I have gone through the Capacity planning document and derived my Splunk server configurations based on the requirement.
I have two search heads and two indexers each in two sites with multisite indexer clustering and search head clustering. In total I have 4 search heads, 1 search head deployer, 4 indexers, 1 master node and 1 deployment server.
Somewhere I read in the Splunk documentation that, for search head and indexer clustering environments, we should have all the server configurations be identical, but I am not able to recollect the document name.
Can anyone please confirm whether we require all the server configurations to be identical if we are going with search head and indexer clustering?
Based on my own work with these two technologies, keeping slightly different indexer configurations seems possible, but I can't imagine any reason you'd want to, outside of migrating a legacy non-clustered indexer into a cluster. For search heads, I wouldn't even attempt such.
We have two search heads and two indexers each in search head & index clustering with two sites. In total we have 4 search heads and 4 indexers, 1 master node, 1 deployer and 1 deployment server as per our design.
We are planning to provision our servers in the AWS cloud, so we would like to know the server configuration we have to go with for the below requirement.
Concurrent users: 25
Saved Searches: 15
Licensing model: 100GB/day
Site replication factor: origin:2, site1:1, total:3
So long as the AWS instances meet the minimum hardware requirements from Splunk, that configuration should easily handle 100GB, and still allow you to grow your license volume at least 2x, and possibly 3-4x assuming you are using forwarders to distribute to all the indexers in a given site or monitoring files. Using a UDP or TCP listener on an indexer has a serious negative impact on performance. If you need to run such a listener, stand up a forwarder for it (HF or UF).
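The forwarder arrangement suggested in the answer above, sketched as an added example that is not part of the original thread: the network listener lives on a dedicated forwarder, which load-balances across both indexers of its site. The host names, the listener port 1514, the receiving port 9997 and the group name `site1_indexers` are assumptions.

```ini
# --- inputs.conf on the dedicated forwarder (HF or UF), not on an indexer ---
# Listener port 1514 is an assumed value; use whatever your senders target.
[udp://1514]
sourcetype = syslog
connection_host = ip

[tcp://1514]
sourcetype = syslog
connection_host = ip

# --- outputs.conf on the same forwarder ---
[tcpout]
defaultGroup = site1_indexers

# Listing more than one server makes the forwarder load-balance between them,
# so both indexers in the site receive a share of the data.
# Host names are hypothetical placeholders.
[tcpout:site1_indexers]
server = idx1.site1.example.com:9997, idx2.site1.example.com:9997
# Indexer acknowledgment: the forwarder resends data an indexer did not confirm.
useACK = true

# --- inputs.conf on each indexer: receive from forwarders only ---
# No [udp://...] or [tcp://...] stanza on the indexers themselves.
[splunktcp://9997]
disabled = 0
```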