Deployment Architecture

Indexer on RAID 0

hectorvp
Communicator

Hi Splunkers,

Our customer is demanding to reduce cost on infra with storage aspects on indexers.

Initially we had provided RAID 10 configurations (as per Splunk recommendations), but ,now we are moving forward with RAID 0 configuration as it will halve our storage requirement and will provide good IOPS atleast.

Is anyone using RAID 0 on prods for indexers?

I managed few with reducing on data retention policy....we have estimated 400 GB of daily ingestion by 400UFs.

Indexer cluster with 2 indexers. And 1 search head....we may not have more than 2 users on search head and limit amount of searching (mostly scheduled searches?

Infra service provider are providing some integrated disk backup to the indexers, this where I will currently be investigating about what exactly are they using as disk backup.  

I doubt if we can request to provide RAID 10 for hot and warm and RAID0 of cold... this is what again worrying me right now.

But can anyone let me know if they are using successfully RAID 0 for indexers on prod?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @hectorvp,

I usually avoid to use RAID0 because there are two risks:

  • to lose data,
  • stop the service,

first proble is usually solved with the the second Indexer and Forwarders Cache; but, if there's a problem on one disk of Indexer1, until this issue is solved (and probably on physical Inders it isn't a problem of five minutes!), you have only indexer2 running so you're working without parachute! 

Maybe you could try to store cold buckets on a slower storages or reduce retention, but I don't like RAID!

Ciao.

Giuseppe

View solution in original post

hectorvp
Communicator

Thanks @gcusello ,

Understood with this part,

I've another thought to save budget on infra would be clubbing DS and search head on single box, since we dont have much aggressive searching, hardly 2 users so this may work. And currently DS will support 400 UFs and future upto 1000.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hectorvp,

sorry again for a new negative answer: Deployment Server must be on a dedicated server when it has to manage more than 50 clients (https://docs.splunk.com/Documentation/Splunk/8.1.0/Updating/Planadeployment#Deployment_server_system...).

I understand that your Search Head isn't much used but DS works very hardly when it must manage many clients.

Same thing for Search Head it isn't a good idea to share the same server with other roles (as Master Node).

Ciao.

Giuseppe

hectorvp
Communicator

Thanks @gcusello , we've decided to keep all on different boxes.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hectorvp,

I usually avoid to use RAID0 because there are two risks:

  • to lose data,
  • stop the service,

first proble is usually solved with the the second Indexer and Forwarders Cache; but, if there's a problem on one disk of Indexer1, until this issue is solved (and probably on physical Inders it isn't a problem of five minutes!), you have only indexer2 running so you're working without parachute! 

Maybe you could try to store cold buckets on a slower storages or reduce retention, but I don't like RAID!

Ciao.

Giuseppe

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...