Splunk architecture: Data flow, components and topologies

Safalta Expert Published by: Aryan Rana Updated Mon, 21 Nov 2022 11:35 PM IST


Almost every cutting-edge technology that is reshaping our world today is producing machine-generated log data, which has caused the demand for Splunk Certified workers to soar. Knowing how Splunk operates inside is crucial if you want to install it in your infrastructure.

Table of Content
Stages of the Data Pipeline

Data Entry Phase
Data Storage stage
Data gathering phase
Splunk Forwarder
Universal Forwarder
Large Forwarder
Indexer Splunk
Search Head for Splunk
Architecture Splunk

Almost every cutting-edge technology that is reshaping our world today is producing machine-generated log data, which has caused the demand for Splunk Certified workers to soar. Knowing how Splunk operates inside is crucial if you want to install it in your infrastructure. This blog post was created to explain the Splunk architecture and describe the relationships between the various Splunk components.

If you need additional clarification on what Splunk is, consult the Splunk Certification, which will explain to you why businesses with extensive infrastructure need it.

Let me first highlight the various stages of the data pipeline each Splunk component falls under before I discuss how they all work.

Download these FREE Ebooks:
1. Introduction to Digital Marketing
2. Website Planning and Creation

You can check other related blogs below:
1. Powerful SEO Techniques to rank in Google
2. How to get powerful SEO backlinks? Top 10 Tips to get Backlinks

3. Search Intent - All You Should know
4. What is page experience in Digital marketing?

5. SEO Vs PPC: Which is beneficial?
6. 7 Tips for combine Website Content to Improve SEO
7. 6 Reasons Email Marketing increase holiday sales
8. 6 SEO hacks to revive your Website

Stages of the Data Pipeline

In Splunk, there are essentially 3 stages:
  • Data Input stage
  • Data Storage stage
  • Data Searching stage

Data Entry Phase

The raw data stream from the source is consumed by Splunk software at this point, which then divides it into 64K blocks and annotates each block with metadata keys. Hostname, origin, and source data type are among the metadata keys. Additional values that are utilised internally, such as the character encoding of the data stream and values that regulate how data is processed during the indexing stage, such as the index into which the events should be stored, can also be included in the keys.

Data Storage stage

The two stages of data storage are parsing and indexing.

Free Demo Classes

Register here for Free Demo Classes

Please fill the name
Please enter only 10 digit mobile number
Please select course
Please fill the email
Something went wrong!
Download App & Start Learning
  • Splunk software evaluates, analyses, and changes the data during the parsing process to only keep the pertinent information. It's sometimes referred to as event processing. The Splunk programme separates the data stream into discrete events during this stage. Numerous sub-phases make up the parsing phase:
  • dividing a data stream into distinct lines
  • Establishing, identifying, and processing timestamps
  • adding metadata to individual events based on source-wide keys
  • event data and metadata transformation using regex transform rules
  • The Splunk programme adds parsed events to the index on the disc during the indexing phase. Both the relevant index file and the compressed raw data are written. The data can be quickly retrieved during searches thanks to indexing.

Data gathering phase

This phase regulates the user's access to, perception of, and usage of the indexed data. Splunk software maintains user-created knowledge objects, such as reports, event kinds, dashboards, alerts, and field extractions, as part of the search function. The search feature controls the search procedure as well.

Splunk Forwarder

You must use Splunk Forwarder as a component to collect the logs. With Splunk's remote forwarders, which are separate from the main Splunk instance, you could, for example, get logs from a distant machine.

The log data will be forwarded to a Splunk Indexer for processing and storing if you install several of these forwarders on different machines. What if you want to analyse the data in real-time? That is another usage for Splunk forwarders. The forwarders can be set up to instantly transfer data to Splunk indexers. They can be installed on numerous computers, allowing you to collect data in real-time simultaneously from various workstations.

Splunk Forwarder uses 1-2% of the CPU less than other conventional monitoring tools. With no impact on performance, you may expand them up to tens of thousands of distant systems and collect gigabytes of data.

Universal Forwarder

 If you want to transmit the unprocessed data gathered at the source, you can select a universal forwarder. It is a straightforward element that gives the incoming data streams very little processing before sending them to an indexer.

The major issue with practically every tool on the market is data transfer. Performance overheads are caused by the amount of unneeded data that is delivered to the indexer since there is so little processing done to the data before it is sent.

