Deployment Architecture

Question - What is a "single-instance Splunk environment"?

Communicator

Hello Team,

I am trying to figure out if I have a "single-instance splunk environment" or something else. I read this phrase a few times in the manuals and am unclear as to what this means exactly. Figure 1 shows this phrase in an Enterprise installation. Does this mean that my Splunk architecture does not include a cluster or does this mean something else?

I think I am in a "single-instance Splunk environment" as I have one indexer and a few forwarders sending data to the indexer from remote computers. Is this correct? Or is this not a "single-instance Splunk environment" because I am using forwarders in addition to the Splunk Enterprise installation that is indexing the events from the forwarders?

Figure 1: Settings -> Add Data -> Forwarder

Thanks for reading this question.

Regards,

Your Rogue Carrot


SplunkTrust

Hi @rogue_carrot,

In single-instance deployments, one instance of Splunk Enterprise handles all aspects of processing data, from input through indexing to search. This is normally used when you have a small amount of data to input and process. So if your environment matches the information provided in http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Singleindexer , you are running a "single-instance Splunk environment".

The links below provide an overview of Splunk deployments for more clarity:

http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Deploymentcharacteristics
http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Distributedoverview#How_Splunk_Enterprise_s...


Esteemed Legend

This is more commonly called an All-in-One or AiO. It just means that all Splunk functions are occurring on the same box. This is fine for testing and labs but should never be the case in any production environment.


Communicator

I think there could be remote forwarders and this could still be a single instance. Is this incorrect? Thank you for the help with this.


Esteemed Legend

Yes, agreed


Communicator

Maybe having a remote forwarder does make the topography a distributed configuration. I just read this, "You can use a new source type in a distributed environment where you have forwarders consuming data and then sending the data to indexers." This quote seems to say that forwarders entail a distributed architecture. I read this sentence at the following URL: http://docs.splunk[dot]com/Documentation/Splunk/7.1.1/Data/Distributesourcetypeconfigurations


Esteemed Legend

What difference does it make what your thing is called? Build what you need.


Ultra Champion

-- I think I am in a "single-instance Splunk environment" as I have one indexer and a few forwarders sending data to the indexer from remote computers. Is this correct? Or is this not a "single-instance Splunk environment" because I am using forwarders in addition to the Splunk Enterprise installation that is indexing the events from the forwarders?

Keep in mind please that the forwarders are external in either the standalone set-up (single-instance/server) or the distributed scenario.


Communicator

external?


Ultra Champion

Right, external to the Splunk environment.


Communicator

I thought maybe having remote forwarders would make my architecture not a single-instance but apparently this is not the case. The hyperlink in your answer points out that having forwarders still makes the architecture a single instance, when the amount of forwarders is below 100 or something. 0_o
