Deployment Architecture

How to determine hard drive disk space sizing for the search head?

kiril123
Path Finder

Hello,

We are adding a search head server and I am trying to work out how much HDD space will be required. My understanding is that indexers require the largest amount of HDD space as they index and store the data. What about a search head? We are planning to run a lot of scheduled searches and summary indexes.

1 Solution

lguinn2
Legend

The number of searches that you run does affect the disk space on a search head. The results of searches are stored in $SPLUNK_HOME/var/run/splunk/dispatch
You could look at your existing servers to see how much disk space this requires. It is probably tiny compared to your indexes...

On a search head, I usually set up a dedicated drive or mount point for the $SPLUNK_HOME/var directory tree. That way it is easy to monitor. The var subdirectory contains all of the "dynamic" files that are created: log files, search results, etc.

In addition, do NOT store the summary indexes on the search head. The best practice is to forward summary indexes to the indexers. While you don't have to follow this best practice now, perhaps, you should. Here is how:
Best Practice: Forward search head data to indexing layer

View solution in original post

lguinn2
Legend

The number of searches that you run does affect the disk space on a search head. The results of searches are stored in $SPLUNK_HOME/var/run/splunk/dispatch
You could look at your existing servers to see how much disk space this requires. It is probably tiny compared to your indexes...

On a search head, I usually set up a dedicated drive or mount point for the $SPLUNK_HOME/var directory tree. That way it is easy to monitor. The var subdirectory contains all of the "dynamic" files that are created: log files, search results, etc.

In addition, do NOT store the summary indexes on the search head. The best practice is to forward summary indexes to the indexers. While you don't have to follow this best practice now, perhaps, you should. Here is how:
Best Practice: Forward search head data to indexing layer

*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>