OVERVIEW
In any organization, deployment and configuration play a vital role: they map a logical architecture onto a physical environment. Splunk deployment and configuration likewise require some additional skills, including up-front planning, mapping and documenting the entire infrastructure, prioritizing assets, and much more.
Splunk deployments are generally classified into four major types:
- Stand-alone deployment
- Distributed deployment
- Clustered deployment
- Cloud deployment
This post discusses the major differences between stand-alone, distributed, and clustered deployments.
Prioritizing/classifying the deployment types
Splunk deployments differ based on their scale and size:
- Departmental
- Small enterprise
- Medium enterprise
- Large enterprise
Types of Deployments
Stand-alone / Single Deployment
A stand-alone deployment is a single instance that combines indexing and searching. It includes basic features such as:
- Searching
- Indexing
- Parsing
- Reporting
- Alerting
- Dashboards, and more
Single instance deployment is typically used when there are a limited number of users and a very limited amount of data flowing into Splunk.
| Indexing volume | Users | Forwarders | Indexers |
|---|---|---|---|
| 0-20 GB | < 10 | min 10, max 100 | 1 |
Stand-alone instances are generally used for a lab or test environment, or for a small system with one or two users running concurrent searches.
Distributed Deployment
A distributed deployment spreads instances across multiple machines to achieve high availability and to support disaster recovery through data replication and multisite deployment.
| Indexing volume | Users | Forwarders | Search heads | Indexers |
|---|---|---|---|---|
| 20-100 GB | < 100 | min 100, max 200 | 1 | 2 to 3 |
Distributed deployments are generally used by medium-scale organizations to monitor all internal activity.
Clustered Deployment
A clustered deployment lets users share resources across a set of search heads, boosting both indexing and searching capacity. It is usually deployed in medium and large-scale organizations.
| Indexing volume | Users | Forwarders | Search heads | Indexers |
|---|---|---|---|---|
| 300 GB – TBs (per day) | > 100 | min 10, max 1000 | 3+ | 10+ |
Clustered deployments are generally used by large-scale organizations.
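As an added example (not from the original post), the `server.conf` stanzas that wire up the three roles of a single-site indexer cluster: the manager node that tracks bucket copies, the peers that index and replicate data, and a search head that queries the cluster. The hostname, port, cluster label and shared secret are placeholders.

```ini
# --- Manager node: $SPLUNK_HOME/etc/system/local/server.conf ---
# Hostname, label and secret are placeholders (assumed values).
[clustering]
mode = manager
cluster_label = example_cluster
# replication_factor: copies of each bucket kept across the peers.
# search_factor: how many of those copies are kept searchable.
# Constraint: search_factor <= replication_factor <= number of peers.
replication_factor = 3
search_factor = 2
# Shared secret that authenticates every cluster member. Use a long,
# random value and keep it distinct from the [general] pass4SymmKey;
# Splunk rewrites it in encrypted form on the next start.
pass4SymmKey = REPLACE_WITH_STRONG_SECRET

# --- Peer (indexer) node: same file on each indexer ---
# Port the peers use to replicate bucket copies to one another.
[replication_port://9887]

[clustering]
mode = peer
# Management port of the manager, always over HTTPS.
manager_uri = https://cm.example.internal:8089
pass4SymmKey = REPLACE_WITH_STRONG_SECRET

# --- Search head: same file on each search head ---
[clustering]
mode = searchhead
manager_uri = https://cm.example.internal:8089
pass4SymmKey = REPLACE_WITH_STRONG_SECRET
```

Releases before Splunk 8.1 use `mode = master` and `master_uri` for the same settings. After restarting the members, `splunk show cluster-status` on the manager reports whether the configured replication and search factors are met.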
Cloud deployment
Cloud deployment is the process of migrating an on-premises deployment to the Splunk Cloud platform. It follows a deployment process similar to the on-premises setup, and its functionality includes:
- Collecting
- Searching
- Monitoring
- Reporting
- Analyzing all of your real-time and historical machine data using a cloud service that Splunk delivers centrally and uniformly to its large number of cloud customers
- Active Directory/Single sign-on integration
- Allow-listing and deny-listing IP addresses
- Sending data securely using the Splunk Universal Forwarder, and more
| Indexing volume | Users | Forwarders | Search heads | Indexers |
|---|---|---|---|---|
| As per contract | As per contract | As per contract | As per contract | As per contract |
Cloud deployments are generally used for managing machine data through a cloud service that Splunk delivers centrally and uniformly to its large number of cloud customers.
Conclusion
This post has explained the various deployment types in Splunk and the basic differences between them. In the upcoming post we will discuss the challenges in Splunk deployment and configuration.