All Apps and Add-ons

If deploying a Splunk instance that will index 500Gb/Day, what would be the recommended architecture for this type of environment?

pkaranam
New Member

Hi,

Need your help/suggestion on deploying High Availability (HA) Splunk architecture on our private AWS cloud system.

We are planning to setup new Splunk instance with 500GB/Day indexing on private AWS system. So we need suggestions to deploy HA Splunk Architecture, please share the architecture details and with size planning and also need details like below.

Search Head – #No of SH CPU/Memory/Storage?
Indexer – #No of indexers and CPU/Memory/Storage?
Deployment Server – # No of DS and CPU/Memory/Storage?
Heavy Forwarders – #No of HF and CPU/Memory/Storage?

And required clustering for SH and Indexers and some more info would be helpful. Since going through couple of documents but getting confused and its my first attempt for big setup from scratch. So please help me with above details.

Thanks!
Pavan

0 Karma

goodsellt
Contributor

We have the same license amount and currently run an AWS solution as well, so here are our specs as an example for you, please note that we use Splunk Enterprise Security so I've substituted M4 instances for C4 instances where they would be more appropriate without ES (I did it so it wouldn't moan about RAM).

Indexers:
4 x M4.4xlarge (100 GB GP2 Volume "/opt/splunk", 3 TB GP2 Volume "/data/splunk_hot", 8 TB ST1 Volume "/data/splunk_cold", 1 TB ST1 Volume "/data/splunk_frozen" ~ 9 months live retention based on our current loads).

Search heads:
1 x C4.4xlarge (100 GB GP2 Volume "/opt/splunk") - General Use
1 x M4.4xlarge (100 GB GP2 Volume "/opt/splunk") - Enterprise Security

Cluster Master Server:
1 x C4.xlarge (100 GB GP2 Volume "/opt/splunk")

Settings:
Multisite - true
2 indexers and 1 sh per site, sites are defined by AWS Availability Zones, Master sits on site1
All indexes are replicated, rep factor is origin:1, total:2 for rep and search factor.
Summary replication - true
UseACK for forwarders - true

I've not listed other devices as they're not relevant to our setup, things like deployment servers and heavy forwarders are defined more by process requirements/geolocation for my Org (we have both cloud and on prem forwarders). The above core system handles search load for ~20 non security users, ~12 security users, and the system search load.

0 Karma

pkaranam
New Member

Thanks everyone for your response!

Hi goodsellt,

As you suggested with your AWS setup configuration, below configs am gonna send to my seniors. But could you please share your thoughts on below comments?

Search Head : "2 X C4.4xlarge (150 GB GP2 Volume ""/opt/splunk"")". Will not be using Splunk ES for now.

Indexer :
"4 X M4.4xlarge
(100 GB GP2 Volume ""/opt/splunk"",
3 TB GP2 Volume ""/data/splunk_hot"",
8 TB ST1 Volume ""/data/splunk_cold"",
1 TB ST1 Volume ""/data/splunk_frozen"" )"

Deploy Server we might require
"1 X C4.xlarge (100 GB GP2 Volume ""/opt/splunk"")"

Cluster Master

"1 X C4.xlarge (100 GB GP2 Volume ""/opt/splunk"")"
this cluster master can we use it for both SH and Indexer?

Heavy Forwarder - #No of server and which AWS instance would be sufficient ? we have around 20 data sources as of now.

Thanks!
Pavan

0 Karma

jcrabb_splunk
Splunk Employee
Splunk Employee

I would recommend reviewing the following doc that gives some general guidance on how to plan out the deployment:

http://docs.splunk.com/Documentation/Splunk/6.5.2/Capacity/Summaryofperformancerecommendations

Jacob
Sr. Technical Support Engineer
0 Karma

somesoni2
SplunkTrust
SplunkTrust
0 Karma

adonio
Ultra Champion

Congrats on your first setup! there are some vaiables missing in order to give a full solution such as: How many users? How many clients (forwarders)? what are the data sources? what are scaling considerations? and more.
Plenty of answers are in the docs: http://docs.splunk.com/Documentation/Splunk/6.5.2/Capacity/Referencehardware
this presentation from .conf is a good resource as well: https://conf.splunk.com/session/2014/conf2014_KarandeepBains_Splunk_Deploying.pdf
Regardless, I Will recommend to contact your Splunk SE to help with best practices and solution.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...