Deployment Architecture

What does Splunk Indexer, Search Head and Forwarder log the first time it connects?

Path Finder


I have a Splunk (Enterprise) PROD system and I need to figure out the connectivity between the various components.

I have managed to figure out the components - 3 Search Heads + 6 indexers + many forwarders.
(Query used: | rest /services/server/info | dedup splunk_server,server_roles | table splunk_server,server_roles)

I do not have access to the conf files, limited access to REST services, and full access to _internal files.

Can you please tell me how to figure out the connectivity from the internal log files? Do each of the Splunk components log anything each time they connect?


Tags (1)
0 Karma

Esteemed Legend

Your best best bet is to use the Montoring Console features:

This will provide all of the capability and searches that you should need.

0 Karma

Esteemed Legend

Hi deepak02,
usually it's a Splunk best practice to send all Splunk servers internal logs to indexers so they are searchable (e.g. in the Splunk Monitoring Console you can monitor only Splunk components that send their internal logs to indexers).

In addition in the internal logs there are many useful information for your daily jobs (e.g. control of connected forwarders).

See for all the information you can have from internal logs.


0 Karma
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...