Our blog

Splunk Architecture: Understanding The Components


Splunk is a distributed search architecture with over two decades of experience helping countless businesses drive the best operational insights and outcomes from their rich business data. It is also an information pipeline and data analytics tool that scales your ability to handle large volumes of enterprise data. 

A Splunk architecture is beneficial for enterprises that do not have proper access control mechanisms or the ability to work with geo-dispersed data from multiple sources. To successfully implement one, it is first essential to understand the individual components that comprise a Splunk architecture and how they work together to achieve the best outcomes. 

This article will cover the following:

This article is for you if you are currently implementing or have active plans to implement your own Splunk infrastructure. In this informative piece, we will explore the various stages of the Splunk data pipeline, its components, and an overview of how each component fits together perfectly to form a robust Splunk architecture. 

Read Also: To know more about what splunk is and why you need it check out our piece on the use-cases of Splunk. 

The Stages Of The Splunk Data Pipeline

A Splunk architecture typically follows three stages to acquire, process, analyze, and search the data. They are as follows.

Data Input Stage

This stage involves ingesting the raw data stream from the source, breaking it down into 64K blocks, and annotating every single block with metadata keys. These metadata keys will contain the source, hostname, source type, character encoding, and the index where the data should be stored. 

Data Storage Stage

The next step involves data storage, where Splunk parses and indexes the log data. Before it can do this, it must first break down the data line by line and identify time stamps. The goal is to create and annotate individual events with corresponding metadata keys. The Splunk software transforms the event data and metadata using operator-defined transformation rules.

Once parsing is complete, Splunk takes the parsed events and writes them onto the index on the storage disk to make the large volumes of your data quickly searchable.

Data Searching Stage

Once the data input, parsing, and indexing are completed, the next step is to control how the Splunk users query, view, and utilize it. To do so, Splunk stores user-generated knowledge objects, including event types, dashboards, reports, alerts, and field extractions.

Splunk Components

Let us look closer at the individual components that make up a Splunk architecture. 

1. Splunk Forwarder

An integral part of the Splunk Architecture is the Splunk Forwarder which acts as an individual agent that you can use to collect logs from a system. Considering that the forwarder occupies very little of the CPU resources in a host system (roughly 1 to 2 %), you can install numerous forwarders onto multiple systems without any notable effect on system performance. 

These forwarders will simultaneously collect data logs from their corresponding systems and forward them to the Splunk indexer for further processing, storage, and analysis. 

There are two types of Splunk Forwarders.

Universal Forwarder

A Universal forwarder acquires and forwards the raw data from the source to the Splunk indexer without performing any processing. 

Although it is a fast way to collect data that requires minimal resources to host, its downside is that it often forwards a large amount of unnecessary and unprocessed raw data, which may affect the Splunk indexer’s performance. 

Heavy Forwarder

Many feel that eliminating unnecessary data early before it is sent to the indexer is a more efficient approach. This way, only relevant data will be forwarded to the indexer, placing a reduced toll on their processing resources. It brings us to the second type of forwarder, the Heavy Forwarder. 

This forwarder parses and indexes the data at the source before it intelligently routes it to the Splunk indexer. The indexer saves considerable storage space and bandwidth by receiving a dramatically reduced volume of processed data from the Heavy Forwarder. 

2. Splunk Indexer

The next component of the Splunk data flow we will look at is the indexer. Its tasked with processing, storing, and indexing the data received from the Forwarders. 

However, note that processing only applies if you use a universal forwarder that transmits raw data containing relevant and irrelevant data. If the Splunk indexer used a heavy forwarder, only indexing is required at this stage. 

Once done, the indexer creates compressed raw data, raw data indexes (tsidx files), and metadata files and places them into separate directories or buckets. 

Splunk uses multiple indexers to duplicate and store each other’s data. This process, known as index clustering, ensures that Splunk maintains replicated instances of the index data as a precaution against data loss.

In summary, the indexer takes the raw data and makes it searchable by

  • Splitting the data stream into multiple individual and searchable events.
  • Identifying and adding timestamps to each event.
  • Extracting the source, source type, and host fields from the stream.
  • Filtering undesired events, Identifying custom fields, writing or modifying keys, masking sensitive data, addressing multi-line events by adding breaking rules, and other user-defined actions.

Once the indexer completes its task, the user can now search the data with the last crucial Splunk component, the search head. 

3. Splunk Search Head

The search head acts as the graphical UI, which allows users to interact with the Splunk architecture to search and query the specific data they require from the indexer. This is done by keying specific words corresponding to the desired data into the search head. 

The search head is a distributed search Splunk component that allows easy access control to large volumes of remote data. 

When the search query is typed in, the Splunk software sends the search requests to a network of indexers known as search peers. While search heads only perform search requests, the search peers conduct the search and perform indexing. The indexers match the search requests to the corresponding results and return them to the Splunk user. 

You can install the search head on multiple Splunk components within the same server or on separate servers by simply enabling the server’s Splunk web service. Such a group of coordinating search heads working together is called a search cluster. 

You can optimize your search loads by providing each search head within a cluster with the same information and different tasks to split the workload. In some cases, multiple search head clusters can also perform the same tasks with similar knowledge to significantly scale up the search.

Splunk Architecture Overview

Look at the image above to understand how the different Splunk components work together in a robust Splunk Architecture. Note that the Management Console Host is an integral Splunk component tasked with overseeing software updates, centrally managing and distributing configurations, and delivering content updates to search heads, indexers, and forwarders. 

If you observe, we have numerous remote forwarders that transmit the raw data to the indexers. As discussed earlier, depending on the type of forwarder, the indexer may receive processed or unprocessed data. 

Now, the indexer processes the data if necessary and is made available to the search head, where you can send requests to search, analyze, visualize, and create knowledge objects. Together they all work to make up a robust Splunk Architecture. 

In conclusion, now that you understand the inner workings of Splunk architecture, it may make your transition a lot easier. If you still remain unclear about setting up and implementing your own Splunk architecture, numerous service providers exist that can easily step in and help you build your Splunk infrastructure from the ground up. 
An excellent service provider should be able to implement your Splunk architecture around your existing systems and customize it to suit your unique individual business requirements. BitsIO is a professional service provider you could contact to quickly answer all your Splunk queries.