• How many data centers do you need to monitor?
Dealing with servers in multiple locations introduces another level of
complexity, to which there is no single answer. See the Deploying the Splunk
binary section for a few example deployments.
• How will you deploy the Splunk binary?
• How will you distribute configurations?
We will touch on these topics and more.
Splunk instance types
In a distributed deployment, different Splunk processes will serve different
purposes. There are four stages of processing that are generally spread across
two to four layers. The stages of processing include:
• input: This stage consumes raw data, from log files, ports, or scripts
• parsing: This stage splits raw data into events, parses time, sets base
metadata, runs transforms, and so on
• indexing: This stage stores the data and optimizes indexes
• searching: This stage runs queries and presents the results to the user
These different stages can all be accomplished in one process, but splitting them
across servers can improve performance as log volumes and search load increase.
Splunk forwarders
Each machine that contains the log files generally runs a Splunk forwarder process.
The job of this process is to read logs on that machine or to run scripted inputs.
This installation is either:
• A full installation of Splunk, configured to forward data instead of
indexing it
• Splunk Universal Forwarder, which is essentially Splunk with everything
needed for indexing or searching removed
 