• Overview
  • Overview
  • Splunk Architecture
• REST API
  • Splunk's REST API
    • Using REST Methods
    • Splunk REST endpoint mappings
    • HTTP ports Splunk uses
    • What you need to know about searching with Splunk
    • Other important topics
  • Authentication methods
    • HTTP Header
    • HTTP digest
    • Old school
  • Login
    • /services/auth/login
  • Legacy methods
    • /services/invokeapi/legacy_method_name
  • Properties
    • /services/properties
    • /services/properties/file_name
    • /services/properties/file_name/stanza_name
    • /services/properties/file_name/stanza_name/key_name
  • Search
    • /services/search/jobs
    • /services/search/jobs/search_id
    • /services/search/jobs/search_id/events
    • /services/search/jobs/search_id/results
    • /services/search/jobs/search_id/timeline
    • /services/search/jobs/search_id/summary
    • /services/search/jobs/search_id/control
  • Streaming
    • /services/streams/search
    • /services/streams/livetail
• Configuration files
  • How do configuration files work?
    • Configuration file directory structure
    • Configuration file precedence
  • Create Regular Expressions
    • Filename
    • Format
    • Attributes
    • Splunk Reserved Keys
    • Examples
  • Add & Override Properties
    • Filename
    • Format
    • Spec
    • Attributes
    • Linemerging
    • Timestamp extraction configuration
    • Typing configuration
    • Class configuration
    • Source Type configuration
    • Examples
  • Add Input Configurations
    • Filename
    • Format
    • Input Types
    • Attributes
    • Additional Attributes
    • Examples
  • Recognize Source Types
    • Filename
    • Format
    • Examples
• Splunk Web appearance
  • How Splunk Uses Skins
    • Skins css Files
    • Images/skins directory
  • Add or remove themes
    • Create a new skin
    • Examples

Splunk Architecture

Splunk is a high performance, scalable software server written in C/C++ and Python. It indexes and searches logs and other IT data in real time. Splunk works with data generated by any application, server or device. After downloading, installing, and starting Splunk, you'll find two Splunk Server processes running on your host, splunkd and splunkweb.

• splunkd is a distributed C/C++ server that accesses, processes and indexes streaming IT data and also handles search requests. splunkd processes and indexes your data by streaming it through a series of pipelines, each made up of a series of processors.
  • Pipelines are single threads inside the splunkd process, each configured with a single snippet of XML.
  • Processors are individual, reusable C or C++ functions that act on the stream of IT data passing through a pipeline. Pipelines can pass data to one another via queues. splunkd supports a command line interface for searching and viewing results.

• splunkweb is a Python-based application server providing the Splunk Web user interface. It allows users to search and navigate IT data stored by Splunk servers and to manage your Splunk deployment through the browser interface.

splunkweb and splunkd can both communicate with your web browser via REST.

• Splunk's data store manages the original raw data in compressed format as well as the indexes into the data. Data can be deleted or archived based on retention period or maximum data store size.

• Splunk Servers can communicate with one another using a TCP-based protocol to forward data from one server to another and to distribute searches across multiple servers.

• Configuration bundles are directories of files that contain configuration settings including, user accounts, saved searches, data inputs and processing properties to easily create specific Splunk environments.

• Modules are files that add new functionality to Splunk by adding to or modifying existing processors and pipelines. They can include C++ code libraries.