Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Hardware sizing for Accelerate data models-- Is there a tool that helps in sizing a server?

linspec9721
Explorer
‎09-15-2022 08:07 AM

Hello folks,

there is a tool that helps in sizing a server that will work with accelerate data models ?

Or wich is the best way to achieve that goal?

It seams that splunk base configuration 12cpu/12gb of ram is not enoght.

Thank you all.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2022 10:37 PM

Hi @linspec9721,

in this case the hardware reference starts from the minimum you know (12 CPUs and 12 RAM) and groths if you have many users and/or many scheduled searches (e.g. if you have Splunk Security Essentials App).

My hint is to start with the hardware reference and monitor your Splunk environment to see if there are peaks that require more resources:

  • if you're using a virtual environment isn't a problem to add more resources,
  • if instead you have a physical environment you should make a test period to understand your load, and anyway you can scalate your architetture adding other machines or you could start with an enlarged configuration.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2022 08:18 AM

Hi @linspec9721,

the storage required for accelerated Data Model, for one year is around

data indexed per day * 3.4

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

linspec9721
Explorer
‎09-15-2022 08:35 AM

Hello @gcusello.

And regarding CPU and RAM sizing? Default 12/12 configuration it seems not enought.

Thank you.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2022 08:40 AM

Hi @linspec9721,

are you speaking of ES or ITSI?

in these cases there are different configurations.

If instead you're speaking of Splunk Enterprise, the CPUs and RAM depend on the users, datamodel acceleration shouldn't give problems, obviously if you have many users that use datamodels, you need more resources.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

linspec9721
Explorer
‎09-15-2022 09:10 AM

Hello @gcusello ,

I was speaking about Enterprise version.

Thank you

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2022 10:37 PM

Hi @linspec9721,

in this case the hardware reference starts from the minimum you know (12 CPUs and 12 RAM) and groths if you have many users and/or many scheduled searches (e.g. if you have Splunk Security Essentials App).

My hint is to start with the hardware reference and monitor your Splunk environment to see if there are peaks that require more resources:

  • if you're using a virtual environment isn't a problem to add more resources,
  • if instead you have a physical environment you should make a test period to understand your load, and anyway you can scalate your architetture adding other machines or you could start with an enlarged configuration.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...