Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Installation.

VijayA
Explorer
‎04-11-2023 05:06 AM

Hi,

I'm new to Splunk, trying to understand for Splunk we have 1 installation we need to customize it to work as Forwarder or Indexer or Search Head, So want to know which all files need to modify to work as forwarder or indexer.

Correct me if my understanding is wrong.

Please advise thanks.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-11-2023 05:48 AM

Hi @VijayA,

A Splunk Enterprise installation can work as an Indexer, a Search or a Heavy Forwarder: the installation packet is always the same, and the role depends on the configuration.

What is the architecture you want to implement?

if you want a distributed architecture, you have to configure at least one Indexer and one Search Head, the difference is that the Indexer indexes logs and the Search Head is the user Front end.

Otherwise, you could have a Stand Alone server where the same server is the Indexer and the Search Head.

Instaed the Heavy Forwarder is used e.g. to pull logs from cloud or to receive syslogs.

Anyway, the server role depemds on your requirement: what are your requirements?

I hint to read the document https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf that gives you an overview of the possible architectures, at the same time I hint to contact a Splunk partner to analyze your requiremts and design your architecture, It isn't a good idea to start without any knowledge about Splunk architectures and features..

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

VijayA
Explorer
‎04-11-2023 05:55 AM

Thank you for your inputs and document.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-11-2023 05:48 AM

Hi @VijayA,

A Splunk Enterprise installation can work as an Indexer, a Search or a Heavy Forwarder: the installation packet is always the same, and the role depends on the configuration.

What is the architecture you want to implement?

if you want a distributed architecture, you have to configure at least one Indexer and one Search Head, the difference is that the Indexer indexes logs and the Search Head is the user Front end.

Otherwise, you could have a Stand Alone server where the same server is the Indexer and the Search Head.

Instaed the Heavy Forwarder is used e.g. to pull logs from cloud or to receive syslogs.

Anyway, the server role depemds on your requirement: what are your requirements?

I hint to read the document https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf that gives you an overview of the possible architectures, at the same time I hint to contact a Splunk partner to analyze your requiremts and design your architecture, It isn't a good idea to start without any knowledge about Splunk architectures and features..

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...