Splunk Components Architecture

Splunk is an operational intelligence tool that can analyze machine-generated data. Its main components include indexers to store indexed data, search heads for viewing logs, cluster masters to replicate data, license masters to manage licenses, and forwarders to send data to indexers. Splunk architecture at AstraZeneca includes indexers, search heads, deployment servers, cluster masters, and load balancers distributed across EMEA, AMER, and Singapore regions.

What is Splunk?

Splunk is an operational intelligence tool that can read all types of machine data so that it can be analyzed.

What is meant by (OIT)?

Machine-generated data is one of the fastest-growing and most complex areas of big data.

It is also one of the most valuable, because it contains records of all user transactions, customer behaviour, machine behaviour, security threats and fraudulent activity.
Splunk Components

• License Master
• Indexer
• Search Head
• Deployment Server
• Cluster Master
• Forwarders
• Load Balancer
Indexer:

The indexer is the component where the indexed data is stored.

For example, whatever logs are sent by a forwarder are stored in the indexer.

Search head:

A search head is a Splunk instance that provides the web interface used to search and view the indexed logs.

Cluster Master

The cluster master is the component that coordinates data replication between the indexers and verifies whether replication is happening between them or not.

License Master

It is the component that manages the licenses of Splunk Enterprise.

Deployment Server

It is the server that manages the configuration on the clients. Here we create the apps or rules that are used to pull data from the clients.
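As an added example (not taken from this deck, and not AstraZeneca's actual configuration), this is what a minimal deployment server setup for the point above looks like: a server class on the deployment server selects a group of Linux clients and pushes an app to them, and that app's inputs.conf is what makes the clients pull and forward the log file. The server class name, app name, host pattern, file path and index name are assumptions for the example.

```ini
# serverclass.conf on the deployment server
# (server class, host pattern and app name are assumed for this example)
[serverClass:linux_auth_hosts]
# deployment clients whose hostname matches are members of this class
whitelist.0 = *.example.com
machineTypesFilter = linux-x86_64

# every member of the class receives the app named below
[serverClass:linux_auth_hosts:app:az_linux_auth_inputs]
stateOnClient = enabled
restartSplunkd = true

# inputs.conf inside the pushed app (az_linux_auth_inputs/local/inputs.conf):
# this is the "rule" that tells the client which data to collect
[monitor:///var/log/secure]
sourcetype = linux_secure
index = security
disabled = false
```

After the files are in place, `splunk reload deploy-server` on the deployment server makes it re-read serverclass.conf; the clients then download the app on their next check-in and start monitoring the file.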
Forwarder

Three types: Universal, Heavy and Stream forwarders.

Universal forwarder: The sole purpose of the universal forwarder is to forward data.

Heavy forwarder: While the universal forwarder is the preferred way to forward data, you might need to use heavy forwarders if you need to analyze or make changes to the data before you forward it, or you need to control where the data goes based on its contents.

Stream forwarder: An independent Stream forwarder deployment is useful, for example, if you want to capture network data from a Linux host that you are monitoring as part of a network service in a Splunk IT Service Intelligence (ITSI) deployment.
Load Balancer

Forwarders perform automatic load balancing. The forwarder routes data to different indexers at a time or volume interval that you specify.

For example, if you have a load-balanced group that consists of indexers A, B and C, then at the specified interval the forwarder switches the data stream to another indexer in the group at random.

The forwarder might switch from indexer B to indexer A to indexer C, and so on. If one indexer is down, the forwarder immediately switches to another.
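As an added example (not part of this deck, and not AstraZeneca's actual configuration), the following heavy forwarder configuration puts the two previous points together: the automatic load balancing across an indexer group described in this section, and the content-based routing that the Forwarder section gives as the reason to use a heavy forwarder. Hostnames, indexer group names, the index name and the regex are assumptions for the example.

```ini
# inputs.conf on the heavy forwarder: receive syslog on UDP 514
# (hostnames, group names, index and regex below are assumed for this example)
[udp://514]
sourcetype = syslog
index = os_logs

# outputs.conf: two load-balanced indexer groups. The forwarder switches the
# stream to a random other indexer in the group every autoLBFrequency seconds
# (or after autoLBVolume bytes when that is non-zero), and moves to a
# surviving indexer immediately if the current one goes down.
[tcpout]
defaultGroup = common_indexers

[tcpout:common_indexers]
server = idx-a.example.com:9997, idx-b.example.com:9997, idx-c.example.com:9997
autoLBFrequency = 30
autoLBVolume = 0
useACK = true

[tcpout:soc_indexers]
server = soc-idx-a.example.com:9997, soc-idx-b.example.com:9997
autoLBFrequency = 30
autoLBVolume = 0
useACK = true

# props.conf: apply the routing transform to every syslog event
[syslog]
TRANSFORMS-routing = route_auth_failures_to_soc

# transforms.conf: events matching the regex are re-routed to the SOC indexer
# group by rewriting _TCP_ROUTING; all other events go to defaultGroup
[route_auth_failures_to_soc]
REGEX = (?i)authentication failure|failed password
DEST_KEY = _TCP_ROUTING
FORMAT = soc_indexers
```

The two group names in outputs.conf must match the value written by the transform's FORMAT, otherwise the routed events are dropped. `splunk btool outputs list --debug` on the forwarder shows the merged outputs.conf and which file each setting came from, which is the quickest way to confirm the group and autoLB settings actually in effect.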
Splunk architecture of AstraZeneca:

Components distribution count

Splunk Components        EMEA   AMER   SG
License Master           1      Nil    Nil
Indexer                  23     14     4 (2 for Shanghai and 2 for Singapore)
Search Head - SOC        1      2      1
Search Head - Common     2      2      2
Search Head - Deployer   1      1      Nil
Deployment Server        1      1      1
Cluster Master           1      1      1
Load Balancer            1      1      1
Heavy Forwarder          2      2      2
Port Numbers:

• 8000 - Web port (search head)
• 8089 - Management port (internal port used by the components to talk to each other)
• 9997 - Forwarder to indexer (indexing port)
• 8080 - Index replication port
• 514 - Splunk network port (syslog)
• 8090 - Agent to deployment server
THANK YOU ! ! !

Confidentiality Notice

This file is private and may contain confidential and proprietary information. If you have received this file in error, please notify us and remove it from your system and note that you must not copy, distribute or take any action in reliance on it. Any unauthorized use or disclosure of the contents of this file is not permitted and may be unlawful. AstraZeneca PLC, 1 Francis Crick Avenue, Cambridge Biomedical Campus, Cambridge, CB2 0AA, UK, T: +44(0)203 749 5000, www.astrazeneca.com
