Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the difference between splunkagent and splunkforwarder?

sarnagar
Contributor
‎04-21-2015 11:59 PM

splunk and splunkforwarder

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎04-22-2015 12:12 AM

Hi sarnager,

according to docs http://docs.splunk.com/Special:SplunkSearch/docs?q=agent there is none:

Forwarders (Splunk agents) allow you to install a lightweight version of Splunk on any number of distributed sources to send data to a central Splunk indexer.

I think the difference is done by the people talking about forwarder; some call them agent and others call them forwarder
You can find no entry for agent in the Splexicon http://docs.splunk.com/Splexicon so if you use forwarder most Splunk users will understand you.

Hope that helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎04-22-2015 12:12 AM

Hi sarnager,

according to docs http://docs.splunk.com/Special:SplunkSearch/docs?q=agent there is none:

Forwarders (Splunk agents) allow you to install a lightweight version of Splunk on any number of distributed sources to send data to a central Splunk indexer.

I think the difference is done by the people talking about forwarder; some call them agent and others call them forwarder
You can find no entry for agent in the Splexicon http://docs.splunk.com/Splexicon so if you use forwarder most Splunk users will understand you.

Hope that helps ...

cheers, MuS

Reply
Solved! Jump to solution

sarnagar
Contributor
‎04-22-2015 12:26 AM

Hi MuS and jeffland,Thankyou for the response.
For ex: When I run the splunk status command on a server on which splunk is installed I get two diffrent PID.
/opt/splunk/bin/splunk status - gives a diffrent PID
and
/opt/splunkforwarder/bin/splunk status - gives a diffrent PID. Whts the diffrenece between these two processes giving diffrent PID?

what does this "/opt/splunk/bin/splunk status " refer to?

0 Karma
Reply
Solved! Jump to solution

sarnagar
Contributor
‎04-22-2015 12:40 AM

Okay...So what is the need of "/opt/splunk/bin/splunk status -Splunk indexer/Web UI instance" on the server?

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎04-22-2015 12:44 AM

I think you should start here http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Aboutindexesandindexers

and here http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Aboutforwardingandreceivingdata

to get an idea what an indexer is and for what it is needed. The second link is for the forwarder.

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-22-2015 12:36 AM

I'm not sure why you would want such a setup, as your full splunk install can do whatever the forwarder can, and it's more complicated to configure this way.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎04-22-2015 12:34 AM

/opt/splunk/bin/splunk status is your Splunk indexer/Web UI instance and /opt/splunkforwarder/bin/splunk status is your Splunk forwarder which usually reads logs on remote servers and sends it to the Splunk indexer.

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-22-2015 12:09 AM

A forwarder does not index your data, it only "collects" it and then sends ("forwards") it to an indexer. Other than forwarders, important splunk roles are indexers and search heads. See here for example.
I'm not sure what a splunk agent is. Where did you come across that?

0 Karma
Reply
Solved! Jump to solution

sarnagar
Contributor
‎04-22-2015 12:32 AM

Hi MuS and jeffland,Thankyou for the response.
For ex: When I run the splunk status command on a server on which splunk is installed I get two diffrent PID.
/opt/splunk/bin/splunk status - gives a diffrent PID
and
/opt/splunkforwarder/bin/splunk status - gives a diffrent PID. Whts the diffrenece between these two processes giving diffrent PID?

what does this "/opt/splunk/bin/splunk status " refer to?

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...