The primary components in the Splunk architecture are the forwarder, the indexer, and the search head.
The Splunk forwarder streams data from machine or IT systems to a data receiver, which is usually a Splunk indexer where you store your Splunk data. Universal forwarder streaming lets you monitor data in real time. The forwarder also ensures that your data is correctly formatted before sending it to Splunk.
The indexer is the Splunk component that transforms raw data into data records called events and places the results into a repository called an index. In smaller deployments, the indexer can also perform the other fundamental Splunk Enterprise functions of data input and search management.
In a distributed search environment, a search head handles search management functions, directing search requests to a set of search peers and then merging the results and returning them to the user. Distributed search provides horizontal scaling, so that a single Splunk Enterprise deployment can search and index arbitrarily large amounts of data. Distributed search is also useful for correlating data across data silos.