to figure out what you have in your environment.

Your 2nd question: this means that you have run out of disk space on the indexer and you need to get more space or update your retention to get more space.

a) Splunk always stores its internal logs in its internal indexes (_<something>).

b) It will come back after some time, and finally, when you have run out of disk space, your environment won't work anymore.

c) Add more space for Splunk and/or check retentions.

r. Ismo
