Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If I cluster do I need RAID?

robertlynch2020
Motivator
‎02-19-2020 06:45 AM

Hi

we are about to move from single install to cluster Install on 3 machines (1 search head and 3 indexers) and we are getting SSD.

As SSD is expensive, do we need to add on RAID as well?

Thanks in Advance
Rob

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-19-2020 07:01 AM

Hi @robertlynch2020,
at first to have an Indexer Cluster you need also an additional server called Master Node that manages cluster and cannot be neither Search Head or Indexer.

About SSD you should read https://www.splunk.com/en_us/blog/tips-and-tricks/quantifying-the-benefits-of-splunk-with-ssds.html and https://docs.splunk.com/Documentation/Splunk/8.0.2/Capacity/Referencehardware .
Sequential write performance on SSD vs SAS is pretty similar so no real benefit for Splunk on an SSD here.

Anyway I didn't see any Splunk installation without RAID0 on system disks and RAID1+0 on data disks.
Eventually you could think to have fast disks for hot and warm buckets and slower disks for cold buckets.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Motivator
‎02-19-2020 07:58 AM

Hi

Thanks for this, so we are looking to go for RAID 5 on SSD.

So after reading the document i get the feeling SSD vs. SAN

Write: Is the same
Read sequential: Is the same
Read Sparc: Is much better

Most of our data is in datamodels, so i am not sure if that also make a difference?
At the moment the current install is on SSD, so i am a bit nervous from moving back to SAN!

Thanks
Robert

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-19-2020 07:01 AM

Hi @robertlynch2020,
at first to have an Indexer Cluster you need also an additional server called Master Node that manages cluster and cannot be neither Search Head or Indexer.

About SSD you should read https://www.splunk.com/en_us/blog/tips-and-tricks/quantifying-the-benefits-of-splunk-with-ssds.html and https://docs.splunk.com/Documentation/Splunk/8.0.2/Capacity/Referencehardware .
Sequential write performance on SSD vs SAS is pretty similar so no real benefit for Splunk on an SSD here.

Anyway I didn't see any Splunk installation without RAID0 on system disks and RAID1+0 on data disks.
Eventually you could think to have fast disks for hot and warm buckets and slower disks for cold buckets.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-19-2020 08:05 AM

Never RAID 5 because is slower than RAID1+0!
Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Motivator
‎02-21-2020 02:30 AM

Hi

Thanks for the info, at the moment Splunk is on RAID 5 and the performance is good, but i will hopefully be able to take your advice for the future.

Rob

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...