Deployment Architecture

Deployment hardware question.

brentsinawski
Explorer

Hello,
We are using Splunk for our alerting, log collection and performance information on about 80 servers so far. We have about 180 more to go before we are finished setting up the universal forwarders on all of the Windows boxes. My question is the hardware layout. Our plan is to use two separate hardware servers for indexers (one indexer per location PA and NY) and use one additional server as a dedicated search head\deployment server.
Is this the best way to set it up for quick searches? Or is there a better way of doing it?
We expect to receive about 12GB a day when all is said and done.

Thanks for your advice!!


kristian_kolb
Ultra Champion

This seems like a reasonable setup, i.e. it does not look like you'll be running into any performance problems if you follow the recommended hardware specs.

There are a few questions you should consider:

1) Will the forwarders load balance between the indexers, or just send to the local one? WAN capacity can be a scarce resource, but for maintenance purposes it might be good to be able to stop/restart indexers without interruptions to the log gathering.

2) Where should you place the search head/deployment server? Assuming you have just the two sites you mention, I'd say you put it where you'd have the majority of search users. If this is also the site that has the most deployment clients - good. Even though the traffic between forwarders and the DS is frequent, it is seldom intense, so it shouldn't really be a problem to manage forwarders at a remote site.

3) Consider setting up a dedicated host for all scheduled jobs. If you know that you'll want a lot of scheduled searches, consider having a dedicated host for this purpose. With cron scheduling you can set up a lot of searches that do not necessarily have to compete for resources. Remember that users can search directly from the indexers as well.

Hope this helps,

Kristian
