Deployment Architecture

Deployment hardware question.


We are using Splunk for our alerting, log collection and performance information on about 80 servers so far. We have about 180 more to go before we are finished setting up the universal forwarders on all of the Windows boxes. My question is the hardware layout. Our plan is to use two separate hardware servers for indexers (one indexer per location, PA and NY) and use one additional server as a dedicated search head/deployment server.
Is this the best way to set it up for quick searches? Or is there a better way of doing it?
We expect to receive about 12 GB a day when all is said and done.

Thanks for your advice!!


This seems like a reasonable setup, i.e. it does not look like you'll be running into any performance problems if you follow the recommended hardware specs.

There are a few questions you should consider:

1) Will the forwarders load balance between the indexers, or just send to the local one? WAN capacity can be a scarce resource, but for maintenance purposes it might be good to be able to stop/restart indexers without interruptions to the log gathering.

2) Where should you place the search head/deployment server? Assuming you have just the two sites you mention, I'd say you put it where you'd have the majority of search users. If this is also the site that has the most deployment clients - good. Even though the traffic between forwarders and the DS is frequent, it is seldom intense, so it shouldn't really be a problem to manage forwarders at a remote site.

3) Consider setting up a dedicated host for all scheduled jobs. If you know that you'll want a lot of scheduled searches, consider having a dedicated host for this purpose. With cron scheduling you can set up a lot of searches that do not necessarily have to compete for resources. Remember that users can search directly from the indexers as well.

Hope this helps,


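As an added illustration of point 1 above (load-balancing the universal forwarders across both indexers so one can be restarted for maintenance without losing logs) and of managing that setting centrally from the deployment server, the three Splunk configuration fragments below are example configs written for this answer, not files from the original poster's environment; the hostnames, the app name `outputs_lb` and the server class name are assumed placeholders.

```ini
; --- outputs.conf, pushed to every universal forwarder in the app "outputs_lb" ---
; Both indexers are listed in one output group, so each forwarder
; alternates between PA and NY instead of only sending to its local indexer.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = indexer-pa.example.com:9997, indexer-ny.example.com:9997
; Switch to the other indexer every 30 seconds (autoLB is on by default).
autoLBFrequency = 30
; Indexer acknowledgement: the forwarder keeps data queued until the indexer
; confirms it was written, so a stopped indexer means a failover, not a gap in the logs.
useACK = true

; --- deploymentclient.conf, on each forwarder (points at the search head/DS box) ---
[deployment-client]
; Check-in traffic is frequent but small, so a remote site is fine here.
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = searchhead-ds.example.com:8089

; --- serverclass.conf, on the deployment server ---
; Every Windows forwarder gets the outputs_lb app and restarts to apply it.
[serverClass:windows_forwarders]
whitelist.0 = *
machineTypesFilter = windows-x64, windows-intel

[serverClass:windows_forwarders:app:outputs_lb]
restartSplunkd = true
stateOnClient = enabled
```

With this in place, stopping either indexer for maintenance only shifts traffic to the other one, which can be confirmed from the forwarder's splunkd.log or with `splunk list forward-server` on a forwarder.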