What is the difference between a Splunk forwarder, indexer, and search head? [Intermediate]
Answer
A Splunk forwarder collects and forwards data, an indexer receives and stores indexed events, and a search head provides the UI/API and coordinates searches across indexers.
Technical explanation
Universal Forwarders are lightweight agents on hosts or nodes.
Indexers handle parsing, indexing, storage, bucket management, and search execution over local data.
Search heads manage SPL execution plans, knowledge objects, dashboards, saved searches, and user access.
Hands-on example
Troubleshooting example: if logs are missing, check forwarder status and outputs.conf first. If data is received but not searchable, check indexer queues and index config. If one user's dashboard fails, inspect search head permissions, macros, and saved searches.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Observability interview questions
- What is observability, and how is it different from traditional monitoring? [Basic]
- What are the three pillars of observability (metrics, logs, traces)? [Basic]
- What is the difference between monitoring and observability in practice? [Basic]
- What are the four golden signals of monitoring? [Basic]
- What is the difference between the USE method and the RED method? [Basic]
- When would you use the USE method versus the RED method? [Basic]
- What is an SLI, an SLO, and an SLA, and how do they relate? [Basic]
- How do you choose good SLIs for a service? [Basic]