Architecture

How Splunk turns a log line into an answer.

Splunk has a small number of components that each do one job. Once you can name them and say what they do, the rest of the platform stops feeling mysterious. This guide follows a single event from the machine that produced it all the way to a number on a dashboard.

The journey

From event to search result

1. A machine writes a log. A server records a login, a firewall records a blocked connection, an app records an error. This is raw data sitting on the source machine.
2. A forwarder ships it. A lightweight forwarder installed on the source reads new log lines and sends them on. The universal forwarder is the common, low-overhead choice for this.
3. An indexer receives and indexes it. The indexer parses the data, assigns a timestamp, breaks it into events, and writes it to an index so it can be searched quickly later.
4. A search head answers questions. When you run a search, the search head asks the indexers for matching events and assembles the result. This is where SPL runs and dashboards are served.

Components in detail

What each part is responsible for

Forwarders

  • Universal forwarder: small, fast, just ships data.
  • Heavy forwarder: can parse and route before sending.
  • Most endpoints run the universal forwarder.

Indexers

  • Do the heavy lifting of parsing and storage.
  • Hold the indexes that searches run against.
  • Scale out by adding more indexers (indexer clustering).

Search heads

  • Where users log in, search, and build dashboards.
  • Coordinate searches across many indexers.
  • Can be clustered so a team shares saved knowledge.

Management components

  • Deployment server pushes config to forwarders.
  • Cluster managers keep clustered indexers in sync.
  • License and monitoring components watch the whole estate.

Scaling up

Single instance vs distributed

Single instance

  • One machine does forwarding, indexing, and searching.
  • Perfect for learning, labs, and small data volumes.
  • This is what most people install first.

Distributed deployment

  • Roles split across many machines for scale and resilience.
  • Indexer and search-head clusters handle large environments.
  • This is what production SOCs usually run.

Why it matters for you

What to actually learn first

You do not need to build a clustered deployment to be useful. Start by installing a single instance, forwarding some sample data into it, and writing searches against that data. Once you can explain the forwarder → indexer → search-head path out loud, you understand more of Splunk's architecture than most people who have used it for a year.
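The four steps of the journey above, and the single-instance lab this section recommends, as one added example (not from this page or from Splunk's own documentation): the minimal configuration stanzas that carry an auth log from a universal forwarder into an index and make it searchable. The hostname `indexer.lab.example`, the index name `lab_auth`, the sourcetype `lab:auth` and the ISO-8601 timestamp layout are assumptions for the lab; the file paths under `$SPLUNK_HOME/etc/system/local` are the standard locations.

```ini
# --- Step 2: on the universal forwarder ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Read new lines from the auth log; tag them with the index and sourcetype.
[monitor:///var/log/auth.log]
disabled = false
index = lab_auth
sourcetype = lab:auth

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Ship to the indexer's receiving port (hostname assumed). useACK makes the
# forwarder keep data until the indexer confirms it was written.
[tcpout]
defaultGroup = lab_indexers

[tcpout:lab_indexers]
server = indexer.lab.example:9997
useACK = true

# --- Step 3: on the indexer ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Open the port the forwarder sends to.
[splunktcp://9997]
disabled = false

# $SPLUNK_HOME/etc/system/local/indexes.conf
# Create the index the forwarder named; events addressed to an index that
# does not exist are dropped by default.
[lab_auth]
homePath = $SPLUNK_DB/lab_auth/db
coldPath = $SPLUNK_DB/lab_auth/colddb
thawedPath = $SPLUNK_DB/lab_auth/thaweddb

# $SPLUNK_HOME/etc/system/local/props.conf
# How to break the stream into events and where the timestamp is, assuming
# each line begins with an ISO-8601 time such as 2024-05-01T12:34:56+0000.
[lab:auth]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 25

# --- Step 4: on the search head (SPL typed into the search bar) ---
# Count failed SSH logins per source address and flag the noisy ones.
# index=lab_auth sourcetype="lab:auth" "Failed password"
# | rex "from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
# | stats count AS failures BY src_ip
# | where failures > 20
```

On a single instance the forwarder and indexer stanzas live on the same machine, so you can skip outputs.conf and point the monitor input straight at the local index; restart Splunk after editing any of these files so the change is picked up.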

When you are ready to practise, the labs page has hands-on exercises, and the SIEM architecture guide shows how these components map onto the general SIEM pipeline.