For a 100% Virtual Environment:
I am planning to deploy Splunk 6.5 on Linux RHEL 7.2 in a distributed search architecture. My indexers will be clustered. I am performing capacity planning for HOT/COLD buckets on each indexer, and I will have two NON-clustered search heads.
For the two search heads, do I need to apply the same HOT/COLD bucket planning, or can I just assign a local disk as part of the VMDK for storage?
I would appreciate any feedback.
Thanks,
Jordi
As long as you're forwarding data from your search heads to your indexers as described in http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Forwardsearchheaddata you'll be fine assigning storage as you would any other app server. The things that use space on the search head, such as search results, don't have the concept of hot/cold.
If you choose not to forward data from the search head, you'll end up with at least the internal indexes including _internal and _audit on your search head, plus any summary indexes you create. You might need to manage hot/cold on your search head if you take that approach.
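For reference, the forwarding setup described in that doc page boils down to a small outputs.conf on the search head. The sketch below follows the linked documentation; the indexer hostnames and the port 9997 are placeholders you would replace with your own:

```
# outputs.conf on the search head
# Turn off local indexing so everything goes to the indexer tier.
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
# Forward internal indexes (_internal, _audit) as well.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:primary_indexers]
# Placeholder indexer addresses -- substitute your clustered indexers.
server = idx1.example.com:9997,idx2.example.com:9997
```

With this in place, even the search head's internal logs land on the indexers, so local storage only needs to hold the OS, the Splunk binaries, and search artifacts.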
Thank you jtacy. I will forward the data to the indexers, since that has several advantages, so I can simply create a regular local disk for the Linux OS. Is there a minimum HDD size for search heads recommended by Splunk?
Looks like Splunk has posted a recommendation in the docs, but your actual usage will mostly depend on the type of searches people run and how long the results are retained. I've gotten away with much less than the recommendation, but users can burn a lot of disk rapidly if their Splunk roles have liberal quotas. Regardless of the size you choose, make sure to have disk space monitoring in place before your go-live. This is already the norm on RHEL, but I would also make sure to use LVM on all file systems where Splunk lives so you can easily expand. Have fun, it's going to be great!
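As a starting point for that monitoring, here is a minimal POSIX shell sketch that warns when a filesystem crosses a usage threshold. The path and threshold are assumptions; point it at wherever Splunk lives (e.g. /opt/splunk) and run it from cron or your monitoring agent:

```shell
#!/bin/sh
# check_disk FS THRESHOLD
# Warn when the filesystem holding FS is at or above THRESHOLD percent used.
check_disk() {
    fs=$1
    threshold=$2
    # df -P gives one portable-format line per filesystem; column 5 is "Use%".
    used=$(df -P "$fs" | awk 'NR==2 { sub(/%/, "", $5); print $5 }')
    if [ "$used" -ge "$threshold" ]; then
        echo "WARNING: $fs is ${used}% full (threshold ${threshold}%)"
        return 1
    fi
    echo "OK: $fs is ${used}% full"
}

# Example invocation; replace / with the Splunk filesystem on your host.
check_disk / 100
```

If the volume does fill up, the LVM layout mentioned above lets you grow it in place (lvextend plus a filesystem resize) without reinstalling anything.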
See http://docs.splunk.com/Documentation/Splunk/6.5.0/Capacity/Referencehardware#Dedicated_search_head for the recommended configuration.