Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to determine hard drive disk space sizing for the search head?

kiril123
Path Finder
‎06-08-2017 10:36 AM

Hello,

We are adding a search head server and I am trying to work out how much HDD space will be required. My understanding is that indexers require the largest amount of HDD space as they index and store the data. What about a search head? We are planning to run a lot of scheduled searches and summary indexes.

Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-08-2017 01:36 PM

The number of searches that you run does affect the disk space on a search head. The results of searches are stored in $SPLUNK_HOME/var/run/splunk/dispatch
You could look at your existing servers to see how much disk space this requires. It is probably tiny compared to your indexes...

On a search head, I usually set up a dedicated drive or mount point for the $SPLUNK_HOME/var directory tree. That way it is easy to monitor. The var subdirectory contains all of the "dynamic" files that are created: log files, search results, etc.

In addition, do NOT store the summary indexes on the search head. The best practice is to forward summary indexes to the indexers. While you don't have to follow this best practice now, perhaps, you should. Here is how:
Best Practice: Forward search head data to indexing layer

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-08-2017 01:36 PM

The number of searches that you run does affect the disk space on a search head. The results of searches are stored in $SPLUNK_HOME/var/run/splunk/dispatch
You could look at your existing servers to see how much disk space this requires. It is probably tiny compared to your indexes...

On a search head, I usually set up a dedicated drive or mount point for the $SPLUNK_HOME/var directory tree. That way it is easy to monitor. The var subdirectory contains all of the "dynamic" files that are created: log files, search results, etc.

In addition, do NOT store the summary indexes on the search head. The best practice is to forward summary indexes to the indexers. While you don't have to follow this best practice now, perhaps, you should. Here is how:
Best Practice: Forward search head data to indexing layer

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...