Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Question - What is a "single-instance Splunk environment"?

rogue_carrot
Communicator
‎07-03-2018 04:13 PM

Hello Team,

I am trying to figure out if I have a "single-instance splunk environment" or something else. I read this phrase a few times in the manuals and am unclear as to what this means exactly. Figure 1 shows this phrase in an Enterprise installation. Does this mean that my Splunk architecture does not include a cluster or does this mean something else?

I think I am in a "single-instance Splunk environment" as I have one indexer and a few forwarders sending data to the indexer from remote computers. Is this correct? Or is this not a "single-instance Splunk environment" because I am using forwarders in addition to the Splunk Enterprise installation that is indexing the events from the forwarders?

What exactly is a single-instance Splunk environment
Figure 1: Settings -> Add Data -> Forwarder

Thanks for reading this question.

Regards,

Your Rogue Carrot

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-03-2018 07:25 PM

Hi @rogue_carrot,

In single-instance deployments, one instance of Splunk Enterprise handles all aspects of processing data, from input through indexing to search. This is normally used when you have small amount of data to input and process. So if your environment matching to the information provided in http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Singleindexer , you are running a "single-instance splunk environment"

Below links provides an overview of splunk deployments for more clarity

http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Deploymentcharacteristics
http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Distributedoverview#How_Splunk_Enterprise_s...

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-04-2018 06:02 PM

This is more commonly called an All-in-One or AiO. It just means that all Splunk functions are occurring on the same box. This is fine for testing and labs but should never be the case in any production environment.

0 Karma
Reply
Solved! Jump to solution

rogue_carrot
Communicator
‎07-05-2018 09:56 AM

I think there could be remote forwarders and this could still be a single instance. Is this incorrect? Thank-you for the help with this.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-05-2018 01:17 PM

Yes, agreed

0 Karma
Reply
Solved! Jump to solution

rogue_carrot
Communicator
‎07-05-2018 10:55 AM

Maybe having a remote forwarder does make the topography a distributed configuration. I just read this, "You can use a new source type in a distributed environment where you have forwarders consuming data and then sending the data to indexers." This quote seems to say that forwarders entail a distributed architecture. I read this sentence at the following URL: http://docs.splunk[dot]com/Documentation/Splunk/7.1.1/Data/Distributesourcetypeconfigurations

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-05-2018 01:19 PM

What difference does it make what your thing is called? Build what you need.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-04-2018 04:54 PM

-- I think I am in a "single-instance Splunk environment" as I have one indexer and a few forwarders sending data to the indexer from remote computers. Is this correct? Or is this not a "single-instance Splunk environment" because I am using forwarders in addition to the Splunk Enterprise installation that is indexing the events from the forwarders?

Keep in mind please that the forwarders are external in either the standalone set-up (single-instance/server) or the distributed scenario.

0 Karma
Reply
Solved! Jump to solution

rogue_carrot
Communicator
‎07-05-2018 10:53 AM

external?

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-05-2018 11:24 AM

Right, external to the Splunk environment.

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-03-2018 07:25 PM

Hi @rogue_carrot,

In single-instance deployments, one instance of Splunk Enterprise handles all aspects of processing data, from input through indexing to search. This is normally used when you have small amount of data to input and process. So if your environment matching to the information provided in http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Singleindexer , you are running a "single-instance splunk environment"

Below links provides an overview of splunk deployments for more clarity

http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Deploymentcharacteristics
http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Distributedoverview#How_Splunk_Enterprise_s...

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

rogue_carrot
Communicator
‎07-05-2018 09:55 AM

I thought maybe having remote forwarders would make my architecture not a single-instance but apparently this is not the case. The hyperlink in your answer points out that having forwarders still makes the architecture a single instance, when the amount of forwarders is below 100 or something. 0_o

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top