Deployment Architecture

I want to design a distributed Splunk architecture and need to know system requirements for components

lostcauz3
Path Finder

Hi, I'm trying to design a distributed architecture of Splunk for my company, and I need to pitch the design to them. I need to know the total number of servers required and each system's specifications.

How can I start with this? I have little knowledge of the Splunk admin parts, mainly because I am a developer.

Users/day can be less than 1000 and the indexing volume should be around 5 GB/day.

Can anyone please recommend where to start?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @lostcauz3 ,

this is a job for a Splunk Certified Architect, not for the Community, and I'd avoid designing a distributed architecture with the low level of knowledge that you said you have.

Anyway, there is a lot of information required:

  • is HA required at data level (indexer Cluster)?
  • is HA required at presentation level (Search Head Cluster)?
  • do you need to use Premium apps such as ES or ITSI?
  • do you have Universal Forwarders to manage? If yes, how many?
  • what's the retention of your data?
  • can you confirm 5 GB/day of daily indexed data?
  • how many concurrent users do you expect to have (1000 are probably too many!)?

Anyway, you can find information about the validated Splunk architectures in the document https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf

About hardware reference, you can see at https://docs.splunk.com/Documentation/Splunk/9.3.0/Capacity/Referencehardware

Ciao.

Giuseppe

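The retention, daily-volume and indexer-cluster questions in the answer above all feed one number that a pitch needs: how much disk the retention window costs. The following estimator is an added example, not code from the thread or from any Splunk tool. It assumes the rule-of-thumb ratios quoted in Splunk's capacity-planning documentation (compressed rawdata roughly 15% of ingested volume, index files roughly 35%), that an indexer cluster keeps rawdata replication-factor times and searchable index files search-factor times, and a 20% planning headroom that is my own choice; the 90-day retention in the usage call is a constructed value, since the thread never states one.

```python
"""Rough Splunk storage-sizing estimator (added example, not code from the thread).

Assumed rule-of-thumb ratios from Splunk's capacity-planning docs: after indexing,
compressed rawdata is roughly 15% of the ingested volume and the index (tsidx)
files roughly 35%, so about 50% of raw volume lands on disk per copy. In an
indexer cluster, rawdata is kept replication_factor times and searchable index
files search_factor times. The headroom default is an assumed planning margin.
"""
from dataclasses import dataclass

RAWDATA_RATIO = 0.15   # assumed: compressed rawdata / ingested volume
INDEX_RATIO = 0.35     # assumed: tsidx and metadata / ingested volume


@dataclass(frozen=True)
class SizingInput:
    daily_gb: float               # indexed volume per day (the thread's figure: 5)
    retention_days: int           # how long data must stay searchable
    replication_factor: int = 1   # rawdata copies; 1 = single indexer, no cluster
    search_factor: int = 1        # searchable (index) copies; must be <= replication_factor
    headroom: float = 0.20        # assumed growth margin on top of the total


def estimate_storage_gb(inp: SizingInput) -> dict:
    """Return a breakdown of total on-disk GB needed for the retention window."""
    if inp.daily_gb <= 0 or inp.retention_days <= 0:
        raise ValueError("daily_gb and retention_days must be positive")
    if inp.replication_factor < 1 or inp.search_factor < 1:
        raise ValueError("replication and search factors must be at least 1")
    if inp.search_factor > inp.replication_factor:
        raise ValueError("search_factor cannot exceed replication_factor")
    if not 0 <= inp.headroom < 1:
        raise ValueError("headroom must be a fraction in [0, 1)")

    ingested = inp.daily_gb * inp.retention_days
    rawdata = ingested * RAWDATA_RATIO * inp.replication_factor
    index = ingested * INDEX_RATIO * inp.search_factor
    subtotal = rawdata + index
    total = subtotal * (1 + inp.headroom)
    return {
        "ingested_gb": round(ingested, 1),
        "rawdata_gb": round(rawdata, 1),
        "index_gb": round(index, 1),
        "subtotal_gb": round(subtotal, 1),
        "total_gb": round(total, 1),
    }


def per_indexer_gb(total_gb: float, indexers: int) -> float:
    """Spread the cluster total evenly across indexers (an even split is an assumption)."""
    if indexers < 1:
        raise ValueError("need at least one indexer")
    return round(total_gb / indexers, 1)


def compare_topologies(daily_gb: float, retention_days: int) -> dict:
    """Compare a single indexer with a small HA cluster (RF=2/SF=2 assumed) on the same data."""
    single = estimate_storage_gb(SizingInput(daily_gb, retention_days))
    cluster = estimate_storage_gb(
        SizingInput(daily_gb, retention_days, replication_factor=2, search_factor=2)
    )
    return {
        "single_indexer_total_gb": single["total_gb"],
        "cluster_total_gb": cluster["total_gb"],
        "cluster_per_indexer_gb": per_indexer_gb(cluster["total_gb"], 2),
    }


if __name__ == "__main__":
    # The thread's figure is 5 GB/day; 90 days of retention is a constructed assumption.
    for name, value in compare_topologies(daily_gb=5, retention_days=90).items():
        print(f"{name}: {value}")
```

With the thread's 5 GB/day and an assumed 90-day retention, a single indexer needs on the order of a few hundred GB, which is why the answers call this a small installation; doubling the replication and search factors for HA roughly doubles the disk, and the cluster cost is paid in extra servers and copies rather than in raw ingest. Swap in your real retention and the ratios your own environment measures before putting any number in a pitch.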

lostcauz3
Path Finder

Hi @gcusello, thank you for your valuable feedback. Indeed I'm not an architect, but thanks for the pointers; I will go through them.

I have one more question: if we are going with a new environment in Splunk, is it ideally best to go with the latest version?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @lostcauz3 ,

good for you, see next time!

yes, I always use the latest version of Splunk.

Only one additional piece of information, as @PickleRick also said: check your volume requirements, because 5 GB/day and 1000 users are strange numbers: 5 GB/day is a very small installation, which usually doesn't require a distributed architecture, but 1000 users is a number for a very large and complex infrastructure.

Closing: see and follow the Splunk Architect Certification path (if you have time), or engage a Certified Splunk Partner for your design and implementation.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

PickleRick
SplunkTrust
SplunkTrust

As to whether to use the latest version... well, that's a bit more complicated.

As a rule of thumb - yes. Latest versions should contain fixes, vulnerability patches and possibly new functionalities. But in specific cases you might have unusual needs regarding compatibility or particular bugs being (not) present in some versions.

So again - it's not as straightforward as it would seem. In a newly installed environment I'd probably go for the latest version (possibly with the exception of the x.y.0 versions and maybe x.y.1 as well), but later... I would definitely _not_ rush to upgrade the whole environment every time version x.y.z+1 comes out.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

This is something typically a Splunk Partner does for you - depending on your needs an architect from the partner's side should design a proper environment for your particular situation.

As a side note - 5GB/day (unless you have a very unusual use case which requires a lot of processing) is a relatively small installation and often can be done using a single server (but that is not what I would recommend without seeing the whole picture so don't quote me on that ;-)).

Also as @gcusello mentioned - that 1000 users value is either completely off if we're talking about Splunk users or is completely irrelevant if we're talking about users in your overall environment.

Long story short - contact your local friendly Splunk Partner for assistance.

0 Karma

