As a new user of Splunk, you may have specific needs such as Security, Compliance, or Information Technology (IT) Operations. One of the first decisions you need to make is how to install Splunk and which type of deployment to choose. There are several options for Splunk deployment, and to help you make the right choice, you’ll need to answer the following questions:
- How much data or logs do you expect to ingest per day?
- Do you need high availability?
- Do you need disaster recovery?
Architectural Options
Based on your previous answers, the following will help guide you through choosing the right architecture.
Standalone: A single instance deployment which performs both ingestion and searching of data. [This deployment type is ideal if you do not need high availability or disaster recovery, and your daily data volume is below 100 GB]
Distributed & Clustered: Multiple indexers in the environment to ingest and search data, and 1 or 2 search heads to manage. [Choose this deployment if you need high availability or if your daily data volume is over 100 GB]
Multi-site Clustered: Multiple Clustered environments across multiple physical locations. [Choose this deployment if you need disaster recovery]
Hardware Requirement for a Splunk Machine
Now that you have decided on the architectural design for your Splunk environment, you will need to address the hardware needs. Here’s the general hardware specs for a typical Search Head and Indexer
Standalone / Search Head Hardware Requirements
- Intel x86 64-bit chip architecture
- 16 CPU cores or 32 vCPU at 2Ghz or higher speed per core
- 12GB RAM · A 1Gb Ethernet NIC
- A 64-bit Linux or Windows distribution
Indexer Specification
- Intel x86 64-bit chip architecture
- 12 CPU cores or 24 vCPU at 2GHz or higher per core (you can increase the number of cores up to 48–96 for better performance)
- 12GB RAM (you can increase up to 128 GB for better performance)
- A 1Gb Ethernet NIC
- A 64-bit Linux or Windows distribution
How Many Indexers for a Clustered Environment?
This is a big topic because many people assume that the search head is the one responsible for the speed of the searches and that’s not true. The number of indexers and their individual/combined performance is the main factor you’ll need to consider for a healthy and responsive Splunk environment. The following questions will help answer the number of indexers required:
- Daily data/log ingestion
- Number of active usersH
Storage Requirement
Finally, you will need to decide on the amount of storage needed for your search head, indexer/s and IOPS (Input/Output Operations per second) needed.
- Search Head: minimum of 300 GB (preferably 500) and 800 IOPS.
- Indexer: Storage is calculated based on (Ingestion x retention days)/2 and for the IOPS, the higher, the better. SSD is usually recommended with 25000 IOPS and higher as a minimum.
There are two other factors that should be mentioned, but as a new user, you can most likely ignore.
- Replication factor: This applies only in a clustered environment and if you need high availability, then a replication factor of 2 or 3 will double or triple your storage needs.
- Number of Indexers: If you have three Indexers for instance, then the storage required is divided upon all three.
For the next blog we will be writing about “How to Install Splunk on Linux”, stay tuned and Happy Splunking!
Reference:
