Deployment Architecture

Splunk Architecture in own words

palisetty
Communicator

Hello,
Now that I am done with the exam, I want to explain the Splunk architecture in my own understanding. Kindly correct me if possible.

Step 1: Machine data is generated (suppose from a company A).
Step 2: Splunk forwarder which is installed on A's web server gets the data.
Step 3: Heavy forwarder parses the data and masks the data as needed.
Step 4: The data is sent to Universal forwarder.
Step 5: Universal Forwarder forwards the data to Indexer.
Step 6: Indexer indexes the data, transforms raw data into events and stores the data into the Index.
Step 7: When any user enters a search string on the search head, it distributes the data to the Indexer. The Indexer returns the result to the search head, where it enhances the result and displays it to the user.
Step 8: User may use this data from a statistics and visualization perspective.


gcusello
SplunkTrust

Hi @palisetty,
there are some errors:
Step 1: Machine data is generated by a system (external to Splunk).
Step 2: Splunk Universal Forwarder (which is installed on the system) gets the data.
Step 3: Universal Forwarder forwards the data to Indexer or (when present) to Heavy Forwarders.
Step 4.1: Heavy Forwarders (when present) parse the data, transform raw data into events and eventually mask the data as needed.
Step 4.2: Indexers (when Heavy Forwarders are not present) parse the data, transform raw data into events and eventually mask the data as needed.
Step 5: Indexer indexes the data and stores the data into the Index.
Step 6: When any user runs a search on the search head, it distributes the request to the Indexers that return the results to the Search Head where it eventually enhances the result (using lookups) and displays them to the user.
Step 7: User may use this data for the uses he wants.

You can find info at:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Deploy/Componentsofadistributedenvironment
https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Howindexingworks

Ciao.
Giuseppe
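The masking that the answer above places on the parsing tier (step 4.1 or 4.2) is configured in props.conf on the heavy forwarder, or on the indexer when no heavy forwarder is in front of it; a universal forwarder does not parse events, so the same stanza deployed there has no effect. This is an added illustration, not configuration from the thread or from Splunk's documentation; the sourcetype name web_access and the field patterns are assumed for the example.

```ini
# props.conf on the parsing tier (heavy forwarder, or the indexer when no
# heavy forwarder sits between the universal forwarder and the indexer).
# The universal forwarder only collects and forwards raw data, so SEDCMD
# stanzas placed there are never applied.
# "web_access" is an assumed sourcetype name for this example.
[web_access]
# Mask the middle eight digits of 16-digit card-like numbers before the
# event is written to the index; \1 and \2 are the kept leading/trailing groups.
SEDCMD-mask_card = s/\b(\d{4})\d{8}(\d{4})\b/\1XXXXXXXX\2/g
# Replace the value of a bearer token so the secret never reaches disk.
SEDCMD-mask_token = s/(Authorization: Bearer )\S+/\1[REDACTED]/g
```

Because SEDCMD rewrites _raw before indexing, the original values are not recoverable from Splunk afterwards, so verify the regexes against sample events on a test index before enabling them in production.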
