Table of Contents
Splunk Technology
Splunk Enterprise is a software platform to search, analyze, and visualize the machine-generated data (physical, virtual, cloud).
| Feature | Description |
| Indexing | Splunk indexes machine data. The maximum indexing volume depends on the Splunk Enterprise license. |
| Search | Search is the primary way for navigating data in Splunk. Search is used to retrieve events from an index, use statistical commands to calculate metrics and generate reports, identify patterns and predict future trends. Searches can be saved as reports and used to power dashboard panels. |
| Alerts | Alerts are triggered when conditions are met by search results for both historical and real-time searches. |
| Reports | Reports are saved searches. Reports can be added to dashboards as dashboard panels. |
| Dashboards | Dashboards are results of completed searches as well as data from back grounded real-time searches. |
Splunk Architecture
Phases – Splunk data life cycle
At the INDEXING Stage, Splunk takes parsed events and writes them to the search index on disk.
When Splunk indexes raw event data, it transforms the data into searchable events. Indexes reside in flat files on the Splunk instance known as the indexer.
Event processing occurs at the PARSING Stage.
Parsing can occur on either an indexer or a heavy forwarder.
At the INPUT Stage, Splunk acquires the raw data stream from its source, breaks it into 64K blocks, and annotates each block with metadata keys.
Data input can occur on either an indexer or a forwarder.
Components of Splunk
- Forwarder – Installed on the source of data: collects and forwards data to indexer – Two types: Universal (simple—most common) and heavy (for special recuirements).
- Indexer – Parses data received from forwarder(s) and stores it in one or more indexes – Executes searches and returns results – Add more indexers to increase both data input and search capacity – Can use index replication to provide high availability/disaster recovery.
- Search head – Provides Web Ul interacts with users, requests searches to indexers. and displays results – Manages knowledge objects: saved searches, alerts. dashboards, etc. – Add more search-i heads in a pool to scale and support more concurrent users.
Splunk Usage & Benefits
Splunk Users /Roles
Splunk users are assigned roles. Roles determine capabilities
Out of the box there are three roles:
- User
- Power
- Admin
Splunk administrators can create other roles.This class focuses on the Power role.
Architectural Components of Splunk
Indexer
Splunk indexers, or index servers, provide indexing capability for local and remote data and host the primary Splunk datastore, as well as Splunk Web
Forwarder
Forwarders are Splunk instances that forward data to remote indexers for indexing and storage.
Deployment Server
A deployment server distributes configuration information to running instances of Splunk via a
push mechanism which is enabled through configuration
Search Peers
A search peer is an indexer that services requests from search heads in a distributed search deployment.
Search Head
A search head is a Splunk instance configured to distribute searches to indexers, or search peers.
More about Splunk Components
All-in-one/single server
- Self-contained Splunk instance; gathers inputs, indexes, and acts as a search interface
- Typical of a test instance, staging, POC, demo, etc.
Indexer
- A Splunk instance that gathers and/or receives data from forwarders and writes them to disk
- Can operate alone or with other indexers load balanced, and can also act as search interface
- If not a search head, could have Splunk Web disabled
Search head
- Runs Splunk Web, generally does not index, and connects to indexers with distributed search
- Used in large implementations with high numbers of concurrent users/searches
Universal Forwarder (Light Forwarder)
- Splunk “agent” installed on non-Splunk system to gather data locally, can’t parse or index by design
- Smallest possible hardware footprint — designed to be installed on production systems
“Heavy” Forwarder
- Splunk instance that gathers data, parses it, and forwards it on to an indexer – no data written to disk
- Generally works as a remote collector, intermediate forwarder, and possible data filter
Deployment Server
- Splunk instance that acts as configuration manager for a Splunk install — can run on an indexer or search head or on a dedicated machine depending on size of installation
