Splunk Search

Splunk enterprise sizing with ES

hariskhan
Explorer

Hello everybody,
I am sizing hardware for a Splunk Enterprise and Enterprise Security solution.
We are designing for 80GB/day of data for Splunk Enterprise and Enterprise Security and did the following hardware sizing for 6 months of data retention. We kept the HA factor in view as well.

Search Heads x3
Memory 16GB
Onbox storage: 1TB X 2 RAID 1
Processor 8Core X 2 @ 2.1 GHz
RAID controller yes
Power AC
FC card dual 2 port 16GB
NIC 1G X4 Ethernet

Indexers x3
Memory 16GB
Onbox storage 1TB X 2 RAID 1
Processor 8Core X 2 @ 2.1 GHz
RAID controller yes
Power AC
FC card dual 2 port 16GB
NIC 1G X4 Ethernet

Master Server x1
Memory 16GB
Onbox storage 500GB X 2 RAID 1
Processor 8Core X 2 @ 2.1GHz
RAID controller yes
Power AC
FC card dual 2 port 16GB
NIC 1G X4 Ethernet

Heavy Forwarders x2
Memory 16GB
Onbox storage 500GB X 2 RAID 1
Processor 8Core X 1 @ 2.1GHz
RAID controller yes
Power AC dual
NIC 1G X4 Ethernet

SAN
30TB SAN storage with 2 SAN switches. RAID 10 OR 1

The plan is to make an SH cluster and an indexer cluster. The master server is also a deployment server.
Can someone advise whether the above sizing will be adequate for 75GB/day of data when used with Splunk Enterprise and Enterprise Security? If not, please advise on any incremental changes.
Will the above solution be able to run 4 concurrent searches on a dashboard without service deterioration?

0 Karma
1 Solution

woodcock
Esteemed Legend

The general rule of thumb for non-clustered Indexers for ES is NO MORE than 100GB/indexer. I would add 10% indexers if you are going to use clustering. So you are fine.

0 Karma

hariskhan
Explorer

Thanks for the help.

0 Karma

lakshman239
Influencer

What's your designed Search Factor (SF) and Replication Factor (RF)? Do you have another instance/server acting as 'deployer' (to manage config for the SHC)?

Have you thought about which correlation searches you would be turning on in Enterprise Security (ES)? (This will use concurrent searches in addition to your users, scheduled jobs etc.)

ES uses data models, and based on the amount of data you have in data model acceleration, it will consume additional storage in the indexing tier. That needs to be factored in based on the data models planned to be used and the correlation searches enabled.

You can also check this to get some idea/approach - https://splunk-sizing.appspot.com/

0 Karma

hariskhan
Explorer

What's your designed Search Factor (SF) and Replication Factor (RF)? Do you have another instance/server acting as 'deployer' (to manage config for the SHC)?

Replication factor = 3 since I have 3 SH and 3 indexers; the search head cluster is also 3.

I have not added a deployer, thanks for the info, I will add that. I will also be adding a deployment server. Will appreciate it if you can mention the recommended specs for both servers.

Have you thought about which correlation searches you would be turning on in Enterprise Security (ES)? (This will use concurrent searches in addition to your users, scheduled jobs etc.)

I have not decided that yet. Need details on that if you can point me to some doc that relates it to hardware sizing.

How to account for the storage requirement needed for ES data models?

I have used the same link as mentioned by you for sizing, and it says I will be needing 30TB of storage.

Do I need to add additional cores or RAM to indexers or search heads for the Enterprise Security application?

0 Karma
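As an added worked example (not code from the thread, Splunk, or the sizing site linked above), a small Python calculator that applies the indexer-cluster storage model and woodcock's indexer rule of thumb to the numbers in this thread. The 15% rawdata and 35% index ratios are Splunk's published rules of thumb and the on-box/SAN split is an assumption for the check, not a figure from the thread.

```python
import math

# Assumed rules of thumb (Splunk docs, not from this thread): compressed
# rawdata is ~15% of ingested data and tsidx/index files are ~35%, so one
# fully searchable copy costs ~50% of the raw volume.
RAWDATA_RATIO = 0.15
INDEX_RATIO = 0.35


def cluster_storage_gb(daily_gb, retention_days, rf, sf, indexers):
    """Estimate total and per-indexer disk for an indexer cluster.

    RF copies of rawdata are kept; only SF of them also carry index
    files, so the footprint is ingested * (0.15*RF + 0.35*SF).
    Data model acceleration for ES is extra and is not modelled here.
    """
    if sf > rf or indexers < rf:
        raise ValueError("need SF <= RF and at least RF indexer peers")
    ingested = daily_gb * retention_days
    total = ingested * (RAWDATA_RATIO * rf + INDEX_RATIO * sf)
    return {
        "ingested_gb": ingested,
        "total_gb": round(total),
        "per_indexer_gb": round(total / indexers),
    }


def es_indexers_needed(daily_gb, clustered, gb_per_indexer=100):
    """woodcock's rule: at most 100 GB/day per indexer for ES, and add
    10% more indexers when the indexers are clustered."""
    n = math.ceil(daily_gb / gb_per_indexer)
    return math.ceil(n * 1.1) if clustered else n


def fits(per_indexer_gb, onbox_gb, san_gb, indexers):
    """Does each indexer's share fit its usable on-box disk plus an equal
    share of the SAN? (Assumes the SAN is split evenly across indexers.)"""
    return per_indexer_gb <= onbox_gb + san_gb / indexers


if __name__ == "__main__":
    # Thread figures: 80 GB/day, 6 months (~182 days), RF=3, 3 indexers,
    # 1 TB usable on-box per indexer (RAID 1 pair) and a 30 TB SAN.
    est = cluster_storage_gb(80, 182, rf=3, sf=2, indexers=3)
    print(est)
    print("indexers needed (clustered):", es_indexers_needed(80, True))
    print("fits on-box + SAN:", fits(est["per_indexer_gb"], 1000, 30000, 3))
```

Lowering SF from 3 to 2 keeps three rawdata copies but drops one set of index files, which is the single largest lever on the per-indexer figure.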

SyaloomKris
Observer

Hi Splunk team,

Need confirmation: how much sizing does my company need, given that we will integrate with Splunk SIEM?

There are 104 log sources, with 30 days of log retention.

0 Karma

hariskhan
Explorer

Any update on this?

0 Karma