Splunk Components

Video Transcription
Hello. Welcome back to the Splunk Enterprise Certified Administrator course. We're going to get into lesson 2.2 now, where we're going to discuss the different Splunk components.

Before we get started on this lesson, let's do a quick knowledge assessment to see if you were paying attention in the last video. So the question is: what are the three core functions of Splunk? If you need a second to pick an answer, feel free to pause here before we move to the next slide and answer.

So the answer was the three: ingestion, storage, and investigate.
Now the learning objectives for this lesson are going to be to list all the possible Splunk components you might see, understand the core functionality of each of those components, and then categorize the components by the phase that they're associated with.

So why are we learning this? We just learned about what Splunk is. The next module will be talking about architectures. So before we get into that information, it's very important that we know all of the individual components, so that we know how they can be organized and made into a Splunk deployment.

And then also, as I mentioned previously, this is important because we're going to map this to the phases, which I've said before. We have seen a lot of problems where people don't understand which component performs which phase, and so this will really help to drive that point home, I'm hoping.
So here is a list of all of the Splunk components. You can see that there's nine of them. These icons that I used come directly from Splunk; they actually provide a Visio template. So if you're interested in that, it could be pretty useful if you're building a network diagram or anything like that, so I'll include them in the resources tab in case you want them.
So let's start talking about the actual components. First there's the universal forwarder. This is actually a Splunk install, but it's different than your normal Splunk Enterprise installation: there's a universal forwarder package. It's a very lightweight version of Splunk that basically can just monitor and forward data. That's the key functionality of it.

So this is part of the ingestion phase, and it is the preferred ingestion option. Anywhere you can use a universal forwarder to send data into Splunk, we want you to do that. So it's important to note that.
And then there's an intermediate forwarder. This is really defined more by its placement in the data ingestion pipeline than by what device it is, because this could be a universal forwarder or a heavy forwarder, as long as it's multiple forwarders being sent to this destination forwarder before being sent to the indexers.

So its purpose is to aggregate data before forwarding into Splunk. A lot of times where you'll see these is if you've got a bunch of subsidiaries that are all sending data to, like, a corporate Splunk instance, and you only want to open the firewall for, like, one device. A lot of times you'll put in, like, a universal forwarder that aggregates the data from a bunch of forwarders and then just forwards it through to the indexers, and then you only have to allow that firewall opening for the one device. That's where you see these pretty commonly.

And this is associated with the ingestion phase, but also possibly parsing, because if it's a heavy forwarder, heavy forwarders will do parsing. So it just depends on which device you choose to do it.
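As an added example that is not part of the course material, here is how that subsidiary-to-corporate chain is expressed in Splunk's own configuration files. Hostnames (uf-subsidiary-01, ifwd.corp.example, idx1/idx2.corp.example) are assumed, and 9997 is Splunk's conventional receiving port; the universal forwarder only ever talks to the intermediate forwarder, so the intermediate forwarder is the single source the corporate firewall has to admit.

```ini
# ---- File 1: on each subsidiary universal forwarder ----
# $SPLUNK_HOME/etc/system/local/outputs.conf
# Assumed hostnames. The UF sends only to the intermediate forwarder, so no
# per-subsidiary firewall rule is needed on the corporate side.
[tcpout]
defaultGroup = intermediate

[tcpout:intermediate]
server = ifwd.corp.example:9997
# Ask the receiver to acknowledge data so nothing is lost if the link drops.
useACK = true

# ---- File 2: on the intermediate forwarder ----
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Listen for the subsidiary UFs. If this host is itself a universal
# forwarder, data passes through unparsed and the indexers do the parsing;
# if it is a heavy forwarder, parsing happens here instead.
[splunktcp://9997]
disabled = 0

# ---- File 3: on the intermediate forwarder ----
# $SPLUNK_HOME/etc/system/local/outputs.conf
# This is the one source address the corporate firewall allows to reach
# the indexing tier on 9997. Multiple servers are load-balanced.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.corp.example:9997, idx2.corp.example:9997
useACK = true
```

Splunk does not allow trailing comments on the same line as a setting, which is why every comment above sits on its own line.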
Now we have a heavy forwarder. This is a little different than a universal forwarder in that it is a dedicated, full Splunk Enterprise instance. It can be used to aggregate data, and it also performs, like, API pulls for data ingestion; there are certain Splunk apps that allow you to configure those. And then it forwards the data to the indexing tier. So this is part of the ingest and parsing phases.

And the notes on this are: it is a full Splunk install, as I mentioned, and it has a full installation of Python, and it also has a web GUI, which is what allows you to install the apps to perform the API pulls. And that is the most common usage of this: specifically to install the apps that you need to bring data in through an API and have the heavy forwarder do that.
Then you have an indexer. What this does is it parses, organizes and stores the data that's been ingested by Splunk. Its phases are primarily parsing and indexing, although, as I mentioned before, if a heavy forwarder comes first, then the heavy forwarder will do the parsing, and then the indexer will just do the indexing.

Notes about this: the indexer does most of the processing on the data, since it does most of the parsing if there's not a heavy forwarder before it, and then also, when searches are performed, the indexer has to retrieve those events. So this is the powerhouse of Splunk and where most of your hardware investment will most likely be.
Then you have a search head. This provides the user interface for users to interact with data. So it's only associated with the search phase, and it's the only device that is associated with the search phase. And it's going to be where most of your users go. It's going to be probably the only device they really have access to and where they spend most of their time.
Now we're going to move into just management devices. These don't really fall into a phase. They're meant to do some sort of management, so we'll explain each individually as we go. So, for example, the deployment server provides you a centralized configuration management tool for deployment clients, which is just a word that Splunk uses for your universal, intermediate and heavy forwarders.

Quick note on this one is that it is optional. If you have a configuration management tool that your environment already uses, you're more than welcome to leverage that; this is just really included as
Then you have a license manager, which basically is just the central repository for your license. It tracks your license usage and issues any license warnings, if necessary. All your devices that have a Splunk Enterprise install will point to your license manager, so that you don't have to install the license on each of them. And also, this device is pretty low utilization, minus, you know, the network connections coming in. But even that's still pretty minimal.
Then there's your monitoring console, which gives you health monitoring and alerting for your entire Splunk Enterprise deployment. What's unique about this device is it's the only one that's going to have all of the Splunk Enterprise components as search peers, which is going to let it see their internal logs and also have REST API access to each of the components. So this is very, very valuable for administrating and, like, overseeing the health of your environment.
Then you have a cluster master, which manages clustered indexers. It'll do configuration management and also track, basically, the data that's stored on each indexer and make sure that the proper number of copies of that data is maintained. So these are only for indexer-clustered environments, and they are mandatory if you have an indexer cluster.

Then a deployer manages the configurations for your search head cluster. It does not do any fix-up activity the way that the cluster master does, so it's a lower-utilization device, but the same principle applies. If you have a search head cluster, this is 100% mandatory. If you don't, you'll never see this.
So now that we've gone through all of the different components here, I just built this illustration to show you where these devices fall in terms of the phase. At the bottom you start with ingest, where your forwarders are, and they're bringing the data into Splunk, and they're managed by the deployment server, as you see on the left. And then once the data has been brought in, it'll be parsed by either a heavy forwarder or an indexer, whichever one it hits first, and then it's indexed by the indexers. The indexers are then monitored by the cluster master, as illustrated on the left. And then your search heads will be performing your search phase, and they're managed by the deployer if there is a search head cluster.
So now that we've gone through all the slides, we've identified all nine Splunk components, what the purpose of each component is, and which phase that component lines up to. So that wraps up this lesson, and I look forward to seeing you in the next one.