Deployment Architecture

How to determine hard drive disk space sizing for the search head?

Path Finder

Hello,

We are adding a search head server and I am trying to work out how much HDD space will be required. My understanding is that indexers require the largest amount of HDD space as they index and store the data. What about a search head? We are planning to run a lot of scheduled searches and summary indexes.

1 Solution

Legend

The number of searches that you run does affect the disk space on a search head. The results of searches are stored in $SPLUNK_HOME/var/run/splunk/dispatch
You could look at your existing servers to see how much disk space this requires. It is probably tiny compared to your indexes...

On a search head, I usually set up a dedicated drive or mount point for the $SPLUNK_HOME/var directory tree. That way it is easy to monitor. The var subdirectory contains all of the "dynamic" files that are created: log files, search results, etc.

In addition, do NOT store the summary indexes on the search head. The best practice is to forward summary indexes to the indexers. While you don't have to follow this best practice now, perhaps, you should. Here is how:
Best Practice: Forward search head data to indexing layer

View solution in original post

Legend

The number of searches that you run does affect the disk space on a search head. The results of searches are stored in $SPLUNK_HOME/var/run/splunk/dispatch
You could look at your existing servers to see how much disk space this requires. It is probably tiny compared to your indexes...

On a search head, I usually set up a dedicated drive or mount point for the $SPLUNK_HOME/var directory tree. That way it is easy to monitor. The var subdirectory contains all of the "dynamic" files that are created: log files, search results, etc.

In addition, do NOT store the summary indexes on the search head. The best practice is to forward summary indexes to the indexers. While you don't have to follow this best practice now, perhaps, you should. Here is how:
Best Practice: Forward search head data to indexing layer

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!