Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk architect for indexers and searches

kml_uvce
Builder
‎03-29-2012 06:38 AM

Currently I am using splunk like this
one splunk server(machine) that having search head, indexes(in one splunk server more indexers)

i saw the doc http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Distributedoverview
I did not get in this doc, more search heads are in diffrent servers(more than one machine) and indexers are in diffrent servers (more than one machine) or all are in same server(machine) and also about the forwarders pushing data.

can anyone please explain me this architecture ? and also if you have any better architect then please let me know.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎03-29-2012 07:04 AM

These links will probably be helpful to you in understanding the basic Splunk architecture for a single server. Essentially you have the Search Head, Indexer, Forwarder all on the same server. We have the capabilities to distribute those components to multiple servers in order to scale our environment.

This explains the different components which you have all on one server.
http://docs.splunk.com/Documentation/Splunk/latest/Installation/ComponentsofaSplunkdeployment

This explains a more logical representation of the inner functions of a Splunk server. Diagram towards the bottom of the page.
http://docs.splunk.com/Documentation/Splunk/4.3.1/Installation/Splunksarchitectureandwhatgetsinstall...

View solution in original post

Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎03-29-2012 07:04 AM

These links will probably be helpful to you in understanding the basic Splunk architecture for a single server. Essentially you have the Search Head, Indexer, Forwarder all on the same server. We have the capabilities to distribute those components to multiple servers in order to scale our environment.

This explains the different components which you have all on one server.
http://docs.splunk.com/Documentation/Splunk/latest/Installation/ComponentsofaSplunkdeployment

This explains a more logical representation of the inner functions of a Splunk server. Diagram towards the bottom of the page.
http://docs.splunk.com/Documentation/Splunk/4.3.1/Installation/Splunksarchitectureandwhatgetsinstall...

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎04-03-2012 10:22 AM

Not sure what you mean. You are able to have multiple indexers and search heads on multiple servers in order to scale your environment and improve performance for processing increased amounts of data. A typical indexer is good for about 100 GB of data per day, a typical search head running on an 8 core server will allow for 8 concurrent searches.

0 Karma
Reply
Solved! Jump to solution

kml_uvce
Builder
‎03-29-2012 03:40 PM

do you mean that we can also do diffrent search heads in diffrent servers and diffrent indexers in diffrent servers ?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...