topic Would Multiple Enterprise Security Splunk Instances Affect Indexing? in Getting Data In

Would Multiple Enterprise Security Splunk Instances Affect Indexing?

NightShark — Thu, 07 Oct 2021 07:36:56 GMT

Currently working on a project where instead of dedicating only a single instance of Splunk only for ES they actually have ES installed on every Search Head. From my experience in tinkering with "https://splunk-sizing.appspot.com/" any time I would pick ES for Search Heads, the automatic amount required for Indexer nodes gets trippled.

I was just wondering maybe if this would help ease the critical pressure that is going on in the indexers at the moment.

Thanks,

Re: Would Multiple Enterprise Security Splunk Instances Affect Indexing?

gcusello — Thu, 07 Oct 2021 07:52:52 GMT

Hi @NightShark,

Splunk best practices hint to use dedicated Search Heads for ES, separated from the other apps SHs.

Indexers are usually shared but obviously the load of ES is usually harder than usual apps becuase there are many accelerated Datamodels and scheduled searches, so you have to design with much attention the resources of your system.

So, if you see at https://docs.splunk.com/Documentation/ES/6.6.2/Install/DeploymentPlanning, you need at least (it depends on the indexed logs, scheduled correlation searches and users) 16 CPUs and 32GB of RAM for each Indexer; if you have other apps that use those Indexers you have to give to the Indexers more CPUs and RAMs.

Ciao.

Giuseppe

Re: Would Multiple Enterprise Security Splunk Instances Affect Indexing?

NightShark — Thu, 07 Oct 2021 08:00:06 GMT

Hello Giuseppe,

Yes, that is exactly what I was thinking. Is more licensing being used while having ES installed on 3 instances?

So basically having 3 ES Instances also triples the amount of load on the indexers? All the instances are set to high performance recommendations but I was wondering if apart from CPU and RAM load, if it would increase disk usage aswell?

Thank you for the quick response!

Re: Would Multiple Enterprise Security Splunk Instances Affect Indexing?

gcusello — Thu, 07 Oct 2021 08:24:59 GMT

Hi @NightShark,

let me understand: when you say "Three Es instances" are you speaking of three Search Heads that use the same indexers or three stand alone ESs?

I think that you're speaking of the first choice, in this case you need to exactly designe your reference hardware, taking in consideration:

all the indexed data (not more than 100 GB/day for each Indexer),
the activated Correlation searched and accelerated Datamodels,
the users that usually use the system.

Rememeber that this usually is a work for Professional Services or at least for a Splunk Architect, it isn't a job for Community!

If this answer solves your need, please, accept it for the other people of Community, otherwise, tell me how can I help you.

Ciao.

Giuseppe

P.S: Karma Points are appreciated 😉

Re: Would Multiple Enterprise Security Splunk Instances Affect Indexing?

NightShark — Thu, 07 Oct 2021 13:06:34 GMT

Hello,

Thank you for your response, I have forwarded the issue towards Splunk Case to gain further insight.

Regards,

Re: Would Multiple Enterprise Security Splunk Instances Affect Indexing?

gcusello — Thu, 07 Oct 2021 13:10:16 GMT

Hi @NightShark,

good idea, but I think that they will answer that you have to engage a Splunk Architetct or Professional Services because you haven't a bug.

Ciao.

Giuseppe