One of the first and most important things you need to learn about Splunk in order to work with it effectively is what the functional components are and how they work together. Here is a list:
- Universal forwarder
- Indexer and indexer clusters
- Search head and search head clusters
- Deployment server
- Cluster master
- License master
- Heavy forwarder

Universal forwarders, indexers, and search heads provide the majority of Splunk functionality; the other components play supporting roles in larger clustered/distributed environments. We'll summarize each of these here and dig into more details in chapters to come.
In very small installations, you can install Splunk Enterprise on a single server, which will provide all ...