Deployment Architecture

How to determine hard drive disk space sizing for the search head?

kiril123
Path Finder

Hello,

We are adding a search head server and I am trying to work out how much HDD space will be required. My understanding is that indexers require the largest amount of HDD space as they index and store the data. What about a search head? We are planning to run a lot of scheduled searches and summary indexes.

1 Solution

lguinn2
Legend

The number of searches that you run does affect the disk space on a search head. The results of searches are stored in $SPLUNK_HOME/var/run/splunk/dispatch
You could look at your existing servers to see how much disk space this requires. It is probably tiny compared to your indexes...

On a search head, I usually set up a dedicated drive or mount point for the $SPLUNK_HOME/var directory tree. That way it is easy to monitor. The var subdirectory contains all of the "dynamic" files that are created: log files, search results, etc.

In addition, do NOT store the summary indexes on the search head. The best practice is to forward summary indexes to the indexers. While you don't have to follow this best practice now, perhaps, you should. Here is how:
Best Practice: Forward search head data to indexing layer

View solution in original post

lguinn2
Legend

The number of searches that you run does affect the disk space on a search head. The results of searches are stored in $SPLUNK_HOME/var/run/splunk/dispatch
You could look at your existing servers to see how much disk space this requires. It is probably tiny compared to your indexes...

On a search head, I usually set up a dedicated drive or mount point for the $SPLUNK_HOME/var directory tree. That way it is easy to monitor. The var subdirectory contains all of the "dynamic" files that are created: log files, search results, etc.

In addition, do NOT store the summary indexes on the search head. The best practice is to forward summary indexes to the indexers. While you don't have to follow this best practice now, perhaps, you should. Here is how:
Best Practice: Forward search head data to indexing layer

Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...