Splunk Components | universal forwarder | Heavy forwarder

Splunk Talks
31 Aug 2020 | 08:45

Summary

TL;DR: This video introduces the key components of Splunk, focusing on its two software packages, the Universal Forwarder and Splunk Enterprise. It explains the Splunk Enterprise roles of Heavy Forwarder, Indexer, Search Head and Deployment Server, and why parsing and filtering events before they are indexed matters for both indexer performance and license volume. It also walks through the architecture of a clustered deployment, including the Cluster Master and License Master, and the Deployment Server's role in managing configurations across the system.

Takeaways

  • 📚 The video introduces Splunk components and its two main software packages: Splunk Universal Forwarder and Splunk Enterprise.
  • 🔄 Splunk Enterprise can perform various roles including Heavy Forwarder, Indexer, Search Head, Deployment Server, Cluster Master, and License Master.
  • 🌐 Splunk Universal Forwarder (UF) is a separate, free software package that collects events from servers or endpoints without requiring a license.
  • 🔍 UF is used for scenarios like monitoring continuously updated files or NTP service synchronization and can be managed by a Deployment Server.
  • 🚫 UF cannot parse events. Parsing breaks the incoming stream into individual events, identifies each event's timestamp, and attaches the meta fields source, sourcetype and host.
  • 🔑 Heavy Forwarder (HF) is a Splunk Enterprise role that can parse events and apply filters that drop unwanted data before it is indexed, which also reduces the volume counted against the Splunk license.
  • 📈 An HF is recommended in larger deployments to offload parsing and filtering from the indexers and preserve search performance.
  • 🗂️ Splunk Indexer stores and indexes event data and serves search requests from the Search Head, which depends on it to answer queries and generate reports.
  • 🔑 Splunk Cluster Master manages the indexer cluster: it tells peers where to stream replica copies of each bucket and rebalances bucket copies when a peer node fails.
  • 🔍 The Search Head is the interface for non-admin users to interact with Splunk, allowing them to run queries, generate reports, and create knowledge objects.
  • 🛠️ Splunk Deployment Server acts as a centralized configuration manager, deploying updates to other instances and managing deployment clients.
  • 🏢 Server Classes in Splunk are combinations of Deployment Clients and Deployment Apps, allowing for targeted configuration updates.
  • 🛡️ Splunk License Master controls access to licenses for one or more license slaves, managing licensing volume and defining stacks and pools.

Q & A

  • What are the two main Splunk software packages mentioned in the video?

    -The two main Splunk software packages mentioned are Splunk Universal Forwarder and Splunk Enterprise.

  • What is Splunk Universal Forwarder (UF) and what is its purpose?

    -Splunk Universal Forwarder (UF) is a separate software package used for collecting events from servers or endpoints. It is free to download and does not require a license.

  • Can Splunk UF parse events?

    -No, Splunk UF is not capable of parsing events. Event parsing, which includes breaking data into blocks, identifying timestamps, and adding meta fields, is a capability of the Heavy Forwarder or Indexer.

  • What is the role of the Heavy Forwarder (HF) in Splunk Enterprise?

    -The Heavy Forwarder (HF) is an optional component of Splunk Enterprise that can parse and filter events, offloading some of the workload from the indexer and potentially saving on Splunk license costs.

  • How does the Deployment Server in Splunk Enterprise manage configurations?

    -The Deployment Server in Splunk Enterprise acts as a centralized configuration manager, deploying configuration updates to other instances, including Universal Forwarders and Heavy Forwarders.

  • What is an indexer in the context of Splunk Enterprise?

    -An indexer in Splunk Enterprise is responsible for storing and indexing events and serving search requests from the search head. An indexer that a search head searches is also called a search peer; in an indexer cluster, the indexers are referred to as peer nodes.

  • What is the function of the Cluster Master in a Splunk Enterprise setup?

    -The Cluster Master in Splunk Enterprise manages the indexer cluster: it instructs peers where to stream replica copies of their data and adjusts bucket copies after a peer node fails. It also tells the Search Head which peers, and which bucket copies, are currently searchable, so the Search Head can send each search to the right indexers.

  • What is the role of the Search Head in Splunk Enterprise?

    -The Search Head in Splunk Enterprise is the component that users interact with to run queries, generate reports, searches, dashboards, and create knowledge objects such as field aliases, calculated fields, lookups, event types, and tags.

  • What is the purpose of the Search Head Deployer in Splunk Enterprise?

    -The Search Head Deployer in Splunk Enterprise is used to deploy apps to the members of a search head cluster. It is recommended to use the Search Head Deployer instead of installing apps directly on search head cluster members.

  • What is a Deployment App and how does it relate to Server Classes in Splunk Enterprise?

    -A Deployment App is a unit of content deployed to the members of one or more server classes. A server class is a combination of deployment clients and deployment apps, allowing for the centralized management of configurations across similar systems.

  • What is the License Master role in Splunk Enterprise and how does it interact with License Slaves?

    -The License Master in Splunk Enterprise controls one or more License Slaves, providing them access to Splunk Enterprise licenses and managing the licensing volume. It allows for the definition of stacks, pools, and management of license slaves.

Outlines

00:00

🔍 Introduction to Splunk Components

This paragraph introduces the main components of Splunk, focusing on two primary software packages: Splunk Universal Forwarder and Splunk Enterprise. It explains the roles of Splunk Enterprise, such as Heavy Forwarder, Indexer, Search Head, Deployment Server, Cluster Master, and License Master. The paragraph also details the function of the Universal Forwarder (UF), its installation on servers or endpoints for event collection, and its limitations, such as the inability to parse events or apply filters. The role of the Heavy Forwarder in offloading indexer workload and its management by the Deployment Server is also highlighted.

05:03

🛠 Deep Dive into Splunk Enterprise Roles and Deployment

This paragraph delves deeper into the roles within the Splunk Enterprise package, including the Indexer, Search Head, Cluster Master, Search Head Deployer, Deployment Server, and License Master. It describes the indexer's role in storing and serving event data, the search head's function in displaying events and generating reports, and the Cluster Master's responsibility in managing the indexer cluster and data replication. The paragraph also explains the Search Head Deployer's role in deploying apps to search head members and the Deployment Server's function as a centralized configuration manager. Lastly, it discusses the License Master's role in controlling license slaves and managing licensing volumes.

Keywords

💡Splunk

Splunk is a suite of software used for searching, monitoring, and analyzing machine-generated big data, via a web-style interface. In the video's context, it is the central theme, as all discussed components and roles are part of the Splunk ecosystem.

💡Splunk Universal Forwarder (UF)

The Splunk Universal Forwarder is a lightweight software package that collects data from various servers or endpoints. It's an essential component in the Splunk architecture for gathering events, as mentioned in the script with examples of monitoring file updates and NTP service synchronization.

💡Event Parsing

Event parsing is the stage in which Splunk breaks a data stream into individual events (by default one per line), extracts each event's timestamp, and assigns the metadata fields source, sourcetype and host. It has to happen before data can be indexed correctly, and, as the script explains, it is done by a Heavy Forwarder or an Indexer, not by the Universal Forwarder.

💡Heavy Forwarder

The Heavy Forwarder is a role that can be configured within the Splunk Enterprise package. It is more capable than the Universal Forwarder, with the ability to parse events and apply filters to remove unwanted data, thus saving on indexing resources and license usage, as explained in the script.
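Added example (not from the video): the configuration fragments below show, in Splunk's own .conf syntax, where each capability discussed under Event Parsing and Heavy Forwarder lives. The file path, the sourcetype name, the index name and the log lines are constructed for illustration. The inputs.conf stanzas belong on the Universal Forwarder; the props.conf and transforms.conf stanzas must be on the first full Splunk Enterprise instance that receives the data, that is the Heavy Forwarder if there is one, otherwise the indexers.

```ini
# --- constructed sample of /var/log/myapp/app.log (hypothetical application) ---
# 2020-08-31 08:45:01 INFO  user=alice action=login src=10.0.0.5
# 2020-08-31 08:45:02 DEBUG cache miss for session 9f3a
# 2020-08-31 08:45:03 WARN  user=bob action=login failed src=10.0.0.9

# ===== inputs.conf on the Universal Forwarder =====
# The UF only tails the file and tags the stream with source/sourcetype/host.
# It does not break events, find timestamps or evaluate the keyword filter below.
[monitor:///var/log/myapp/app.log]
sourcetype = myapp:log
index = app

# The one filter a UF can apply: Windows Event Log inputs support blacklists.
# This drops process-creation events (EventCode 4688) caused by splunkd.exe itself.
[WinEventLog://Security]
disabled = 0
blacklist1 = EventCode="4688" Message="(?i)splunkd\.exe"

# ===== props.conf on the Heavy Forwarder (or on the indexers if there is no HF) =====
# This stanza is "event parsing": line breaking, timestamp extraction, and the
# transforms that run before an event reaches the index queue.
[myapp:log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TRUNCATE = 10000
TRANSFORMS-drop = myapp_drop_debug

# ===== transforms.conf on the same instance =====
# Events whose _raw matches REGEX are routed to nullQueue: they are discarded
# before indexing and therefore do not count against the daily license volume.
[myapp_drop_debug]
REGEX = ^\S+\s+\S+\s+DEBUG\b
DEST_KEY = queue
FORMAT = nullQueue
```

Applied to the three constructed lines, the INFO and WARN events are indexed under sourcetype myapp:log with their own timestamps, and the DEBUG line is dropped. Two caveats: Splunk .conf files do not support trailing comments on a value line, so keep comments on their own lines; and the UF does parse sourcetypes configured with INDEXED_EXTRACTIONS (structured CSV/JSON data), in which case the props.conf stanza for that sourcetype has to be on the UF. For everything else, parsing-stage settings placed on a UF are silently ignored, which is the usual reason a nullQueue filter "does not work".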

💡Deployment Server

The Deployment Server in Splunk is responsible for managing configurations and deploying applications to other Splunk instances, such as Universal Forwarders and Heavy Forwarders. It's a centralized configuration manager that streamlines the deployment process, as described in the script.

💡Indexer

An Indexer is a role within the Splunk Enterprise package that is responsible for storing, indexing, and serving search requests for data. It's a key component in the architecture, especially when discussing the performance implications of not having a Heavy Forwarder, as mentioned in the script.

💡Search Head

The Search Head is a role in Splunk that non-admin users interact with to run queries, generate reports, searches, dashboards, and manage knowledge objects. It's the interface through which users retrieve and analyze data stored in the Indexers, as explained in the script.

💡Cluster Master

The Cluster Master is the role that manages an indexer cluster in Splunk: it coordinates replication of bucket copies between peer nodes, repairs the copy counts after a peer fails, and tells Search Heads which peers and bucket copies are currently searchable, as depicted in the script's discussion of the Splunk architecture.
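Added example (not from the video): the server.conf [clustering] stanzas for the three-indexer, replication-factor-3 setup described above, written with the key names of the 2020-era releases the video refers to (mode = master / slave and master_uri; newer releases also accept manager / peer and manager_uri). Host names and the cluster label are hypothetical and the shared secret is a placeholder.

```ini
# ===== server.conf on the Cluster Master (this node does not index data) =====
[clustering]
mode = master
# every bucket gets 3 copies: with exactly 3 peers, that is one copy per peer
replication_factor = 3
# 2 of the 3 copies carry index files and are searchable (must be <= replication_factor)
search_factor = 2
# shared secret that every cluster node must present; placeholder value
pass4SymmKey = <shared-secret>
cluster_label = prod_idx_cluster

# ===== server.conf on each indexer (peer node) =====
[clustering]
mode = slave
master_uri = https://cm.example.com:8089
pass4SymmKey = <shared-secret>

# peers stream replica copies to each other on this port, to the targets the master assigns
[replication_port://9887]

# ===== server.conf on the search head =====
# The search head asks the master which peers (and which bucket copies) are
# currently searchable, then dispatches the search to those peers itself.
[clustering]
mode = searchhead
master_uri = https://cm.example.com:8089
pass4SymmKey = <shared-secret>
```

Set pass4SymmKey through the CLI (splunk edit cluster-config -secret ...) rather than by editing the file, so that Splunk stores it encrypted instead of in plaintext. With exactly three peers and a replication factor of 3, losing one peer leaves no spare node to re-replicate to, so the cluster cannot meet its replication factor until that peer returns; the master can, however, restore the search factor of 2 by making the remaining non-searchable copy searchable, which is what keeps all data searchable through a single peer failure.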

💡Search Head Deployer

The Search Head Deployer is responsible for deploying apps to the members of a Search Head cluster. Unlike standalone Search Heads, apps are not installed directly on Search Head cluster members, which is a point emphasized in the script.

💡Deployment App

A Deployment App in Splunk is a unit of content that is deployed to the members of one or more server classes. It's part of the deployment mechanism managed by the Deployment Server, as detailed in the script.

💡Server Class

A Server Class in Splunk is a combination of Deployment Clients and a Deployment App. It's used to categorize and manage similar configurations across different instances, as illustrated in the script with the example of deploying a TA to Windows servers.
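Added example (not from the video): a serverclass.conf on the Deployment Server and the matching deploymentclient.conf on a forwarder, implementing the Windows TA scenario described above. The host-name pattern, the deployment server address ds.example.com and the org_all_forwarder_outputs app are hypothetical; Splunk_TA_windows is the Splunk Add-on for Microsoft Windows.

```ini
# ===== $SPLUNK_HOME/etc/system/local/serverclass.conf on the Deployment Server =====
[global]
# deployment apps live here, one directory per app
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps

# Server class 1: every Windows host whose name starts with "win-".
# A server class = a set of deployment clients (selected by the filters)
#                + the deployment apps mapped to it (the :app: stanzas).
[serverClass:windows_servers]
whitelist.0 = win-*
machineTypesFilter = windows-x64

[serverClass:windows_servers:app:Splunk_TA_windows]
restartSplunkd = true
stateOnClient = enabled

# Server class 2: every client receives the shared outputs.conf app.
# A client can belong to several server classes: a "win-" host gets both
# Splunk_TA_windows and org_all_forwarder_outputs.
[serverClass:all_forwarders]
whitelist.0 = *
blacklist.0 = ds.example.com

[serverClass:all_forwarders:app:org_all_forwarder_outputs]
restartSplunkd = true

# ===== $SPLUNK_HOME/etc/system/local/deploymentclient.conf on each UF / HF =====
[deployment-client]
# how often the client checks in with the deployment server (seconds)
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = ds.example.com:8089
```

On the Deployment Server, splunk list deploy-clients (or the Forwarder Management page) shows which clients have checked in and which server classes matched them. One security point worth keeping in mind: a deployment app can contain scripted inputs that run on every client with the forwarder's privileges, so write access to the deployment-apps directory or to the Deployment Server's management port is effectively code execution on every deployment client. Treat the Deployment Server's admin credentials and host accordingly.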

💡License Master

The License Master is a role within the Splunk Enterprise package that controls access to Splunk licenses for one or more License Slaves. It manages licensing volume and can define stacks and pools for efficient license usage, as explained in the script.

Highlights

Introduction to Splunk components and two main software packages: Splunk Universal Forwarder and Splunk Enterprise.

Explanation of Splunk Universal Forwarder (UF) as a free, downloadable software for collecting events from servers or endpoints.

Examples of Universal Forwarder usage, including monitoring file updates and NTP service synchronization.

Description of how the Universal Forwarder can be managed by a Deployment Server.

Clarification that UF cannot parse events but Heavy Forwarder can, with an explanation of event parsing.

Details on Heavy Forwarder's ability to apply filters to remove unwanted events, saving on Splunk license usage.

Introduction to Splunk Enterprise's Heavy Forwarder role and its optional nature in small deployments.

Overview of Splunk Indexer's role in storing, indexing events, and serving search head requests.

Discussion on the importance of Heavy Forwarder in offloading indexer workload to maintain performance.

Architecture diagram explanation featuring Cluster Master, Search Head, Indexers, and Forwarders in a Splunk setup.

Function of Splunk Search Head in displaying events and generating reports, searches, dashboards.

Role of Splunk Cluster Master in managing the indexer cluster and data replication.

Description of how Search Head interacts with Cluster Master to fulfill user search requests.

Introduction to Splunk Search Head Deployer for deploying apps to search head members in a cluster.

Explanation of Splunk Deployment Server as a centralized configuration manager.

Definition of Deployment Client, Deployment App, and Server Class in the context of Splunk configurations.

Role of Splunk License Master in controlling license slaves and managing licensing volume.

Conclusion and call to action for likes, shares, and subscriptions for more educational content.

Transcripts

play00:00

hello everyone my name is balaji in this video you will learn splunk components

play00:05

let's look at two main splunk software packages which are used mainly in splunk

play00:09

deployment first one is splunk universal forwarder

play00:13

second one is splunk enterprise splunk enterprise software package can

play00:17

be set up to perform any of the roles which i'll explain here

play00:21

heavy forwarder indexer search head deployment server

play00:27

cluster master license master deployer before understanding splunk enterprise

play00:32

different roles first let's understand what is splunk universal forwarder

play00:36

splunk universal forwarder in short we call it as splunk uf

play00:40

splunk uf is a separate software package it is free to download

play00:44

license is not required

play00:47

we install splunk universal forwarder on servers or endpoints from where we want

play00:51

to collect events let's understand few examples of

play00:55

universal forwarder usage first example is you have a file which

play01:01

is continuously getting updated with new events

play01:04

you want to collect events as soon as the file is updated with new events

play01:09

another example is you want to monitor ntp service

play01:13

to check whether the server is syncing with your company ntp server or not

play01:17

you can write a script add it to an application the application can be

play01:20

deployed to universal forwarder installed on the server uf can be

play01:24

managed by deployment server i'll explain what is deployment

play01:29

server in this video later as i mentioned earlier application can

play01:33

be deployed to universal forwarder the application deployment is possible

play01:36

by deployment server UF cannot parse events let's

play01:43

understand what is event parsing while uf reads the data stream from its

play01:48

source breaks into 64k blocks breaking the stream of data

play01:53

into individual lines is one of the features of event parsing

play01:57

identifying timestamp of each event happens at the time of parsing only

play02:01

timestamp is crucial for each event in splunk because events are indexed with

play02:05

their timestamps adding meta fields source source type

play02:09

and host to each event happens at the time of event parsing only

play02:14

uf is not capable of parsing events but heavy forwarder is capable

play02:18

uf cannot apply filters to remove unwanted events for example

play02:22

you have a file to read events from you don't want to index certain events

play02:26

based on some keyword criteria this is not possible with uf

play02:30

having said that it can apply filters on windows events

play02:33

splunk heavy forwarder is one of the roles of splunk enterprise package

play02:37

to have heavy forwarder in your deployment you should download splunk

play02:40

enterprise only and then configure splunk enterprise to

play02:43

act as heavy forwarder

play02:47

splunk hf is an optional component because hf role can be added to an

play02:51

indexer if splunk deployment is very small where

play02:54

not much data is indexed per day

play02:58

but I, as a splunk consultant, recommend heavy forwarders to offload

play03:01

indexer's workload hf can be managed by deployment server

play03:06

updating or creating new configurations or

play03:09

applications on heavy forwarder can be done by deployment server

play03:14

hf can parse events i have already discussed what is event parsing

play03:18

event parsing can be done by heavy forwarder or indexer if there is no hf

play03:24

hf can apply filters to remove unwanted events this will save splunk license

play03:29

filtering of events cannot be done by universal forwarder but hf can do the

play03:33

job this will save splunk license splunk

play03:36

license works based on how much volume of data we are indexing per day

play03:41

splunk indexer is another role of splunk enterprise package

play03:44

this is example splunk architecture diagram where the architecture is set up

play03:48

with cluster master search head three indexers two

play03:51

forwarders peer nodes highlighted in red color box

play03:55

are nothing but indexers

play03:59

splunk indexer is mainly used to store events indexes them

play04:03

and serve requests of splunk search head if no hf parsing and filtering of events

play04:09

will be done by indexer this is the main reason i have mentioned

play04:13

splunk heavy forwarder is optional but having no hf will

play04:16

overload indexer and reduce performance of splunk search

play04:19

if it is not properly sized its cpu and memory

play04:22

indexers are also called search peers if they are part of an indexer cluster

play04:27

you can see in the diagram indexers are called peer nodes because they are

play04:30

participating in indexer cluster

play04:34

indexers are managed by cluster master node if they are in an indexer cluster

play04:38

you can see red color double sided arrow connecting master node and each peer

play04:42

node in the right side diagram splunk search

play04:45

head is another role of splunk enterprise package

play04:49

splunk users who are not splunk admins mainly interact with splunk search

play04:55

splunk search head shows events that are stored in indexer when

play04:59

user runs query

play05:03

splunk search head is used to generate reports searches

play05:06

dashboards and also to create field aliases calculated fields

play05:10

lookups event types and tags in splunk terms we call reports searches

play05:17

dashboards fields lookups event types tags knowledge objects

play05:25

splunk cluster master is another role of splunk enterprise package

play05:29

splunk cluster master manages indexer cluster

play05:32

you can see there are three indexers and replication factor is set to 3

play05:36

which means when forwarder starts sending data to indexer

play05:40

the data should be replicated in 3 indexers let's say there are 10 indexers

play05:45

and indexer which is receiving data doesn't know that to which indexer

play05:48

replication copy of data should go instruction will be given to indexer by

play05:53

cluster master where to stream replica in case of peer

play05:57

node failure adjusting cluster buckets will also be

play06:00

done by cluster master when user types something in search of

play06:03

search head and hit search button search head will first contact cluster

play06:07

master to understand where the data exactly resides

play06:10

cluster master will instruct search head for example

play06:14

the data you are looking for is available in indexer 3

play06:17

and 4 then search head will contact indexer 3 and 4

play06:21

to fulfill user search request

play06:25

creating new index applying props or transforms

play06:28

will be done on cluster master and then they will be deployed to peer nodes

play06:34

unlike indexers master node doesn't index data

play06:38

only one master node for one indexer cluster

play06:42

splunk search head deployer is another role of splunk enterprise package

play06:46

search head deployer is used to deploy apps to search head members of a search head cluster

play06:50

unlike we install apps on standalone search head directly

play06:53

it's not recommended to install apps directly on search members

play06:57

in search head cluster

play07:01

splunk deployment server is another role of splunk enterprise package

play07:05

you can see here in the picture single deployment server below

play07:09

and then server class and deployment clients

play07:13

a splunk enterprise instance that acts as centralized configuration manager

play07:17

it deploys configuration updates to other instances

play07:20

also refers to the overall configuration update facility

play07:24

comprising deployment server, clients and apps

play07:27

what is deployment client a remotely configured splunk universal forwarder

play07:31

or enterprise instance it receives updates from the deployment server

play07:35

what is deployment app a unit of content deployed to the members of one or more

play07:41

server classes what is server class server class is

play07:46

nothing but combination of deployment client and deployment app for

play07:50

example you have windows ta which contains

play07:53

inputs to collect windows event logs and you want to deploy this ta to all

play07:57

windows servers the new server class will combine ta which is basically

play08:01

deployment app and windows servers which are basically deployment clients

play08:05

the deployment client can belong to multiple server classes

play08:09

splunk license master is another role of splunk enterprise package

play08:15

license master controls one or more license slaves

play08:18

what is license slave the license master provides

play08:23

its slaves access to splunk enterprise licenses and

play08:26

in the case of indexers associated licensing volume

play08:30

from the license master we can define stacks pools

play08:33

on licensing capacity and manage license slaves

play08:38

thanks for watching please like share and subscribe for more videos


Related tags
Splunk Components, Data Collection, Event Parsing, Universal Forwarder, Heavy Forwarder, Indexer Role, Search Head, Deployment Server, Cluster Master, Licensing Management, Splunk Consultant