Splunk Dashboards Beta App - System Requirements

Communicator

We are currently running a single instance of Splunk (1 search, 1 indexer) on a c5.4xlarge AWS EC2 instance in a POC environment. The single-instance specs are as follows:

  • 16 vCPU

  • 32 GB Memory

  • Network Bandwidth: 10 Gbps

  • EBS Bandwidth: 4.8 Gbps

We have about 5 users concurrently accessing Splunk and executing search queries. Additionally, our Splunk instance is integrated with ServiceNOW for ticket generation, and we're also leveraging the AWS Add-on for Splunk to ingest AWS logs. We are also ingesting MuleSoft logs via an API connector, but shall eventually transition to the Splunk HTTP Event Collector (HEC) to receive the logs through either a push/pull mechanism.

Currently, we are not experiencing any performance issues and are planning to integrate additional apps/add-ons in the future.

We recently heard about the Splunk Dashboards App (Beta): https://splunkbase.splunk.com/app/4710/ , which looks like a great app for dashboarding and meets some of our major requirements for visualizing large and complex data sets. Currently, we have 4 dashboards that leverage both SPL, as well as Simple XML/in-line CSS and JavaScript, which we plan to carry over to the Splunk Dashboards App framework after installing it. While we understand that the App's Splunkbase page states that there is no support for converting dashboards with Simple XML/in-line CSS/JS, we still want to proceed with the conversion as a POC to understand what the impacts would be.

Based on the specifications mentioned above, does anyone see potential concerns from a performance/bandwidth standpoint should we proceed with installing and using the Splunk Dashboards App?

Thanks!

0 Karma

Legend

Hi @adnankhan5133,

The reference hardware seems to be OK for your needs, but to be more sure, you have to analyze how many searches the five users are running.

You have to remember that every search (and subsearch) takes a CPU, so if you have five users that run a dashboard with ten real-time searches, your hardware isn't sufficient.

So the best approach is to start with your hardware and analyze the situation using the Splunk Monitoring Console, which gives you a picture of the load on your machine, so you can understand if there are queues or problems.

Pay close attention to the IOPS of the storage, because the real bottleneck of Splunk is storage: Splunk recommends at least 800 IOPS for the storage.

Ciao.

Giuseppe

0 Karma

SplunkTrust
The Splunk Dashboard Beta app has no system requirements beyond that of a normal search head. It should not impose any significant performance degradation. If you learn differently then the beta team will want to hear about it.
---
If this reply helps you, an upvote would be appreciated.