
Splunk Components - Hetpatel4387@gmail - Com - Gmail

Uploaded by

Het Bhavin Patel
Copyright
© All Rights Reserved

11/13/24, 6:53 PM Splunk Components - hetpatel4387@gmail.com - Gmail

System Requirements - Splunk Enterprise can be run on Windows Server or Linux

Search Head:
- Can be one or more (cluster)
- End-user access is typically provided at the search head
- You can have a search head or search head clusters per datacenter/region.
- You can also have global search heads on top of regional search heads.
- You can also have search heads pointing to a subset of indexers

Enterprise Security + Search Head
- Can be one or more (cluster)
- Enterprise Security is a Splunk app

Indexer
- One or more Cluster
- Index and store data
- Indexers serve data to Search Heads

Deployment Manager
- Single instance (not sure if you can have a deployment server cluster)
- Used to deploy Splunk apps
- Used to centrally manage and configure Splunk components
- It's not required, but at SAP, deployment servers are divided into two categories: one is used strictly to manage Splunk Enterprise and the other to manage Client/Lines of Business Universal Forwarders and Intermediate Forwarders

Splunk Monitoring Console
- Single instance
- Only used to collect logs and metrics for the Splunk Enterprise infrastructure

License Manager
- Can support multiple license managers (primary/secondary)
- You can have one license manager that supports multiple Splunk Enterprise deployments

Cluster Master/Manager
- Single instance (not sure if it can be deployed as a cluster)
- Manages Search Head and Index Clusters
- I think it's also used to create indexes

Heavy Forwarder
- Usually deployed as standalone and not in cluster mode
- Can have more than one Heavy Forwarder; the decision to deploy an additional forwarder is based on log ingestion load

HTTP Event Collector
- Usually deployed as standalone and not in cluster mode
- Can have more than one; the decision to deploy an additional HTTP Event Collector is based on log ingestion load
- Receives logs over HTTP streams
- Also referred to as HEC

Intermediate Forwarder - Single Instance
- Usually deployed on the client network/data center for devices that cannot send encrypted logs over the wire
- An Intermediate Forwarder usually forwards logs to another Heavy Forwarder or HEC
- Usually deployed as standalone and not in cluster mode
- Can have more than one Intermediate Forwarder; the decision to deploy an additional Intermediate Forwarder is based on log ingestion load

Universal Forwarder
- Usually installed on server/client endpoints
- Available for a wide range of OSes
- Does not require a license to use
- Can be centrally managed by the Deployment Server
- Maintains pointers in the event that the Splunk Enterprise infrastructure is not available for log ingestion