Why bother uploading all the data to the Indexers merely to filter out the pertinent information? Wouldn't it be better to send the Indexer only the pertinent data and thereby conserve bandwidth, time, and resources? This problem can be resolved by making use of heavy forwarders, as I will explain below.

Large Forwarder

Due to the fact that one level of data processing takes place at the source itself before data is forwarded to the indexer, using a heavy forwarder will solve half of your difficulties. In most cases, the Heavy Forwarder performs parsing and indexing at the source and intelligently sends the data to the Indexer to conserve bandwidth and storage space. Therefore, the indexer only has to handle the indexing segment when a heavy forwarder parses the data.

Indexer Splunk

You must use the indexer Splunk component to index and store the data arriving from the forwarder. For effective search operations, the Splunk instance converts incoming data into events and stores them in indexes. The indexer will parse the data if you are getting it from a Universal forwarder before indexing it. Data is parsed to remove irrelevant information. But the indexer will only index the data if you are receiving it from a heavy forwarder.

The Splunk instance generates a number of files as it indexes your data. These documents include one of the following:
  • data in its uncompressed state
  • index files (also known as tsidx files), which point to raw data, as well as certain metadata files

These files are found in buckets, which are collections of directories.

Now, allow me to explain how indexing functions.

Incoming data is processed by Splunk to allow quick search and analysis. It improves the data in a number of ways, including:
  • dividing the stream of data into distinct, searchable events
  • establishing or locating timestamps
  • obtaining information from fields like host, source, and source type
  • executing user-defined operations on the incoming data, including custom field detection, sensitive data masking, key writing, multi-line event breaking rules, undesirable event filtering, and event routing to predetermined indexes or servers.

Event processing is another name for this indexing procedure.

Data replication using Splunk Indexer is an additional advantage. Splunk maintains several copies of the indexed data, so you need not be concerned about data loss. Index replication or Indexer clustering are two names for this procedure. An indexer cluster, which is a collection of indexers set up to replicate each other's data, is used to do this.

Search Head for Splunk

The element that is utilised to communicate with Splunk is the search head. It offers customers a graphical user interface so they may carry out different actions. By entering search terms, you can search and query the data kept in the Indexer and receive the desired results.

The search head can be installed separately from other Splunk components or on the same server as other Splunk components. The Splunk server's Splunk web service must be enabled in order to enable the search head; there is no separate installation file required.

A Splunk instance has the ability to perform as both a search peer and a search head. Dedicated search heads are those that carry out only searches and don't index data. A search peer, on the other hand, handles indexing and answers to queries from other search heads.

A search head in a Splunk instance can submit search queries to a collection of indexers, or search peers, who then execute the searches on their own indexes. The results are then combined by the search head before being sent back to the user. Distributed searching is a method that searches data more quickly.

Architecture Splunk

You may readily relate to the Splunk architecture if you comprehend the ideas that were previously explained. To gain a clearer idea of the many parts of the process and how they perform, look at the graphic below.

By using automated data forwarding scripts, you can receive data from numerous network ports.
You may keep an eye on the files that are being received and immediately notice changes.
  • Before the data reaches the indexer, the forwarder has the ability to load and balance the data, copy the data, and intelligently route the data. Cloning is done to make multiple copies of an event at the data source, whereas load balancing is done so that the data can be sent to another instance that is hosting the indexer even if one instance fails.
  • The deployment server is used to manage the complete deployment, configurations, and policies, as I previously stated.
  • When this data is received, an indexer is used to store it. The indexer is then divided into various logical data stores, and at each data store, permissions can be configured to regulate what each user sees, accesses, and utilises.
  • When the data is in, you may search it and spread searches to other search peers. The results will then be consolidated and returned back to the search head.
  • In addition, you can plan searches and make alerts that will be sent out when specific criteria match saved searches.
  • When using Visualization dashboards to build reports and do analysis, you can use stored searches.
  • Finally, you can add knowledge objects to current unstructured data to improve it.
  • Either the Splunk Web Interface or the Splunk CLI can be used to access search heads and knowledge items. A REST API connection is used for this communication.


What elements make up the architecture?

The four fundamental components of architecture and design—Point, Line, Plane, and Volume—must be understood if you want to work as a building architect or designer. You may actually make any type of architecture or design using these four components.

What kind of data structure is used by Splunk?

Data is kept in flat file format by Splunk. Based on the amount and age of the data, Splunk stores all data in an index and in hot, warm, and cold buckets. Both clustered and non-clustered indexes are supported.

Free E Books