Deployment Architecture

What is the difference between splunkagent and splunkforwarder?

sarnagar
Contributor

splunk and splunkforwarder

Tags (2)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi sarnager,

according to docs http://docs.splunk.com/Special:SplunkSearch/docs?q=agent there is none:

Forwarders (Splunk agents) allow you to install a lightweight version of Splunk on any number of distributed sources to send data to a central Splunk indexer.

I think the difference is done by the people talking about forwarder; some call them agent and others call them forwarder
You can find no entry for agent in the Splexicon http://docs.splunk.com/Splexicon so if you use forwarder most Splunk users will understand you.

Hope that helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi sarnager,

according to docs http://docs.splunk.com/Special:SplunkSearch/docs?q=agent there is none:

Forwarders (Splunk agents) allow you to install a lightweight version of Splunk on any number of distributed sources to send data to a central Splunk indexer.

I think the difference is done by the people talking about forwarder; some call them agent and others call them forwarder
You can find no entry for agent in the Splexicon http://docs.splunk.com/Splexicon so if you use forwarder most Splunk users will understand you.

Hope that helps ...

cheers, MuS

sarnagar
Contributor

Hi MuS and jeffland,Thankyou for the response.
For ex: When I run the splunk status command on a server on which splunk is installed I get two diffrent PID.
/opt/splunk/bin/splunk status - gives a diffrent PID
and
/opt/splunkforwarder/bin/splunk status - gives a diffrent PID. Whts the diffrenece between these two processes giving diffrent PID?

what does this "/opt/splunk/bin/splunk status " refer to?

0 Karma

sarnagar
Contributor

Okay...So what is the need of "/opt/splunk/bin/splunk status -Splunk indexer/Web UI instance" on the server?

0 Karma

MuS
SplunkTrust
SplunkTrust

I think you should start here http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Aboutindexesandindexers

and here http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Aboutforwardingandreceivingdata

to get an idea what an indexer is and for what it is needed. The second link is for the forwarder.

0 Karma

jeffland
SplunkTrust
SplunkTrust

I'm not sure why you would want such a setup, as your full splunk install can do whatever the forwarder can, and it's more complicated to configure this way.

0 Karma

MuS
SplunkTrust
SplunkTrust

/opt/splunk/bin/splunk status is your Splunk indexer/Web UI instance and /opt/splunkforwarder/bin/splunk status is your Splunk forwarder which usually reads logs on remote servers and sends it to the Splunk indexer.

0 Karma

jeffland
SplunkTrust
SplunkTrust

A forwarder does not index your data, it only "collects" it and then sends ("forwards") it to an indexer. Other than forwarders, important splunk roles are indexers and search heads. See here for example.
I'm not sure what a splunk agent is. Where did you come across that?

0 Karma

sarnagar
Contributor

Hi MuS and jeffland,Thankyou for the response.
For ex: When I run the splunk status command on a server on which splunk is installed I get two diffrent PID.
/opt/splunk/bin/splunk status - gives a diffrent PID
and
/opt/splunkforwarder/bin/splunk status - gives a diffrent PID. Whts the diffrenece between these two processes giving diffrent PID?

what does this "/opt/splunk/bin/splunk status " refer to?

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...