
Distributed versus clustered Splunk environments

It may also be helpful to define the difference between distributed and clustered Splunk deployments before we go further.

In a non-distributed, non-clustered environment, you will have Splunk Enterprise installed on a single server instance—this single machine handles all of the indexing of data and searches of that data (as well as all the other Splunk functions). 

A distributed environment describes the separation of indexing and searching logic in Splunk. In the simplest example of a distributed environment, the indexing and search functions are divided across at least two machines: an indexer on one server that receives and indexes data, and a search head on a separate server that communicates with the indexer to service search requests. That gives two instances, each performing a different function.

In a clustered environment, you would combine multiple indexers and/or search heads into an indexing/search head cluster for high availability (in case a server goes down) and data redundancy (storing more than one copy of the data across the indexing cluster). If you want to provide even better disaster recovery, you can build a multisite cluster wherein you have two indexing and/or search head clusters at different physical locations, or sites in Splunk terminology.

So, a distributed Splunk deployment does not necessarily indicate a clustered one, but a clustered deployment does imply a distributed one, since there are multiple instances (clusters) of indexers and/or search heads that perform separate functions.

If you implement a distributed and clustered environment, you will also need to implement a license master to provide licensing services to all of the separate Splunk components. If you implement a clustered indexing tier, you will need a cluster master to distribute configuration files that affect parsing and indexing operations across the indexing tier. In a similar fashion, if you implement a search head cluster, you will want to provide a deployer that manages the distribution of applications and configuration files across the search cluster. Finally, you will also want to use a deployment server to manage and distribute data input configuration files to all the universal forwarders. We will cover the specifics of all these components in later sections of this chapter.

For the examples of implementing and administering Splunk in this book, we are going to assume that we have a distributed environment that employs an indexing cluster and search head cluster, as this is the most common configuration in use at most companies.
