Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Hardware Requirements for 30GB/Day

rami1918
Engager
‎03-10-2021 09:51 PM

Hi,

We are planning to move our Splunk environment to our Nutanix infrastructure. We expect our collected logs to be 20-30 GB/Day and Splunk is mainly used as a SIEM solutions where around 4 users are accessing concurrently

We had some internal discussions, and I wanted to understand if we can use less resources than the mentioned below to run Splunk+ES, and if any one is running a similar setup can share the used hardware specs

Search head 24vCPU, 32GB
ES search head 24vCPU, 32GB
Indexer 24vCPU, 32GB
License + Deployment 12vCPU, 16GB

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2021 11:45 PM

Hi @rami1918,

the minimum requirent6es for Enterprise Security installation is:

Search head16 cores32GB
Indexer16 cores32GB

As you can see at https://docs.splunk.com/Documentation/ES/6.5.0/Install/DeploymentPlanning

But I hint to use more CPUs especially if you have to enable many scheduled searches, so I think that it's better to use the configuration you proposed.

Eventually you could reduce RAM for the Deployment Server to 12 GB and analyze the Apps to install in the other Search Head to understand if you can reduce something in that installation, but don't reduce ES Search Head and Indexer.

Maintaining the same use of CPUs probably (you can understand this only after the analysis I hinted) it's better to reduce the CPUs and RAM on the first Search Head and put those resources in the ES Search Head and Indexer.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

rami1918
Engager
‎03-15-2021 05:57 AM

Thanks,

I wanted to clarify one more thing. Our vendor is providing us the CPU with 3.2 GHz, I have reviewed one document for Splunk stating that the requirements is 2 GHz. Will this reduce the amount of required cores?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-15-2021 06:35 AM

Hi @rami1918,

No I don't think!

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2021 11:45 PM

Hi @rami1918,

the minimum requirent6es for Enterprise Security installation is:

Search head16 cores32GB
Indexer16 cores32GB

As you can see at https://docs.splunk.com/Documentation/ES/6.5.0/Install/DeploymentPlanning

But I hint to use more CPUs especially if you have to enable many scheduled searches, so I think that it's better to use the configuration you proposed.

Eventually you could reduce RAM for the Deployment Server to 12 GB and analyze the Apps to install in the other Search Head to understand if you can reduce something in that installation, but don't reduce ES Search Head and Indexer.

Maintaining the same use of CPUs probably (you can understand this only after the analysis I hinted) it's better to reduce the CPUs and RAM on the first Search Head and put those resources in the ES Search Head and Indexer.

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...