https://community.splunk.com/t5/Deployment-Architecture/Small-Deployment-Splunk-for-SOC/m-p/452844#M21013 <P>hello there,<BR /> plenty of information is missing, examples:<BR /> how much data (gp per day) do you plan to ingest?<BR /> what are the indexer and search head specs? (CPU, Memory, Disk)<BR /> how may concurrent users (searches) are you anticipating?<BR /> do you plan to scale in the future?</P> <P>however, your overall topology makes sense and seems like a good start<BR /> good luck, and please share your progress and challenges and we would love to assist on your journey</P> <P>hope it helps</P> Sun, 24 Mar 2019 01:15:21 GMT adonio 2019-03-24T01:15:21Z https://community.splunk.com/t5/Deployment-Architecture/Small-Deployment-Splunk-for-SOC/m-p/452843#M21012 <P>Now I want to learn to make Splunk on a small scale for SOC, but before that, let me give you a picture of the topology that I will make at home.</P> <P>It's topology is right to build? and is this possible to run accordingly?</P> <UL> <LI><A href="https://ibb.co/kyXjPC9">https://ibb.co/kyXjPC9</A></LI> </UL> <P><STRONG>For Details:</STRONG><BR /> SH : 192.168.1.20<BR /> IDX : 192.168.1.21<BR /> UF1 : 192.168.1.30 | UF2 : 192.168.1.31 | HF1 : 192.168.1.32</P> <P>Of all this, what I really need is to get data from snort.. I want to use Firegen for Snort App but that requires the help of the Splunk DB Connect App that I will install on HF. That way, later the DB Connect App will be connected toanyard2's MySQL in snort.</P> <P>Please.. teach me and give me advice.. I want to learn more about Splunk.<BR /> Thank you</P> <P><STRONG>Links:</STRONG></P> <OL> <LI>DB Connect App - <A href="https://splunkbase.splunk.com/app/2686/">https://splunkbase.splunk.com/app/2686/</A></LI> <LI>Firegen for Snort App - <A href="https://splunkbase.splunk.com/app/4118/">https://splunkbase.splunk.com/app/4118/</A></LI> <LI>Splunk Docs - <A href="https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/HowSplunkDBConnectworks">https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/HowSplunkDBConnectworks</A></LI> <LI>Firegen Readme File - <A href="https://pastebin.com/VDXkR71n">https://pastebin.com/VDXkR71n</A></LI> </OL> Fri, 22 Mar 2019 07:52:07 GMT https://community.splunk.com/t5/Deployment-Architecture/Small-Deployment-Splunk-for-SOC/m-p/452843#M21012 gibranduatiga 2019-03-22T07:52:07Z https://community.splunk.com/t5/Deployment-Architecture/Small-Deployment-Splunk-for-SOC/m-p/452844#M21013 <P>hello there,<BR /> plenty of information is missing, examples:<BR /> how much data (gp per day) do you plan to ingest?<BR /> what are the indexer and search head specs? (CPU, Memory, Disk)<BR /> how may concurrent users (searches) are you anticipating?<BR /> do you plan to scale in the future?</P> <P>however, your overall topology makes sense and seems like a good start<BR /> good luck, and please share your progress and challenges and we would love to assist on your journey</P> <P>hope it helps</P> Sun, 24 Mar 2019 01:15:21 GMT https://community.splunk.com/t5/Deployment-Architecture/Small-Deployment-Splunk-for-SOC/m-p/452844#M21013 adonio 2019-03-24T01:15:21Z https://community.splunk.com/t5/Deployment-Architecture/Small-Deployment-Splunk-for-SOC/m-p/452845#M21014 <P>I am sorry for late reply..</P> <P>I want to process data as much as 20-50 GB per day.<BR /> for IDX &amp; SH specifications for example:<BR /> Intel i7-5820K CPU 3.30GHz CPU<BR /> 32GB RAM with RAID</P> <P>for the future maybe I will add a scale to a larger one as the needs are needed.</P> <P>by the way, what about dns loadbalance? do I have to implement it too?</P> <P>thank you..... @adonio</P> Mon, 25 Mar 2019 00:33:10 GMT https://community.splunk.com/t5/Deployment-Architecture/Small-Deployment-Splunk-for-SOC/m-p/452845#M21014 gibranduatiga 2019-03-25T00:33:10Z