From Splunk Wiki
Single index server deployment models
You have many deployment options even when using a single Splunk index server. Let's see how you can use a single Splunk index server with different IT data inputs.
Splunk installed on existing aggregation host
In this deployment model, Splunk is installed on an existing aggregation host and indexes log data as it is written to disk by the local system's syslog receiver. These deployments are simple to execute, and you can easily increase their scope at a later point.
Splunk with direct network inputs
It's also simple to implement network-based data gathering with Splunk. Splunk supports multiple TCP and UDP inputs to enhance deployment flexibility.
Splunk installed on a host receiving batched IT data moves
Another way that you can deploy Splunk is with batched data moves. Remote systems copy log data after rotation intervals to a central location, where Splunk is indexing data.
Splunk indexing data on a remote mount / network storage
You can also index data on a network storage device or remote mount. Splunk indexes the data on the network storage device with all the flexibility of other configurations.
Splunk installed on all servers forwarding data
In this deployment, Splunk is installed on all systems in the topology. Deploying Splunk on a wide scale provides significant benefits to data access, change management and distribution capabilities. By installing Splunk on more systems, you can access local application logs, capture status information, monitor change on your systems, use enhanced data distribution features such as routing, cloning and balancing, and more.