Module 2 Splunk Components
Indexer
Processes machine data, storing the results in indexes as events, enabling fast search and analysis
What tools can Search Heads provide to enhance the search experience?
Reports, Dashboards and visualizations, etc.
What is used to manage and distribute apps to the members of the Search Head Cluster?
A Deployer
How many Search Heads are required in a Search Head Cluster?
A minimum of three
Splunk Deployment - Increasing Capacity
Adding a Search Head Cluster:
- Services more users for increased search capacity
- Allows users and searches to share resources
- Handles search requests and distributes the requests across the set of indexers
Search Heads
Allows users to use the search language to search the indexed data. Distributes user search requests to the indexers. Consolidates the results and extracts field-value pairs from the events, returning them to the user.
Additional Splunk Components
In addition to the three main Splunk processing components, there are some less common components, including: Deployment Server, Cluster Master, License Master
What are the three main processing components that Splunk is comprised of?
Indexer, Search Head, and Forwarder
As an Indexer indexes data, how is the data stored?
Indexers create a number of files organized in sets of directories by age.
Splunk Deployment - Multi-instance
See Picture
Splunk Deployment - Stand Alone
A single server includes all functions in a single instance of Splunk: Searching, Indexing, Parsing, Input
Forwarders
Splunk Enterprise instances that consume data and send it to the indexer. They are the primary way data is supplied for indexing. They require minimal resources and have little impact on performance, and typically reside on the machines where the data originates.
Splunk Deployment - Basic
A Splunk server including Searching, Indexing, and Parsing. Forwarders collect data and send it to the Splunk server. A Basic Deployment is typically for organizations that index less than 20GB per day.
Splunk Deployment - Index Cluster
Traditional Index Clusters:
- Configured to replicate data
- Prevent data loss
- Promote availability
- Manage multiple indexers
Non-replicating Index Clusters:
- Offer simplified management
- Do not provide availability or data recovery