Deployment Architecture

Guidance on how to estimate impact on Splunk deployment to suit client request

pjb2160
Path Finder

I am keen to get an idea on some best practice for how to estimate impact on our Splunk deployment to suit a client request.

For example, the client might say they want real-time monitoring across multiple log sources rendered in a dashboard with other complex correlations.

The resulting question is do we need to scale our deployment to suit their specific need? It may mean minor changes to the Search Head (e.g. more cores, more memory) or it may mean we need to significantly adjust our deployment model (e.g. purchase more storage; build more Search Heads and Indexers; use a Heavy Forwarder to pre-process rather than a Universal Forwarder...).

If we do need to make such changes, it might result in a determination that the cost of updating the Splunk deployment to suit the client’s request is not commensurate with the benefit derived from the client's monitoring.

I have asked around and got some good suggestions (see dot points below) but they are after we would have spent some time trying to pull the data in, write the query, etc. I'm particularly interested in trying to make such a determination well before we get to that point. I'm sure others have experienced this many times and am hoping at least one of you out there is happy to impart some quality advice.

  • Determine time to complete query
  • Determine the burden of concurrent searches on a given search head over time

I hope this makes sense.

Cheers,
P

1 Solution

ChrisG
Splunk Employee

There is some guidance in the documentation, if you have not looked at the Capacity Planning Manual, that discusses many aspects of hardware capacity planning and scaling your deployment.

There is also an unofficial Splunk sizing web site that some people have found useful.

pjb2160
Path Finder

Thanks @ChrisG
