Community:Components of A Splunk deployment

From Splunk Wiki

Jump to: navigation, search

< Back to the Best Practices area

Components of a Splunk deployment

Splunk is simple to deploy by design. By using a single software component and easy to understand configurations, Splunk can coexist with existing infrastructure or be deployed as a universal platform for accessing IT data.

Splunk can start up and run in several different modes, each of which can serve as a component to meet your deployment requirements. This section covers these potential components:



In this mode, indexers, or index servers, provide indexing capability for local and remote data and host the primary Splunk datastore, as well as Splunk Web. Refer to "How indexing works" in the Admin Manual for more information.

Search head

In this mode, a Splunk instance is configured to direct user search requests to one or more indexers. Use "distributed search" to configure a search head to search across a pool of indexers.



Forwarders use the same Splunk software package but do not store indexed data locally. All indexed data is forwarded to remote index servers. To reduce operational footprint, Splunk Web is not used. Refer to the documentation on setting up a Splunk instance as a forwarder.

Deployment server


Both indexers and forwarders can also act as deployment servers. A deployment server distributes configuration information to running instances of Splunk via a push mechanism which is enabled through configuration. Refer to the documentation on setting up a Splunk instance as a deployment server.

Personal tools
Hot Wiki Topics

About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk