Deployment Architecture

Splunk Architecture in own words

palisetty
Communicator

Hello,
Now that I am done with the exam, I want to explain the Splunk architecture, element by element, in my own understanding. Kindly correct me if possible.

Step 1: Machine data is generated (suppose from a company A).
Step 2: Splunk forwarder which is installed on A's web server gets the data.
Step 3: Heavy forwarder parses the data and masks the data as needed.
Step 4: The data is sent to Universal forwarder.
Step 5: Universal Forwarder forwards the data to Indexer.
Step 6: Indexer indexes the data, transforms raw data into events and stores the data into the Index.
Step 7: When any user enters a search string on the search head, it distributes the data to the Indexer. The Indexer returns the result to the search head, which enhances the result and displays it to the user.
Step 8: The user may use this data for statistics and visualization.

1 Solution

gcusello
Esteemed Legend

Hi @palisetty,
there are some errors:
Step 1: Machine data is generated by a system (external to Splunk).
Step 2: Splunk Universal Forwarder (which is installed on the system) gets the data.
Step 3: Universal Forwarder forwards the data to Indexer or (when present) to Heavy Forwarders.
Step 4.1: Heavy Forwarders (when present) parse the data, transform raw data into events and eventually mask the data as needed.
Step 4.2: Indexers (when Heavy Forwarders are not present) parse the data, transform raw data into events and eventually mask the data as needed.
Step 5: Indexer indexes the data and stores the data into the Index.
Step 6: When any user runs a search on the search head, it distributes the request to the Indexers that return the results to the Search Head where it eventually enhances the result (using lookups) and displays them to the user.
Step 7: User may use this data for the uses they want.

You can find more info at:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Deploy/Componentsofadistributedenvironment
https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Howindexingworks

Ciao.
Giuseppe

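A worked configuration that follows the corrected pipeline in the accepted answer (Universal Forwarder -> Heavy Forwarder -> Indexer -> Search Head), added here as an illustration; it is not part of either post and is not copied from the Splunk docs. The hostnames, certificate paths, the `web` index, the nginx access log and the card-number masking pattern are assumptions made for the example. Each group of stanzas is labelled with the .conf file it would live in on that tier:

```ini
# ----- Universal Forwarder (on the monitored system): inputs.conf -----
# Step 2: the UF reads the file as an uncooked stream; it does not parse events.
# Assumed path and index name.
[monitor:///var/log/nginx/access.log]
sourcetype = access_combined
index = web
disabled = false

# ----- Universal Forwarder: outputs.conf -----
# Step 3: forward to the Heavy Forwarders over TLS with mutual authentication,
# so a forwarder cannot be pointed at a rogue receiver and the receiver only
# accepts known hosts. Hostnames and certificate paths are assumed.
[tcpout]
defaultGroup = heavy_forwarders

[tcpout:heavy_forwarders]
server = hf1.example.com:9997, hf2.example.com:9997
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
clientCert = $SPLUNK_HOME/etc/auth/uf_client.pem
sslVerifyServerCert = true
useACK = true

# ----- Heavy Forwarder: inputs.conf -----
# TLS receiver; require a client certificate so only enrolled forwarders can send.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/hf_server.pem
requireClientCert = true

# ----- Heavy Forwarder: props.conf -----
# Step 4.1: parsing happens here, so masking must also happen here. The SEDCMD
# rewrites a 16-digit card number (assumed format) before the event is cooked;
# the TRANSFORMS drops health-check noise by routing it to the null queue.
[access_combined]
SEDCMD-mask_card = s/\b(\d{4})-\d{4}-\d{4}-(\d{4})\b/\1-XXXX-XXXX-\2/g
TRANSFORMS-drop_health = drop_healthchecks

# ----- Heavy Forwarder: transforms.conf -----
[drop_healthchecks]
REGEX = "GET /healthz HTTP
DEST_KEY = queue
FORMAT = nullQueue

# ----- Heavy Forwarder: outputs.conf -----
# Cooked, masked events go on to the indexers (Step 5). Hostnames assumed.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.com:9997, idx2.example.com:9997
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
clientCert = $SPLUNK_HOME/etc/auth/hf_client.pem
sslVerifyServerCert = true

# ----- Indexer: indexes.conf -----
# Step 5: the index named by the UF must exist here, otherwise the events are
# not stored where the search expects them. Retention (one year) is assumed.
[web]
homePath   = $SPLUNK_DB/web/db
coldPath   = $SPLUNK_DB/web/colddb
thawedPath = $SPLUNK_DB/web/thaweddb
frozenTimePeriodInSecs = 31536000

# ----- Search Head: distsearch.conf -----
# Step 6: the search head fans a search out to these indexers over the
# management port and merges what they return. Hostnames assumed.
[distributedSearch]
servers = https://idx1.example.com:8089, https://idx2.example.com:8089
```

Two checks worth doing after deploying this. First, data that has already been parsed by a Heavy Forwarder arrives at the indexer cooked, so a SEDCMD or TRANSFORMS placed on the indexer has no effect on that stream; if there is no Heavy Forwarder in the path (Step 4.2), move the props.conf and transforms.conf stanzas to the indexers instead. Second, confirm the effective settings on the tier that parses with `splunk btool props list access_combined --debug`, which shows which file each setting came from, and then search `index=web` on the search head to verify that the masked field never reaches the index in clear.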

