Solved: Re: What is the difference between splunkagent and...

sarnagar · ‎04-21-2015

splunk and splunkforwarder

MuS · ‎04-22-2015

Hi sarnager,

according to docs http://docs.splunk.com/Special:SplunkSearch/docs?q=agent there is none:

Forwarders (Splunk agents) allow you to install a lightweight version of Splunk on any number of distributed sources to send data to a central Splunk indexer.

I think the difference is done by the people talking about forwarder; some call them agent and others call them forwarder
You can find no entry for agent in the Splexicon http://docs.splunk.com/Splexicon so if you use forwarder most Splunk users will understand you.

Hope that helps ...

cheers, MuS

View solution in original post

MuS · ‎04-22-2015

Hi sarnager,

according to docs http://docs.splunk.com/Special:SplunkSearch/docs?q=agent there is none:

Forwarders (Splunk agents) allow you to install a lightweight version of Splunk on any number of distributed sources to send data to a central Splunk indexer.

I think the difference is done by the people talking about forwarder; some call them agent and others call them forwarder
You can find no entry for agent in the Splexicon http://docs.splunk.com/Splexicon so if you use forwarder most Splunk users will understand you.

Hope that helps ...

cheers, MuS

sarnagar · ‎04-22-2015

Hi MuS and jeffland,Thankyou for the response.
For ex: When I run the splunk status command on a server on which splunk is installed I get two diffrent PID.
/opt/splunk/bin/splunk status - gives a diffrent PID
and
/opt/splunkforwarder/bin/splunk status - gives a diffrent PID. Whts the diffrenece between these two processes giving diffrent PID?

what does this "/opt/splunk/bin/splunk status " refer to?

sarnagar · ‎04-22-2015

Okay...So what is the need of "/opt/splunk/bin/splunk status -Splunk indexer/Web UI instance" on the server?

MuS · ‎04-22-2015

I think you should start here http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Aboutindexesandindexers

and here http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Aboutforwardingandreceivingdata

to get an idea what an indexer is and for what it is needed. The second link is for the forwarder.

jeffland · ‎04-22-2015

I'm not sure why you would want such a setup, as your full splunk install can do whatever the forwarder can, and it's more complicated to configure this way.

MuS · ‎04-22-2015

/opt/splunk/bin/splunk status is your Splunk indexer/Web UI instance and /opt/splunkforwarder/bin/splunk status is your Splunk forwarder which usually reads logs on remote servers and sends it to the Splunk indexer.

jeffland · ‎04-22-2015

A forwarder does not index your data, it only "collects" it and then sends ("forwards") it to an indexer. Other than forwarders, important splunk roles are indexers and search heads. See here for example.
I'm not sure what a splunk agent is. Where did you come across that?

sarnagar · ‎04-22-2015

Hi MuS and jeffland,Thankyou for the response.
For ex: When I run the splunk status command on a server on which splunk is installed I get two diffrent PID.
/opt/splunk/bin/splunk status - gives a diffrent PID
and
/opt/splunkforwarder/bin/splunk status - gives a diffrent PID. Whts the diffrenece between these two processes giving diffrent PID?

what does this "/opt/splunk/bin/splunk status " refer to?

What is the difference between splunkagent and splunkforwarder?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk