Distributed Splunk workflow understanding

Hello Splunkers! I am currently setting up a distributed Splunk system in our company. It consists of: 2 Indexers and a Cluster Master Node, a standalone Search Head and a standalone Deployer/License Master. Please help me to clarify the logic behind such a system. As far as I understand it currently, the complete workflow looks like the following:

1. Forwarders send data directly to the Indexers (to both of them in turn, as it's configured with inputs.conf); they use TCP:9997 for that type of communication.
2. After the data reaches one of the Indexers, it gets indexed first, then the Indexers replicate the received data to each other, using TCP:8080 for that.

That's it with data getting into Splunk. After it's indexed, we can start searching, and that's how it works, as I see it:

3. We get into the Search Head via web, using TCP:8000, then we type a query and the search itself begins.
4. The Search Head tells the Master Node what exact kind of data needs to be found, using TCP:8089.
5. Then the Master Node tells the Indexers what kind of data they need to give back, again using TCP:8089.
6. Then both Indexers (Search Factor = Replication Factor = 2) send the search result to the Master Node simultaneously (improving the search speed) via TCP:8089.
7. After that, the Master Node finally sends the search result to the Search Head, again via TCP:8089, where it's available for a user.

If that is all described correctly, then I have one more question on license counting: does each separate indexer tell the License server how much data it has collected, or does the Indexing Cluster Master Node tell the License Server what amount of data has been indexed by the Indexers?
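As an added example (not part of the original post, and not an official Splunk configuration), these are the `.conf` stanzas that express the data path the question describes, so each port in the list can be tied to the setting that opens it. Hostnames, the shared secret and the file locations under `$SPLUNK_HOME/etc/system/local/` are placeholders. Two details of the flow differ from the post: a search head that joins the cluster as `mode = searchhead` only asks the master for the list of peers, then dispatches the search to the indexers directly over TCP 8089 and receives results from them directly; and each indexer is its own license slave, so it reports its indexed volume to the license master itself rather than through the cluster master.

```ini
# Added example, not from the original post. Placeholders: idx1/idx2/cm/lm/sh
# hostnames and the pass4SymmKey value.

# ---- Universal forwarder: outputs.conf ----
# Forwarding destinations live in outputs.conf (inputs.conf only says what to collect).
# Listing both indexers makes the forwarder load-balance across them on TCP 9997.
[tcpout]
defaultGroup = idx_cluster

[tcpout:idx_cluster]
server = idx1.example.com:9997, idx2.example.com:9997
# Indexer acknowledgement: the forwarder re-sends a block if a peer drops mid-stream.
useACK = true

# ---- Each indexer (cluster peer): inputs.conf ----
[splunktcp://9997]
disabled = 0

# ---- Each indexer (cluster peer): server.conf ----
# TCP 8080 is the peer-to-peer replication port. Replication traffic is plaintext
# with this stanza; use [replication_port-ssl://8080] plus certificates to encrypt it.
[replication_port://8080]

[clustering]
mode = slave
master_uri = https://cm.example.com:8089
# Shared cluster secret: set a unique value per cluster, never leave the default.
pass4SymmKey = CHANGE_ME_CLUSTER_SECRET

# Each indexer reports its own indexed volume to the license master over TCP 8089.
[license]
master_uri = https://lm.example.com:8089

# ---- Cluster master: server.conf ----
[clustering]
mode = master
replication_factor = 2
search_factor = 2
pass4SymmKey = CHANGE_ME_CLUSTER_SECRET

# ---- Search head: server.conf ----
# The search head registers with the master to learn the peer list, then searches
# the peers directly over TCP 8089; results do not pass through the master.
[clustering]
mode = searchhead
master_uri = https://cm.example.com:8089
pass4SymmKey = CHANGE_ME_CLUSTER_SECRET
```

Newer Splunk releases also accept `manager_uri` and `mode = manager` / `mode = peer` as the names for these settings; the older names shown here still work. From a hardening standpoint the two things worth checking in this layout are that every node on TCP 8089 presents a certificate you trust rather than the default self-signed one, and that `pass4SymmKey` differs between the indexer-cluster stanza and any other stanza that uses a shared secret.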
