Indexes, indexers, and clusters
Remember that Splunk indexes are a repository for all the Splunk data. Indexing (part of the Splunk data pipeline) is performed by an indexer.
Indexers create and use indexes. An indexer is simply a Splunk instance configured to only index data. A Splunk instance can perform indexing as well as everything else, but typically in a larger, distributed environment, the functions of data input and search management are allocated to different Splunk instances. In a larger, scaled environment, you will include forwarders and search heads.
Forwarders consume the data, indexers search and index the data, and search heads coordinate searches across the set of indexers.
A cluster is a group of indexers (sometimes referred to as nodes) that copy each other's data (you will find more on this later in this chapter).
There are three types of nodes in a cluster:
Master node: The master node is a specialized type of indexer that manages the cluster.
Peer nodes (multiple): These...