Splunk (Core Components)
Splunk Forwarder, Indexer, and Search Head are three main parts of a Splunk setup. They work together like this: the forwarder sends data, the indexer stores and organizes it, and the search head lets analysts search and investigate it.
Forwarder
A forwarder is a lightweight Splunk component that collects logs from a machine or source and sends them to Splunk indexers. The common type is the Universal Forwarder. Forwarders can also load-balance traffic across multiple indexers.
Example: A Universal Forwarder installed on a Windows server sends Event Logs to Splunk.
Use case: A company installs forwarders on endpoints and servers so logs are automatically sent to central Splunk indexers for monitoring.
Indexer
An indexer is the Splunk component that receives incoming data, processes it, and stores it so it can be searched later.
Example: The indexer receives firewall logs, authentication logs, and web server logs, then stores them in searchable indexes.
Use case: A security team uses indexers to keep large amounts of log data centralized, searchable, and available for investigations and alerts.
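The forwarder-to-indexer path described above, as an added configuration example (not taken from the page or from Splunk's documentation). It assumes two indexers named idx1.example.local and idx2.example.local listening on port 9997, an index called wineventlog, and that the settings are placed under $SPLUNK_HOME/etc/system/local; all of these are placeholders.

```ini
# --- On the Universal Forwarder (the Windows server) ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Collect the Security and System Event Logs. The index name "wineventlog"
# is an assumption; it must exist on the indexers or the data is dropped.
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Send to a group of two indexers (placeholder hostnames) and switch between
# them every 30 seconds (load balancing). useACK makes the forwarder keep its
# copy of the data until the indexer confirms it was written.
[tcpout]
defaultGroup = soc_indexers

[tcpout:soc_indexers]
server = idx1.example.local:9997, idx2.example.local:9997
autoLBFrequency = 30
useACK = true

# --- On each indexer ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Listen for forwarder traffic on the port named in outputs.conf above.
[splunktcp://9997]
disabled = 0

# $SPLUNK_HOME/etc/system/local/indexes.conf
# Create the index the forwarders write into.
[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
```

Splunk reads these files after a restart of splunkd on each host. In a real deployment the forwarder settings are usually pushed from a deployment server as an app rather than edited by hand on every endpoint, and forwarder-to-indexer traffic is not encrypted by default: the TLS settings for it (sslVerifyServerCert, clientCert and related keys in outputs.conf) are separate from what is shown here.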
Search Head
A search head is the Splunk component where users run searches, create dashboards, and investigate alerts. In larger environments, it sends search requests to indexers and combines the results.
Example: An analyst opens Splunk, searches for failed logins from the last 24 hours, and the search head pulls matching results from the indexers.
Use case: A SOC analyst uses the search head to hunt threats, review alerts, and build dashboards without needing to log in to each server separately.
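The failed-login search from the example above, written out as an added SPL example (not from the page). It assumes the Windows Security log is in an index named wineventlog with the classic WinEventLog:Security sourcetype, and that Splunk's key-value extraction has produced the Account_Name and Source_Network_Address fields from the event text; field and index names are assumptions. The search head sends the index=, sourcetype= and EventCode= filters and the stats aggregation to the indexers, then merges the partial results before running the where, convert and sort stages.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
    earliest=-24h latest=now
| stats count AS failures,
        dc(Account_Name) AS distinct_accounts,
        min(_time) AS first_seen,
        max(_time) AS last_seen
    BY Source_Network_Address
| where failures >= 20
| convert ctime(first_seen) ctime(last_seen)
| sort - failures
```

EventCode 4625 is the Windows "An account failed to log on" event. Grouping by source address and keeping only sources with 20 or more failures in the window turns a raw event list into a short table an analyst can triage; the threshold is an arbitrary starting point and should be tuned to the environment before the search is saved as an alert.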
A simple way to remember it:
Forwarder = sends logs
Indexer = stores logs
Search Head = searches logs