Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Departmental architecture setup for 100+ concurrent users or searches?

raghu_vedic
Path Finder
‎09-06-2017 10:24 PM

Hi,

I want to setup departmental architecture because we are getting daily data volume is 1 GB/day.

As per the splunk documentation about departmental architecture they said required only one single instance (indexer + search head). But I divide indexer to search head through distributed search , Is this process good or anything wrong.

Hardware setup for indexer and search head
Intel x86 64-bit chip architecture
12 CPU cores at 2Ghz or greater speed per core
12GB RAM
Standard 1Gb Ethernet NIC, optional second NIC for a management network
Standard 64-bit Linux or Windows distribution

Based on daily data volume 1GB/day we decide departmental architecture , but Is it possible to follow small tier architecture. Please let me know, if I am going in wrong direction.

For more 100 concurrent users or searches what setup I have to do in departmental architecture.

Tags (1)
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎09-06-2017 11:43 PM

This will work for low volumes. Id be worried about disk I/o in a vm based solution.

Additionally, for 100 concurrent searches, look here : http://docs.splunk.com/Documentation/Splunk/6.6.3/Capacity/Accommodatemanysimultaneoussearches

0 Karma
Reply

raghu_vedic
Path Finder
‎09-07-2017 12:14 AM

Thanks for the reply,
but I have one question
for daily data volumn less than 1GB/day we are using only one indexer(12 core CPU),
for indexing process it will use 1 cores and remaining 11 cores will be available. So running 100 concurrent searches it will take more time to exceute ( If No. of sec. per individual search is=10 then Approx. time (sec.) to complete all searches = 90 seconds) .

What will be the solution Will I increase more CPU cores in one indexer(Approx. 128 cores. ) or I have to follow indexer clustering concept because for index clustering minimum daily data volumn should be more than 20 GB/day.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top