Splunk Deployment Topologies
Splunk Enterprise deployments are variants of distributed search. They differ mainly in how they split the three processing tiers, whether they cluster indexers, whether they cluster search heads, and which management components coordinate those systems.
[ Data Input ] forwarders
↓
[ Indexing ] independent indexers or indexer cluster
↓
[ Search Management ] independent search head or search head cluster
Common Topologies
| Topology | Shape | When it appears |
|---|---|---|
| Basic distributed search | One or more search heads over independent indexers | Small or simpler deployments |
| Indexer cluster | Search heads over clustered indexers with a manager node | Higher data availability and centralized indexer coordination |
| Search head cluster | Multiple search heads over independent indexers or an indexer cluster | Shared search-management capacity and higher availability |
| Combined indexer cluster and search head cluster | Search head cluster over indexer cluster | Larger deployments that need both clustered tiers |
All of these topologies still rely on forwarders for data input.
Scaling Model
The page describes three processing tiers:
- Data input through forwarders
- Indexing and storage through indexers
- Search management through search heads
Scaling usually means adding more components to a tier, then grouping indexers or search heads into clusters when management simplicity or high availability becomes important.
What You Might Inherit
- A deployment usually contains only a subset of all possible Splunk component types
- Production deployments typically place each Splunk Enterprise instance on its own machine
- Management components are often co-located with other components, especially in smaller environments
- You might still encounter search head pooling, but Splunk documents it as uncommon and deprecated in favor of search head clustering
Discovery View
The topology page is also a discovery playbook for inherited environments:
- Locate Splunk Enterprise and universal forwarder instances
- Identify which components each instance hosts
- Identify relationships between those components
If the deployment has a monitoring console, Splunk recommends using it to discover both components and relationships. Otherwise, inspect configuration files on each instance.
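When no monitoring console is available, the configuration-file inspection can be scripted. The sketch below is an added example, not code from Splunk or from the page this note summarizes: it reads the text of `server.conf`, `distsearch.conf`, and `outputs.conf` from one instance and reports which components the instance hosts and which other instances it points to. The stanza and setting names are taken from Splunk's conf file specifications rather than from this page, and the host names in the sample are constructed.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {setting: value}}."""
    stanzas, current = {}, "default"
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def items(value):
    return [v.strip() for v in value.split(",") if v.strip()]

CLUSTER_MODES = {"manager": "cluster manager", "master": "cluster manager",  # master/slave: legacy names
                 "peer": "cluster peer", "slave": "cluster peer", "searchhead": "search head"}

def classify(confs):
    """confs: {file name: text}. Setting names assumed from Splunk's conf specs, not this page."""
    parsed = {name: parse_conf(text) for name, text in confs.items()}
    roles, links = set(), []
    server = parsed.get("server.conf", {})
    clustering = server.get("clustering", {})
    mode = clustering.get("mode", "disabled").lower()
    if mode in CLUSTER_MODES:
        roles.add(CLUSTER_MODES[mode])
        manager = clustering.get("manager_uri") or clustering.get("master_uri")
        if manager and CLUSTER_MODES[mode] != "cluster manager":
            links.append(("cluster manager", manager))
    # [shclustering] counts only when the stanza explicitly enables it
    if server.get("shclustering", {}).get("disabled", "true").lower() in ("0", "false"):
        roles.add("search head cluster member")
    dist = parsed.get("distsearch.conf", {}).get("distributedSearch", {})
    for peer in items(dist.get("servers", "")):
        roles.add("search head")
        links.append(("search peer", peer))
    for stanza, settings in parsed.get("outputs.conf", {}).items():
        if stanza.startswith("tcpout:"):
            for target in items(settings.get("server", "")):
                roles.add("forwards data")
                links.append(("forwards to", target))
    return sorted(roles), links

# Constructed sample (made-up hosts): a search head attached to an indexer cluster
SAMPLE = {"server.conf": "[clustering]\nmode = searchhead\nmanager_uri = https://cm.example.com:8089\n",
          "outputs.conf": "[tcpout:idx]\nserver = idx1.example.com:9997, idx2.example.com:9997\n"}
```

Splunk layers each `.conf` file across several directories, so feed this the merged settings (for example the output of `splunk btool server list`) rather than a single file from disk. The "forwards data" label marks behaviour rather than a forwarder install, since search heads and indexers can also forward.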
See Also
- splunk-processing-components — forwarders, indexers, and search heads
- splunk-management-components — monitoring, deployment, licensing, and cluster coordination roles