Hi, I'm trying to design a distributed architecture of Splunk for my company, and I need to pitch the design to them. I need to know the total number of servers required and each system's specifications.
How can I start with this? I have little knowledge of splunk admin parts mainly because I am a developer.
Users/day can be less than 1000 and the indexing volume should be around 5 GB/day.
Can anyone please recommend something where to start?
Hi @lostcauz3 ,
this is a job for a Splunk Certified Architect, not for the Community, and I'd avoid designing a distributed architecture with the low knowledge that you said you have.
Anyway, there is a lot of information required:
Anyway, you can find information about the validated Splunk architectures in the document https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf
For hardware reference, see https://docs.splunk.com/Documentation/Splunk/9.3.0/Capacity/Referencehardware
Ciao.
Giuseppe
Hi @gcusello, thank you for your valuable feedback. Indeed I'm not an architect, but thanks for the pointers; I will go through them.
I have one more question: if we are going with a new environment in Splunk, is it ideally best to go with the latest version?
Hi @lostcauz3 ,
good for you, see next time!
yes, I always use the latest version of Splunk.
Only one additional piece of information: as @PickleRick also said, check your volume requirements, because 5 GB/day and 1000 users are strange numbers: 5 GB/day is a very small installation, which usually doesn't require a distributed architecture, but 1000 users is a number for a very large and complex infrastructure.
Closing: see and follow the Splunk Architect Certification path (if you have time), or engage a Certified Splunk Partner for your design and implementation.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
As to whether to use the latest version... well, that's a bit more complicated.
As a rule of thumb - yes. Latest versions should contain fixes, vulnerability patches and possibly new functionalities. But in specific cases you might have unusual needs regarding compatibility or particular bugs being (not) present in some versions.
So again - it's not as straightforward as it would seem. In a newly installed environment I'd probably go for the latest version (possibly with exception of the x.y.0 versions and maybe x.y.1 as well) but later... I would definitely _not_ rush to upgrade whole environment every time version x.y.z+1 comes out.
This is something typically a Splunk Partner does for you - depending on your needs an architect from the partner's side should design a proper environment for your particular situation.
As a side note - 5 GB/day (unless you have a very unusual use case which requires a lot of processing) is a relatively small installation and can often be done using a single server (but that is not what I would recommend without seeing the whole picture, so don't quote me on that ;-)).
Also as @gcusello mentioned - that 1000 users value is either completely off if we're talking about Splunk users or is completely irrelevant if we're talking about users in your overall environment.
Long story short - contact your local friendly Splunk Partner for assistance.