Deployment Architecture

Question - What is a "single-instance Splunk environment"?

rogue_carrot
Communicator

Hello Team,

I am trying to figure out if I have a "single-instance Splunk environment" or something else. I read this phrase a few times in the manuals and am unclear as to what this means exactly. Figure 1 shows this phrase in an Enterprise installation. Does this mean that my Splunk architecture does not include a cluster, or does this mean something else?

I think I am in a "single-instance Splunk environment" as I have one indexer and a few forwarders sending data to the indexer from remote computers. Is this correct? Or is this not a "single-instance Splunk environment" because I am using forwarders in addition to the Splunk Enterprise installation that is indexing the events from the forwarders?

What exactly is a single-instance Splunk environment
Figure 1: Settings -> Add Data -> Forwarder

Thanks for reading this question.

Regards,

Your Rogue Carrot

0 Karma
1 Solution

renjith_nair
SplunkTrust

Hi @rogue_carrot,

In single-instance deployments, one instance of Splunk Enterprise handles all aspects of processing data, from input through indexing to search. This is normally used when you have a small amount of data to input and process. So if your environment matches the information provided in http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Singleindexer , you are running a "single-instance Splunk environment".

The links below provide an overview of Splunk deployments for more clarity:

http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Deploymentcharacteristics
http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Distributedoverview#How_Splunk_Enterprise_s...

Happy Splunking!


woodcock
Esteemed Legend

This is more commonly called an All-in-One or AiO. It just means that all Splunk functions are occurring on the same box. This is fine for testing and labs but should never be the case in any production environment.

0 Karma

rogue_carrot
Communicator

I think there could be remote forwarders and this could still be a single instance. Is this incorrect? Thank you for the help with this.

0 Karma

woodcock
Esteemed Legend

Yes, agreed

0 Karma

rogue_carrot
Communicator

Maybe having a remote forwarder does make the topography a distributed configuration. I just read this, "You can use a new source type in a distributed environment where you have forwarders consuming data and then sending the data to indexers." This quote seems to say that forwarders entail a distributed architecture. I read this sentence at the following URL: http://docs.splunk[dot]com/Documentation/Splunk/7.1.1/Data/Distributesourcetypeconfigurations

0 Karma

woodcock
Esteemed Legend

What difference does it make what your thing is called? Build what you need.

0 Karma

ddrillic
Ultra Champion

-- I think I am in a "single-instance Splunk environment" as I have one indexer and a few forwarders sending data to the indexer from remote computers. Is this correct? Or is this not a "single-instance Splunk environment" because I am using forwarders in addition to the Splunk Enterprise installation that is indexing the events from the forwarders?

Keep in mind please that the forwarders are external in either the standalone set-up (single-instance/server) or the distributed scenario.

0 Karma

rogue_carrot
Communicator

external?

0 Karma

ddrillic
Ultra Champion

Right, external to the Splunk environment.

0 Karma

rogue_carrot
Communicator

I thought maybe having remote forwarders would make my architecture not a single-instance, but apparently this is not the case. The hyperlink in your answer points out that having forwarders still makes the architecture a single instance, when the number of forwarders is below 100 or something. 0_o

0 Karma