Architecture question for Splunk Indexers

d_lim
Path Finder

As we have disk storage size budgets, I would like to know which is better: 2 IDXs with a 1RF/1SF cluster, or 2 standalone indexers. We also have, on separate instances, 1 ES SH, 3 HFs, 1 MN/DS.
 
In terms of performance, will there be any differences?
 
Thanks.

gcusello
SplunkTrust

Hi @d_lim,

There isn't a great performance difference between clustered and not clustered indexers. Obviously, in a cluster Splunk must manage alignments, and this gives a little more load than not clustered, but I think that performance isn't the real question in this case: do you need HA or not?

If you need HA, the only choice is clustered; if you don't need HA, not clustered is better, because clustered indexers require double the storage of not clustered ones.

In addition, not clustered indexers don't require an MN.

Then I don't understand why you have a cluster with 1 RF 1 SF; in other words, you have a cluster without HA; probably you don't need HA!

At least, it's a best practice to have a dedicated Master Node (at most also License Master), and a dedicated Deployment Server (if it has to manage more than 50 clients).

Anyway, the Splunk architecture design isn't a problem to solve with some answer in Community; I suggest calling a Splunk Architect to review your architecture.

Ciao.

Giuseppe

d_lim
Path Finder

Hi Giuseppe, thanks for your response.

My current setup is 1 MN/DS and indexer, for future scalability. However, there is a storage budget at the moment, so HA is not a requirement.

Does carrying out searches from the search head get delegated to the indexer via the MN?

If yes, having the MN and DS roles in 1 instance, the performance would be affected, I believe?


gcusello
SplunkTrust

Hi @d_lim,

If you don't need HA, you don't need a cluster and MN, and you can configure your SH to search in the two indexers.

If you want to maintain the cluster for future HA needs, you can use the cluster (with a dedicated MN) and configure the SH to point to the MN, so the MN can answer giving the addresses of all Indexes in the cluster.

Remember that MN and DS must be on dedicated servers!

Ciao.

Giuseppe
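
The two layouts discussed in this thread, sketched as configuration (an added example, not posted by either participant; the host names, ports and `<cluster-secret>` are placeholders, and each stanza belongs to the file named in the comment above it):

```ini
# Option A: two standalone indexers, no manager node.
# Search head: distsearch.conf
# Peers are normally added with "splunk add search-server" or in Splunk Web,
# which also handles the key exchange; editing this file by hand means
# distributing the search head's key files to each peer yourself.
[distributedSearch]
servers = https://idx1.example.com:8089,https://idx2.example.com:8089

# Option B: indexer cluster with RF=1 / SF=1 (single copy of each bucket,
# so no extra storage and no HA).
# Manager node: server.conf
[clustering]
mode = master
replication_factor = 1
search_factor = 1
pass4SymmKey = <cluster-secret>

# Each indexer (peer): server.conf
[replication_port://9887]

[clustering]
mode = slave
master_uri = https://mn.example.com:8089
pass4SymmKey = <cluster-secret>

# Search head: server.conf
# The search head gets the peer list from the manager node,
# then sends searches to the indexers directly.
[clustering]
mode = searchhead
master_uri = https://mn.example.com:8089
pass4SymmKey = <cluster-secret>
```

Recent Splunk releases name these settings `mode = manager` / `mode = peer` and `manager_uri`; the older names shown here match the thread's terminology and are still accepted.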
