Deployment Architecture

Departmental architecture setup for 100+ concurrent users or searches?

raghu_vedic
Path Finder

Hi,

I want to setup departmental architecture because we are getting daily data volume is 1 GB/day.

As per the splunk documentation about departmental architecture they said required only one single instance (indexer + search head). But I divide indexer to search head through distributed search , Is this process good or anything wrong.

Hardware setup for indexer and search head
Intel x86 64-bit chip architecture
12 CPU cores at 2Ghz or greater speed per core
12GB RAM
Standard 1Gb Ethernet NIC, optional second NIC for a management network
Standard 64-bit Linux or Windows distribution

Based on daily data volume 1GB/day we decide departmental architecture , but Is it possible to follow small tier architecture. Please let me know, if I am going in wrong direction.

For more 100 concurrent users or searches what setup I have to do in departmental architecture.

Tags (1)
0 Karma

esix_splunk
Splunk Employee
Splunk Employee

This will work for low volumes. Id be worried about disk I/o in a vm based solution.

Additionally, for 100 concurrent searches, look here : http://docs.splunk.com/Documentation/Splunk/6.6.3/Capacity/Accommodatemanysimultaneoussearches

0 Karma

raghu_vedic
Path Finder

Thanks for the reply,
but I have one question
for daily data volumn less than 1GB/day we are using only one indexer(12 core CPU),
for indexing process it will use 1 cores and remaining 11 cores will be available. So running 100 concurrent searches it will take more time to exceute ( If No. of sec. per individual search is=10 then Approx. time (sec.) to complete all searches = 90 seconds) .

What will be the solution Will I increase more CPU cores in one indexer(Approx. 128 cores. ) or I have to follow indexer clustering concept because for index clustering minimum daily data volumn should be more than 20 GB/day.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...