In a distributed deployment, different Splunk processes will serve different purposes. There are four stages of processing that are generally spread across two to four layers. The stages of processing include:
input: This stage consumes raw data from log files, ports, or scripts.
parsing: This stage splits the raw data into events, parses time, sets base metadata, runs transforms, and so on.
indexing: This stage stores the data and optimizes the indexes.
searching: This stage runs queries and presents the results to the user. All these different stages ca be accomplished in one process, but splitting them across servers can improve performance as the log volumes and search load increase.