
Is anyone using RAID 0 with index replication for redundancy?

Super Champion

With the newer index replication feature (introduced in Splunk 5, which is noticeably more polished in Splunk 6), has anyone attempted to move away from the more traditional RAID 1+0 approach and instead move to RAID 0 and rely on the index replication feature for redundancy?

I've been attempting to think through various pros/cons but would like to get the insights of the community, especially anyone who is actually using this technique.

Re: Is anyone using RAID 0 with index replication for redundancy?

SplunkTrust

I am not doing it, but it is an interesting idea. You would certainly still want certain things (OS, /opt/splunk, etc.) to remain on RAID-protected storage. But if your RAID 0 is dedicated to buckets and buckets alone, it seems workable.

I think before I went down this road I would carefully look at what winds up in /opt/splunk/var/lib/splunk and make sure I (and Splunk) were willing to part with it. I assume summary indexing would be fine with this, but how does it affect (say) search acceleration data? Is this replicated as well, or what?

Re: Is anyone using RAID 0 with index replication for redundancy?

Super Champion

I agree about mirroring the OS and core Splunk install. A single pair of RAID 1 disks should do. I wasn't primarily concerned about the summary or data model acceleration stuff, but that's a good point. I think Splunk will just recreate it, but I can't say I fully understand how that works in the normal data replication case; clustered or not, all the speed-up stuff is certainly making disk usage planning more interesting: http://answers.splunk.com/answers/115315/how-can-an-indexer-best-utilize-a-combination-of-ssdhdd-sto...

0 Karma