
Splunk's architecture and what gets installed

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6

This topic discusses Splunk's internal architecture and processes at a high level. If you're looking for information about third-party components used in Splunk, refer to the credits section in the Release notes.

Processes

A Splunk server runs two processes on your host, splunkd and splunkweb:

  • splunkd is a distributed C/C++ server that accesses, processes and indexes streaming IT data. It also handles search requests and supports a command line interface for searching and viewing results. splunkd processes and indexes your data by streaming it through a series of pipelines, each made up of a series of processors:
    • Pipelines are single threads inside the splunkd process, each configured with a single snippet of XML. Pipelines can pass data to one another via queues.
    • Processors are individual, reusable C or C++ functions that act on the stream of IT data passing through a pipeline.
  • splunkweb is a Python-based application server built on CherryPy that provides the Splunk Web user interface. It allows users to search and navigate IT data stored by Splunk servers and to manage your Splunk deployment through a Web interface.

Both splunkweb and splunkd can communicate with your Web browser via REST, but their default transport security differs:

  • splunkd runs a Web server on port 8089 with SSL/HTTPS turned on by default.
  • splunkweb runs a Web server on port 8000 without SSL/HTTPS by default, so traffic between the browser and the Splunk Web interface is unencrypted until SSL is enabled.

Architecture diagram

[Figure: Architecture diagram (Architecture.png)]

Revision: 207