Splunk Architecture Components

A Splunk deployment consists of several key components that work together. Understanding these components is essential for any admin.

The Search Head is where users run searches and create dashboards. It sends search requests to Indexers and merges the results. The Indexer receives, parses, and stores data in indexes, and also handles search requests from Search Heads.

Forwarders are lightweight agents installed on data sources. They collect data and send it to Indexers. The Deployment Server manages configurations across many forwarders.