Splunk Capacity documentation speaks about the "minimum" spec. In reality , what I have seen is Search Head is used in great extend if you have lot of TA's/addons and premium products like Enterprise Security. All these search time extractions will be run during every search, thus my view is to have "local" storage as much as possible
Indexer : hot data in Local or extremeIO SAN
Indexer: cold data in NAS
Indexer: /opt/splunk installation in local storage
@ankithreddy777 - Did the answer provided by gokadroid provide a solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
Storage choices always should be decided on the IOPS required for a particular Splunk Component you are devising. For example there will be no use of having a slower IOPS local storage when a SAN setup has a higher IOPS or (Random seeks or better latency values than local storage).
Since Search Head setup is more CPU and memory bound hence those factors should be of prime consideration. Here are the reference values and link:
**Dedicated search head**
Intel 64-bit chip architecture
16 CPU cores at 2Ghz or greater speed per core.
2 x 300GB, 10,000 RPM SAS hard disks, configured in RAID 1
A 1Gb Ethernet NIC, optional 2nd NIC for a management network
A 64-bit Linux or Windows distribution