# Splunk: Basics

As the leading SIEM solution, Splunk allows for collecting, analyzing, and correlating logs in real time.

## <mark style="color:red;">Splunk Components</mark>

Splunk's three main components are the Forwarder, Indexer, and Search Head.

### <mark style="color:orange;">Splunk Forwarder</mark>

Splunk Forwarder is a lightweight agent installed on each endpoint that is to be monitored. The Forwarder collects data and sends it to the Splunk instance; because it does minimal processing locally, it has little effect on the endpoint's performance.

<mark style="color:green;">Key data sources include:</mark>

* Web server generating web traffic.
* Windows machine generating Windows Event Logs, PowerShell, and Sysmon data.
* Linux host generating host-centric logs.
* Database generating DB connection requests, responses, and errors.

### <mark style="color:orange;">Splunk Indexer</mark>

Splunk Indexer is the main component: it parses the received data into events, extracts normalized field-value pairs, determines the data types, and stores the events. This is beneficial since processed data is easy to search and analyze.

### <mark style="color:orange;">Search Head</mark>

Splunk Search Head allows users to search the indexed logs. This is made possible by using Splunk SPL (<mark style="color:purple;">Search Processing Language</mark>). The search request is sent to the Indexer, which returns the relevant events as field-value pairs. Additionally, the Search Head can transform results into visualizations.
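As an added example (not from the original page), the following SPL search is what a Search Head would send to the Indexer to work with the field-value pairs extracted from Sysmon data forwarded by a Windows host. The index name `main`, the Sysmon sourcetype, and the field names `EventCode`, `Image`, and `ParentImage` are assumptions about how the Forwarder and Sysmon add-on were configured.

```spl
index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval proc=lower(Image), parent=lower(ParentImage)
| stats count min(_time) AS first_seen max(_time) AS last_seen BY host parent proc
| where count < 5
| sort - last_seen
| table host parent proc count first_seen last_seen
```

The first line filters on indexed field-value pairs (Sysmon Event ID 1, process creation); `stats` then summarizes parent-to-child process pairs per host so that rarely seen combinations surface at the top for analyst review.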
