The ES application should be installed on the search head, which is the component that runs the ES user interface and executes the searches, alerts, and reports. The search head should be dedicated to ES and not run any other applications. The indexer is the component that indexes the data and stores it in buckets. The KV Store is a feature that stores and manages data as key-value pairs. The dedicated forwarder is a component that collects data from various sources and forwards it to the indexer. None of these other components can run the ES application.
References:
[Install Splunk Enterprise Security]
[Splunk Enterprise architecture]