Deployment Architecture

Indexer on RAID 0

hectorvp
Communicator

Hi Splunkers,

Our customer is demanding to reduce cost on infra with storage aspects on indexers.

Initially we had provided RAID 10 configurations (as per Splunk recommendations), but ,now we are moving forward with RAID 0 configuration as it will halve our storage requirement and will provide good IOPS atleast.

Is anyone using RAID 0 on prods for indexers?

I managed few with reducing on data retention policy....we have estimated 400 GB of daily ingestion by 400UFs.

Indexer cluster with 2 indexers. And 1 search head....we may not have more than 2 users on search head and limit amount of searching (mostly scheduled searches?

Infra service provider are providing some integrated disk backup to the indexers, this where I will currently be investigating about what exactly are they using as disk backup.  

I doubt if we can request to provide RAID 10 for hot and warm and RAID0 of cold... this is what again worrying me right now.

But can anyone let me know if they are using successfully RAID 0 for indexers on prod?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @hectorvp,

I usually avoid to use RAID0 because there are two risks:

  • to lose data,
  • stop the service,

first proble is usually solved with the the second Indexer and Forwarders Cache; but, if there's a problem on one disk of Indexer1, until this issue is solved (and probably on physical Inders it isn't a problem of five minutes!), you have only indexer2 running so you're working without parachute! 

Maybe you could try to store cold buckets on a slower storages or reduce retention, but I don't like RAID!

Ciao.

Giuseppe

View solution in original post

hectorvp
Communicator

Thanks @gcusello ,

Understood with this part,

I've another thought to save budget on infra would be clubbing DS and search head on single box, since we dont have much aggressive searching, hardly 2 users so this may work. And currently DS will support 400 UFs and future upto 1000.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hectorvp,

sorry again for a new negative answer: Deployment Server must be on a dedicated server when it has to manage more than 50 clients (https://docs.splunk.com/Documentation/Splunk/8.1.0/Updating/Planadeployment#Deployment_server_system...).

I understand that your Search Head isn't much used but DS works very hardly when it must manage many clients.

Same thing for Search Head it isn't a good idea to share the same server with other roles (as Master Node).

Ciao.

Giuseppe

hectorvp
Communicator

Thanks @gcusello , we've decided to keep all on different boxes.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hectorvp,

I usually avoid to use RAID0 because there are two risks:

  • to lose data,
  • stop the service,

first proble is usually solved with the the second Indexer and Forwarders Cache; but, if there's a problem on one disk of Indexer1, until this issue is solved (and probably on physical Inders it isn't a problem of five minutes!), you have only indexer2 running so you're working without parachute! 

Maybe you could try to store cold buckets on a slower storages or reduce retention, but I don't like RAID!

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...