There are 3 main components in Splunk:
1. Splunk Forwarder - Collects the logs from the various remote log sources and sends them on to the Indexer.
2. Splunk Indexer - Stores the data coming from the Forwarder. Here the data is parsed into events, and search queries are fulfilled by the Indexer.
3. Splunk Search Head - Provides the GUI through which we interact with Splunk. All searches and queries are run from here.

This is a brief explanation of the Splunk architecture.
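
How the three tiers are wired together in configuration, as an added example that is not part of the original page. The host name, index name and monitored path are assumptions; 9997 and 8089 are Splunk's conventional receiving and management ports.

```ini
# --- Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Collect a log file on the remote source (path and index name are assumed).
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os_logs
disabled = 0

# --- Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Send everything collected to the indexer tier.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Hypothetical indexer host.
server = idx1.example.internal:9997

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for forwarder traffic; data arriving here is parsed into events.
[splunktcp://9997]
disabled = 0

# --- Indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# The index the forwarder's input writes to must exist on the indexer.
[os_logs]
homePath = $SPLUNK_DB/os_logs/db
coldPath = $SPLUNK_DB/os_logs/colddb
thawedPath = $SPLUNK_DB/os_logs/thaweddb

# --- Search head: $SPLUNK_HOME/etc/system/local/distsearch.conf ---
# The search head sends queries to the indexer's management port.
# Peers are normally added through Splunk Web or the CLI, which also sets up
# authentication between the two; the stanza is shown to illustrate the link.
[distributedSearch]
servers = https://idx1.example.internal:8089
```

The `[splunktcp://9997]` input accepts unencrypted forwarder traffic, so restrict who can reach that port or use the `splunktcp-ssl` input type instead.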