Deployment Architecture

How can I set up a couple of VMs on Azure?

danielbb
Motivator

We are building a small Splunk installation in Azure and I'm not sure what the architecture should look like. The client came up with the idea based on the following link - Deploying Splunk on Microsoft Azure.

They created an indexer, a search head, and a license server/cluster master. We do need to ingest syslog data from Meraki devices, so I wonder whether we need a heavy forwarder.

Any thoughts?

0 Karma

gcusello
SplunkTrust

Hi @danielbb ,

as also @richgalloway said, there are more parameters that you have to consider:

data volume, HA or not HA, number of users and scheduled searches, etc...

My first hint is to engage a Splunk Certified Architect or a Splunk Professional Services to design your architecture.

You could find some ideas at https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf

E.g.: having only one Indexer, there is no requirement for a Cluster Manager and you can put the License Manager on the same Indexer; the Cluster Manager is required if you have HA requirements and you have at least two Indexers.

About the HF, it depends on many factors:

where are your Meraki servers located, on-premise or in the Cloud?

if on-premise, it's a best practice to have a concentrator between devices and Indexers; anyway, you could also put the syslog receiver on the Indexers (it isn't a best practice).

Then, how does Meraki send logs? If by syslog, you should configure an rsyslog server or SC4S on a dedicated server.

As I said, I hint to engage a Splunk Certified Architect.

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust

We need more information. How much data will be ingested each day? How long will that data be retained? How much searching will the system perform?

If you have a single indexer then there is no need for a Cluster Manager (f.k.a. Cluster Master) and the search head can serve as the License Manager on such a small system. For larger ingest amounts and better search performance, multiple indexers may be needed, which call for a Cluster Manager.

Syslog data should not be sent directly to a Splunk process. Instead, send it to a dedicated syslog server (rsyslog or syslog-ng) and write it to disk. Have a Splunk Universal Forwarder monitor the disk and forward the data to the indexer(s).

---
If this reply helps you, Karma would be appreciated.
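One concrete way to wire up the syslog-to-disk-to-Universal-Forwarder path described in the replies above, as an added example that is not part of any reply on this page. The file paths, listener port, index and sourcetype names are assumptions to adapt to your environment; the Meraki dashboard lets you choose the syslog server port, and the UF host_segment must match the directory depth you pick.

```conf
# --- /etc/rsyslog.d/10-meraki.conf (assumed path; rsyslog 8 RainerScript syntax) ---
module(load="imudp")
module(load="imtcp")

# One file per sending device per day, so the forwarder can track and rotate cleanly
template(name="MerakiFile" type="string"
         string="/var/log/meraki/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Write the raw line (original timestamp, no rsyslog reformatting) so Splunk parses it
template(name="MerakiRaw" type="string" string="%rawmsg%\n")

# Dedicated ruleset: Meraki traffic never mixes with the host's own syslog
ruleset(name="meraki") {
    action(type="omfile" dynaFile="MerakiFile" template="MerakiRaw"
           dirCreateMode="0750" fileCreateMode="0640")
}

# Port 514 is the Meraki default; bind the listeners only to the Meraki ruleset
input(type="imudp" port="514" ruleset="meraki")
input(type="imtcp" port="514" ruleset="meraki")

# --- inputs.conf on the Universal Forwarder (e.g. in a deployment app's local/ directory) ---
[monitor:///var/log/meraki/*/*.log]
# "meraki" sourcetype and "network" index are assumed names; align with your add-on/indexes
sourcetype = meraki
index = network
# Path is /var/log/meraki/<device>/<date>.log: segment 1=var, 2=log, 3=meraki, 4=<device>
host_segment = 4
disabled = 0
```

Because the UF tails files rather than listening on the network, a UF restart or indexer outage no longer drops syslog packets; rsyslog keeps writing and the forwarder catches up from disk.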