Splunk Processing Components
Splunk groups its primary runtime roles into processing components and management components. Processing components are the parts that ingest, store, search, and coordinate data flow through a deployment.
Component Types
| Component | Core job | Typical placement | Variants |
|---|---|---|---|
| Forwarder | Ingest raw data and forward it onward | Usually on application hosts such as web servers | Universal forwarder, heavy forwarder, light forwarder, intermediate forwarder |
| Indexer | Receive, index, store, and search data | Usually on dedicated machines | Independent indexer, clustered indexer / peer node |
| Search head | Handle user search requests, distribute searches to indexers, merge results, expose dashboards/tools | Usually on dedicated machines | Independent search head, search head cluster member, search head node in an indexer cluster, search head pool member |
Forwarders
Forwarders are the entry point for external data. The universal forwarder is the most common type. In more complex deployments, forwarders can send data through intermediate forwarders before it reaches indexers.
Key implications:
- Data input is distributed close to the source systems
- Forwarders are expected on non-Splunk application hosts
- Not every forwarder is a full Splunk Enterprise instance; the universal forwarder is a lightweight separate executable
Indexers
Indexers store the data and participate in search execution. In non-clustered deployments they are independent nodes. In clustered deployments they are peer nodes that replicate data among themselves for availability.
The topology page treats indexers as the middle processing tier:
- receive incoming data from forwarders
- index and store that data
- execute search work on local data when search heads dispatch requests
Search Heads
Search heads manage the search experience rather than storing the data themselves. They receive user requests, distribute search work to indexers, merge results, and provide operational and analytical interfaces such as dashboards.
The page notes one secondary behavior worth remembering: a search head can forward its own internal data to indexers, but that forwarding is not its primary role.
Operational Rules of Thumb
- A deployment usually contains only some of the possible component types
- An instance usually hosts at most one primary processing component
- A single machine can host multiple instances, but Splunk describes that as unusual outside test environments
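
The tier flow and rules of thumb above can be turned into an inventory review. This is an added example, not Splunk tooling or code from the source pages: it flags instances carrying more than one processing component, machines with several instances outside test, and forwarders whose data never reaches an indexer. The inventory format, field names and instance names are assumptions made for illustration.

```python
from collections import defaultdict

PROCESSING = {"forwarder", "indexer", "search_head"}

# Constructed sample inventory; hosts, names and fields are hypothetical.
INVENTORY = {
    "uf-web01": {"host": "web01", "roles": {"forwarder"}, "sends_to": ["hf-dmz01"], "env": "prod"},
    "hf-dmz01": {"host": "dmz01", "roles": {"forwarder"}, "sends_to": ["idx01"], "env": "prod"},
    "uf-web02": {"host": "web02", "roles": {"forwarder"}, "sends_to": ["sh01"], "env": "prod"},
    "idx01":    {"host": "idx01", "roles": {"indexer"}, "sends_to": [], "env": "prod"},
    # A search head may forward its own internal data to indexers; not flagged.
    "sh01":     {"host": "sh01", "roles": {"search_head"}, "sends_to": ["idx01"], "env": "prod"},
    "combo01":  {"host": "idx01", "roles": {"indexer", "search_head"}, "sends_to": [], "env": "prod"},
}

def reaches_indexer(name, inv, seen=()):
    """True if at least one path from `name` ends at an indexer via forwarders only."""
    for nxt in inv[name]["sends_to"]:
        target = inv.get(nxt)
        if target is None or nxt in seen:
            continue  # unknown receiver or forwarding loop
        if "indexer" in target["roles"]:
            return True
        # Only intermediate forwarders may relay; a search head is not a relay.
        if "forwarder" in target["roles"] and reaches_indexer(nxt, inv, seen + (name,)):
            return True
    return False

def audit(inv):
    """Return (subject, reason) pairs that deserve a manual review."""
    findings = []
    per_host = defaultdict(list)
    for name, inst in sorted(inv.items()):
        per_host[(inst["host"], inst["env"])].append(name)
        primary = inst["roles"] & PROCESSING
        if len(primary) > 1:
            findings.append((name, "multiple processing components: " + ", ".join(sorted(primary))))
        if "forwarder" in inst["roles"] and not reaches_indexer(name, inv):
            findings.append((name, "forwarded data never reaches an indexer"))
    for (host, env), names in sorted(per_host.items()):
        if len(names) > 1 and env != "test":
            findings.append((host, "multiple instances on one machine: " + ", ".join(names)))
    return findings

if __name__ == "__main__":
    for subject, reason in audit(INVENTORY):
        print(f"{subject}: {reason}")
```

The findings are review prompts rather than errors, since the rules above are stated as what a deployment usually looks like.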
See Also
- splunk-deployment-topologies — how processing tiers combine into full deployment patterns
- splunk-management-components — the supporting control-plane roles around these components