Components

Components

Here are descriptions of the various components of Splunk's architecture. This page focuses on the most useful aspects of Splunk's architecture for developing against the Splunk platform.

Processes

A Splunk server runs two processes running on your host, splunkd and splunkweb:

• splunkd is a distributed C/C++ server that accesses, processes and indexes streaming IT data. It also handles search requests. splunkd processes and indexes your data by streaming it through a series of pipelines, each made up of a series of processors.
  • Pipelines are single threads inside the splunkd process, each configured with a single snippet of XML.
  • Processors are individual, reusable C or C++ functions that act on the stream of IT data passing through a pipeline. Pipelines can pass data to one another via queues. splunkd supports a command line interface for searching and viewing results.
• splunkweb is a Python-based application server providing the Splunk Web user interface. It allows users to search and navigate IT data stored by Splunk servers and to manage your Splunk deployment through a web interface.

splunkweb and splunkd can both communicate with your web browser via REST:

• splunkd also runs a webserver on port 8089 with SSL/HTTPS turned on by default.
• splunkweb runs a web server on port 8000 without SSL/HTTPS by default.

Configuration files

Most of Splunk's advance configurations are affected via configuration files.

Important files for developers include:

• authorize.conf: Use this file to create capabilities for scripts.
• restmap.conf: Use this file to create and configure new rest endpoints.
• server.conf: Use this file to configure the HTTP server and applications management settings.
• web.conf: Settings for the Splunk Web HTTP server.
• app.conf: Create dynamic user entry fields for your custom application.
• streams.conf: Configure settings for streams

A complete list of configuration files is located here.