Splunk Search

Installing SPLUNK in SAN

eantonio
Path Finder

We use NetApp in our environment. Do you recommend creating two separate volumes for SPLUNK installation? First volume (with 1 LUN) to hold the C: drive and D: drive, Second Volume (with 1 LUN > RDM) to hold the Splunk data?

1 Solution

dwaddle
SplunkTrust

The Splunk reference architecture is a good place to start -- http://docs.splunk.com/Documentation/Splunk/latest/Installation/CapacityPlanningforaLargerSplunkDepl.... Except, there's no real mention of SAN storage there. Remember, Splunk is very highly I/O intensive - like an enterprise OLTP database. Splunk recommends RAID-10 for storage because of the higher IOPS available there, compared to RAID4/5/6. The typical Splunk indexer "building block" does not use SAN storage, but rather has a number of fast local disks in RAID10. If one indexer "block" cannot meet your performance, add more -- each with its own local storage. ( http://blogs.splunk.com/2009/10/27/add-a-server-or-two/ ) In everything but the largest deployments, this is far more cost effective than using SAN storage with Splunk.

But if you already have the NetApp storage on the floor, then there is no reason NOT to use it -- that is, as long as it has the available IOPS capacity to meet the needs of your indexing workload. (And, you'll need to make sure that providing that IOPS capacity does not negatively impact other systems using the shared storage.)

In terms of simple partition/filesystem layout - what you're discussing makes reasonable sense. We give Splunk two filesystems - one for the product (code) and the other for the indexes.

