With the newer index replication feature (introduced in Splunk 5, which is noticeably more polished in Splunk 6), has anyone attempted to move away from the more traditional RAID 1+0 approach and instead move to RAID 0 and rely on the index replication feature for redundancy?
I've been attempting to think through various pros/cons but would like to get the insights of the community, especially anyone who is actually using this technique.
I am not doing it, but it is an interesting idea. You would certainly still want certain things (OS, /opt/splunk, etc.) to remain on RAID-protected storage. But if your RAID 0 is dedicated to buckets and buckets alone, it seems workable.
I think before I went down this road I would carefully look at what winds up in /opt/splunk/var/lib/splunk and make sure I (and Splunk) were willing to part with it. I assume summary indexing would be fine with this, but how does this affect (say) search acceleration data? Is this replicated as well, or what?
I agree about mirroring the OS and core Splunk install. A single pair of RAID 1 disks should do. I wasn't primarily concerned about the summary or data model acceleration stuff, but that's a good point. I think Splunk will just recreate it, but I can't say I fully understand how that works in the normal data replication case. Clustered or not, all the speed-up stuff is certainly making disk usage planning more interesting: http://answers.splunk.com/answers/115315/how-can-an-indexer-best-utilize-a-combination-of-ssdhdd-sto...