Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Departmental architecture setup for 100+ concurrent users or searches?

raghu_vedic
Path Finder
‎09-06-2017 10:24 PM

Hi,

I want to setup departmental architecture because we are getting daily data volume is 1 GB/day.

As per the splunk documentation about departmental architecture they said required only one single instance (indexer + search head). But I divide indexer to search head through distributed search , Is this process good or anything wrong.

Hardware setup for indexer and search head
Intel x86 64-bit chip architecture
12 CPU cores at 2Ghz or greater speed per core
12GB RAM
Standard 1Gb Ethernet NIC, optional second NIC for a management network
Standard 64-bit Linux or Windows distribution

Based on daily data volume 1GB/day we decide departmental architecture , but Is it possible to follow small tier architecture. Please let me know, if I am going in wrong direction.

For more 100 concurrent users or searches what setup I have to do in departmental architecture.

Tags (1)
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎09-06-2017 11:43 PM

This will work for low volumes. Id be worried about disk I/o in a vm based solution.

Additionally, for 100 concurrent searches, look here : http://docs.splunk.com/Documentation/Splunk/6.6.3/Capacity/Accommodatemanysimultaneoussearches

0 Karma
Reply

raghu_vedic
Path Finder
‎09-07-2017 12:14 AM

Thanks for the reply,
but I have one question
for daily data volumn less than 1GB/day we are using only one indexer(12 core CPU),
for indexing process it will use 1 cores and remaining 11 cores will be available. So running 100 concurrent searches it will take more time to exceute ( If No. of sec. per individual search is=10 then Approx. time (sec.) to complete all searches = 90 seconds) .

What will be the solution Will I increase more CPU cores in one indexer(Approx. 128 cores. ) or I have to follow indexer clustering concept because for index clustering minimum daily data volumn should be more than 20 GB/day.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...