• This guide
  • About the Splunk Deployment Guide
• Splunk components
  • Components of a Splunk deployment
    • Indexer
    • Forwarder
    • Deployment server
  • Data inputs
    • File and directory inputs
    • FIFO queues
    • Network ports
    • Scripted inputs
    • Windows event logs and WMI
• Deployment options
  • Single index server deployment models
    • Splunk installed on existing aggregation host
    • Splunk with direct network inputs
    • Splunk installed on a host receiving batched IT data moves
    • Splunk indexing data on a remote mount / network storage
    • Splunk installed on all servers forwarding data
  • Multiple index server deployment options
    • Distributed search with data balancing
    • Data cloning for high availability
    • Data routing
    • Index and search tiers for massive scalability
  • High availability and Splunk
    • Considerations for Splunk Web objects and user data in high availability
    • Working with load balancers
    • Files to rsync
• Deployment tuning
  • Splunk tuning factors
  • Hardware tuning factors
    • Input / Output
• Capacity planning
  • Splunk benchmarks
    • Benchmark test overview
    • Benchmark tests

Single index server deployment models

You have many deployment options even when using a single Splunk index server. Let's see how you can use a single Splunk index server with different IT data inputs.

Splunk installed on existing aggregation host

In this deployment model, Splunk is installed on an existing aggregation host and indexes log data as it is written to disk by the local system's syslog receiver. These deployments are simple to execute, and you can easily increase their scope at a later point.

Splunk with direct network inputs

It's also simple to implement network-based data gathering with Splunk. Splunk supports multiple TCP and UDP inputs to enhance deployment flexibility.

Splunk installed on a host receiving batched IT data moves

Another way that you can deploy Splunk is with batched data moves. Remote systems copy log data after rotation intervals to a central location, where Splunk is indexing data.

Splunk indexing data on a remote mount / network storage

You can also index data on a network storage device or remote mount. Splunk indexes the data on the network storage device with all the flexibility of other configurations.

Splunk installed on all servers forwarding data

In this deployment, Splunk is installed on all systems in the topology. Deploying Splunk on a wide scale provides significant benefits to data access, change management and distribution capabilities. By installing Splunk on more systems, you can access local application logs, capture status information, monitor change on your systems, use enhanced data distribution features such as routing, cloning and balancing, and more.