I want to set up a departmental architecture because our daily data volume is 1 GB/day.
As per the Splunk documentation about departmental architecture, only a single instance (indexer + search head) is required. But I divided the indexer and the search head through distributed search. Is this process good, or is anything wrong?
Hardware setup for indexer and search head:
Intel x86 64-bit chip architecture
12 CPU cores at 2 GHz or greater speed per core
Standard 1Gb Ethernet NIC, optional second NIC for a management network
Standard 64-bit Linux or Windows distribution
Based on the daily data volume of 1 GB/day we decided on the departmental architecture, but is it possible to follow the small tier architecture? Please let me know if I am going in the wrong direction.
For more than 100 concurrent users or searches, what setup do I have to do in the departmental architecture?
This will work for low volumes. I'd be worried about disk I/O in a VM-based solution.
Additionally, for 100 concurrent searches, look here: http://docs.splunk.com/Documentation/Splunk/6.6.3/Capacity/Accommodatemanysimultaneoussearches
Thanks for the reply,
but I have one question.
For a daily data volume of less than 1 GB/day we are using only one indexer (12-core CPU).
The indexing process will use 1 core and the remaining 11 cores will be available. So running 100 concurrent searches will take more time to execute (if the number of seconds per individual search is 10, then the approximate time to complete all searches = 90 seconds).
What will be the solution? Should I add more CPU cores to the one indexer (approx. 128 cores), or do I have to follow the indexer clustering concept? Because for index clustering the minimum daily data volume should be more than 20 GB/day.