Deployment Architecture

Is SAN or local storage preferable when building a search head cluster?


We want to build a search head cluster. May I know which storage is preferable: SAN or local drive? And why?

0 Karma

Super Champion

The Splunk capacity documentation speaks about the "minimum" spec. In reality, what I have seen is that the Search Head is used to a great extent if you have a lot of TAs/add-ons and premium products like Enterprise Security. All these search-time extractions will be run during every search, thus my view is to have "local" storage as much as possible.

  • Indexer: hot data in local or extremeIO SAN
  • Indexer: cold data in NAS
  • Indexer: /opt/splunk installation in local storage
  • SH: local storage for /opt/splunk installation
0 Karma

Splunk Employee

@ankithreddy777 - Did the answer provided by gokadroid provide a solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma


Storage choices should always be decided based on the IOPS required for the particular Splunk component you are devising. For example, there is no use in having slower-IOPS local storage when a SAN setup has higher IOPS (or better random seek or latency values than local storage).

Since a Search Head setup is more CPU- and memory-bound, those factors should be of prime consideration. Here are the reference values and link:

**Dedicated search head**

  • Intel 64-bit chip architecture
  • 16 CPU cores at 2GHz or greater speed per core
  • 2 x 300GB, 10,000 RPM SAS hard disks, configured in RAID 1
  • A 1Gb Ethernet NIC, optional 2nd NIC for a management network
  • A 64-bit Linux or Windows distribution

0 Karma