
Question - What is a "single-instance Splunk environment"?

Communicator

Hello Team,

I am trying to figure out if I have a "single-instance splunk environment" or something else. I read this phrase a few times in the manuals and am unclear as to what this means exactly. Figure 1 shows this phrase in an Enterprise installation. Does this mean that my Splunk architecture does not include a cluster or does this mean something else?

I think I am in a "single-instance Splunk environment" as I have one indexer and a few forwarders sending data to the indexer from remote computers. Is this correct? Or is this not a "single-instance Splunk environment" because I am using forwarders in addition to the Splunk Enterprise installation that is indexing the events from the forwarders?

What exactly is a single-instance Splunk environment
Figure 1: Settings -> Add Data -> Forwarder

Thanks for reading this question.

Regards,

Your Rogue Carrot

0 Karma

Re: Question - What is a "single-instance Splunk environment"?

SplunkTrust

Hi @rogue_carrot,

In single-instance deployments, one instance of Splunk Enterprise handles all aspects of processing data, from input through indexing to search. This is normally used when you have a small amount of data to input and process. So if your environment matches the information provided in http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Singleindexer , you are running a "single-instance splunk environment".

The links below provide an overview of Splunk deployments for more clarity:

http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Deploymentcharacteristics
http://docs.splunk.com/Documentation/Splunk/7.1.1/Deploy/Distributedoverview#How_Splunk_Enterprise_s...


Re: Question - What is a "single-instance Splunk environment"?

Communicator

I thought maybe having remote forwarders would make my architecture not a single-instance but apparently this is not the case. The hyperlink in your answer points out that having forwarders still makes the architecture a single instance, when the amount of forwarders is below 100 or something. 0_o

0 Karma

Re: Question - What is a "single-instance Splunk environment"?

Ultra Champion

-- I think I am in a "single-instance Splunk environment" as I have one indexer and a few forwarders sending data to the indexer from remote computers. Is this correct? Or is this not a "single-instance Splunk environment" because I am using forwarders in addition to the Splunk Enterprise installation that is indexing the events from the forwarders?

Keep in mind please that the forwarders are external in either the standalone set-up (single-instance/server) or the distributed scenario.

0 Karma

Re: Question - What is a "single-instance Splunk environment"?

Communicator

external?

0 Karma

Re: Question - What is a "single-instance Splunk environment"?

Ultra Champion

Right, external to the Splunk environment.

0 Karma

Re: Question - What is a "single-instance Splunk environment"?

Esteemed Legend

This is more commonly called an All-in-One or AiO. It just means that all Splunk functions are occurring on the same box. This is fine for testing and labs but should never be the case in any production environment.

0 Karma

Re: Question - What is a "single-instance Splunk environment"?

Communicator

I think there could be remote forwarders and this could still be a single instance. Is this incorrect? Thank you for the help with this.

0 Karma

Re: Question - What is a "single-instance Splunk environment"?

Communicator

Maybe having a remote forwarder does make the topography a distributed configuration. I just read this, "You can use a new source type in a distributed environment where you have forwarders consuming data and then sending the data to indexers." This quote seems to say that forwarders entail a distributed architecture. I read this sentence at the following URL: http://docs.splunk[dot]com/Documentation/Splunk/7.1.1/Data/Distributesourcetypeconfigurations

0 Karma

Re: Question - What is a "single-instance Splunk environment"?

Esteemed Legend

What difference does it make what your thing is called? Build what you need.

0 Karma