Picking up where we left off yesterday. Here is a quick and interesting view of the components, processes and installation planning of the solution. I know these posts may be repetitive in nature, but they are the foundation of a well-implemented solution.
Core Components and Processes
This section describes the core components and processes of Splunk, with a brief explanation of each.
Search Heads
* Allow users to submit search requests using SPL (Search Processing Language)
* Distribute search requests to the indexers
* Consolidate results and render visualizations of results
* Store search-time knowledge objects (field extractions, alerts and dashboards)
Indexers
* Receive incoming data from forwarders
* Index and store data in Splunk indexes
* Search data in response to requests from Search Heads
Forwarders
* Monitor configured inputs and forward data to the indexers (best practice data collection method)
* Require minimal resources and are typically installed on the machines that produce the data
Deployment Server
* Acts as a centralized configuration manager for any number of deployment clients
* Must run on a Splunk Enterprise instance
Installation Overview
As with any installation, preparation and planning are key!
* Deployment Planning
* Pre-Installation
* Installation
* Post-Installation
Software in Splunk Enterprise Package
This package contains different server roles, and here is a quick high-level overview of them:
The Universal Forwarder is a package installed directly on the machines that produce the data; think of it as a small agent that collects and sends the data to the Splunk Indexers.
Server and Hardware
Server and hardware recommendations vary with the role you are planning, but for the majority of deployments you will be dealing with Indexers and Search Heads.
Indexers
* OS: Linux or Windows 64-bit distribution
* Memory: 12 – 128GB of RAM
* CPU: 12 – 48 CPU cores, 2+ GHz
* Disk: disks capable of 800+ IOPS; SSD subsystems for Hot/Warm buckets
Search Heads
* OS: Linux or Windows 64-bit distribution
* Memory: 12GB of RAM
* CPU: 16 CPU cores, 2+ GHz
* Disk: 2 x 10K RPM 300GB SAS drives or better
For some light reading on sizing the systems that host a Splunk deployment, here are some excellent documents directly from Splunk:
* Reference Hardware
* System Requirements
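As an added example (my own script, not Splunk's tooling) for the Pre-Installation step, this bash function checks a host's core count and RAM against the minimums listed above for each role. Disk IOPS is not measured here; the role names `indexer` and `searchhead` and the function name `check_role` are my own choices.

```bash
#!/usr/bin/env bash
# Pre-installation sizing check against the recommendations in this post.
# Only the minimum cores and RAM are checked; disk throughput needs a
# separate benchmark (e.g. the 800+ IOPS target for indexers).
set -u

# check_role ROLE CORES RAM_GB
# Prints one line per check and returns 0 only when every minimum is met.
check_role() {
  role=$1; cores=$2; ram_gb=$3
  rc=0
  case "$role" in
    indexer)    min_cores=12; min_ram=12 ;;   # 12-48 cores, 12-128GB RAM
    searchhead) min_cores=16; min_ram=12 ;;   # 16 cores, 12GB RAM
    *) echo "unknown role: $role (use indexer|searchhead)"; return 2 ;;
  esac
  if [ "$cores" -lt "$min_cores" ]; then
    echo "FAIL $role: $cores cores < recommended minimum $min_cores"; rc=1
  else
    echo "OK   $role: $cores cores"
  fi
  if [ "$ram_gb" -lt "$min_ram" ]; then
    echo "FAIL $role: ${ram_gb}GB RAM < recommended minimum ${min_ram}GB"; rc=1
  else
    echo "OK   $role: ${ram_gb}GB RAM"
  fi
  return $rc
}

# Host detection for Linux; prints 0 when the information is unavailable.
host_cores() { nproc 2>/dev/null || echo 0; }
host_ram_gb() {
  awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 / 1024 }' /proc/meminfo 2>/dev/null || echo 0
}

# Usage: ./sizing-check.sh indexer   (or searchhead)
if [ -n "${1:-}" ]; then
  check_role "$1" "$(host_cores)" "$(host_ram_gb)"
fi
```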
Lastly, for this post we will go over the default network ports.
Default Network Ports
What is next?
I know the posts are getting a bit longer and full of information that was never shared in the different classes, as they were very fundamental in nature. The next section will go over some best-practice configurations and ways of boosting your Splunk installation on Linux.
About the Author:
Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, as well as financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies, including Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT service provider infrastructures.