Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is SAN or local storage preferable when building a search head cluster?

ankithreddy777
Contributor
‎01-18-2017 09:08 AM

We want to build a search head cluster. May I know which storage is preferable: SAN or local drive? And why?

0 Karma
Reply

koshyk
Super Champion
‎01-23-2017 12:11 PM

Splunk Capacity documentation speaks about the "minimum" spec. In reality , what I have seen is Search Head is used in great extend if you have lot of TA's/addons and premium products like Enterprise Security. All these search time extractions will be run during every search, thus my view is to have "local" storage as much as possible

  • Indexer : hot data in Local or extremeIO SAN
  • Indexer: cold data in NAS
  • Indexer: /opt/splunk installation in local storage
  • SH: local storage for /opt/splunk installation
0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎01-22-2017 06:31 PM

@ankithreddy777 - Did the answer provided by gokadroid provide a solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma
Reply

gokadroid
Motivator
‎01-18-2017 09:17 AM

Storage choices always should be decided on the IOPS required for a particular Splunk Component you are devising. For example there will be no use of having a slower IOPS local storage when a SAN setup has a higher IOPS or (Random seeks or better latency values than local storage).

Since Search Head setup is more CPU and memory bound hence those factors should be of prime consideration. Here are the reference values and link:

**Dedicated search head**

 Intel 64-bit chip architecture
 16 CPU cores at 2Ghz or greater speed per core.
 12GB RAM
 2 x 300GB, 10,000 RPM SAS hard disks, configured in RAID 1
 A 1Gb Ethernet NIC, optional 2nd NIC for a management network
 A 64-bit Linux or Windows distribution

http://docs.splunk.com/Documentation/Splunk/6.5.1/Capacity/Referencehardware#Reference_host_specific...

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...