Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Question - What is a "single-instance Splunk environment"?

rogue_carrot
Communicator
‎07-03-2018 04:13 PM

Hello Team,

I am trying to figure out if I have a "single-instance splunk environment" or something else. I read this phrase a few times in the manuals and am unclear as to what this means exactly. Figure 1 shows this phrase in an Enterprise installation. Does this mean that my Splunk architecture does not include a cluster or does this mean something else?

I think I am in a "single-instance Splunk environment" as I have one indexer and a few forwarders sending data to the indexer from remote computers. Is this correct? Or is this not a "single-instance Splunk environment" because I am using forwarders in addition to the Splunk Enterprise installation that is indexing the events from the forwarders?

What exactly is a single-instance Splunk environment
Figure 1: Settings -> Add Data -> Forwarder

Thanks for reading this question.

Regards,

Your Rogue Carrot

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-03-2018 07:25 PM

Hi @rogue_carrot,

In single-instance deployments, one instance of Splunk Enterprise handles all aspects of processing data, from input through indexing to search. This is normally used when you have small amount of data to input and process. So if your environment matching to the information provided in http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Singleindexer , you are running a "single-instance splunk environment"

Below links provides an overview of splunk deployments for more clarity

http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Deploymentcharacteristics
http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Distributedoverview#How_Splunk_Enterprise_s...

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-04-2018 06:02 PM

This is more commonly called an All-in-One or AiO. It just means that all Splunk functions are occurring on the same box. This is fine for testing and labs but should never be the case in any production environment.

0 Karma
Reply
Solved! Jump to solution

rogue_carrot
Communicator
‎07-05-2018 09:56 AM

I think there could be remote forwarders and this could still be a single instance. Is this incorrect? Thank-you for the help with this.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-05-2018 01:17 PM

Yes, agreed

0 Karma
Reply
Solved! Jump to solution

rogue_carrot
Communicator
‎07-05-2018 10:55 AM

Maybe having a remote forwarder does make the topography a distributed configuration. I just read this, "You can use a new source type in a distributed environment where you have forwarders consuming data and then sending the data to indexers." This quote seems to say that forwarders entail a distributed architecture. I read this sentence at the following URL: http://docs.splunk[dot]com/Documentation/Splunk/7.1.1/Data/Distributesourcetypeconfigurations

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-05-2018 01:19 PM

What difference does it make what your thing is called? Build what you need.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-04-2018 04:54 PM

-- I think I am in a "single-instance Splunk environment" as I have one indexer and a few forwarders sending data to the indexer from remote computers. Is this correct? Or is this not a "single-instance Splunk environment" because I am using forwarders in addition to the Splunk Enterprise installation that is indexing the events from the forwarders?

Keep in mind please that the forwarders are external in either the standalone set-up (single-instance/server) or the distributed scenario.

0 Karma
Reply
Solved! Jump to solution

rogue_carrot
Communicator
‎07-05-2018 10:53 AM

external?

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-05-2018 11:24 AM

Right, external to the Splunk environment.

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-03-2018 07:25 PM

Hi @rogue_carrot,

In single-instance deployments, one instance of Splunk Enterprise handles all aspects of processing data, from input through indexing to search. This is normally used when you have small amount of data to input and process. So if your environment matching to the information provided in http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Singleindexer , you are running a "single-instance splunk environment"

Below links provides an overview of splunk deployments for more clarity

http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Deploymentcharacteristics
http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Distributedoverview#How_Splunk_Enterprise_s...

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

rogue_carrot
Communicator
‎07-05-2018 09:55 AM

I thought maybe having remote forwarders would make my architecture not a single-instance but apparently this is not the case. The hyperlink in your answer points out that having forwarders still makes the architecture a single instance, when the amount of forwarders is below 100 or something. 0_o

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...