Hi,
I'm having to deploy Splunk for the very first time, having never worked with it before, and I'm struggling to understand some of the basic architecture.
I have been tasked to set up Splunk ES and UBA for what will be a maximum of 20 users, a handful of forwarders and currently 6 data sources (expanding to 10).
The first question I wanted to ask is related to UBA: if I set up a single master node to begin with, can I expand that later down the line to 3 nodes (to cater for the 10 data sources)? And is there anything I need to be aware of before doing so, to take this into consideration for the future when the remaining data sources come online?
I am now going to ask a daft question: in the topology of a small enterprise deployment, does an indexer equate to a single server with an instance of Splunk Enterprise?
For our setup, how do I determine the number of indexers required? Can someone just explain to me the number of physical servers (VMs) required in this type of scenario? It would be of great help.
Appreciate any help in my understanding of this as I am losing sleep over it.
Your question is reasonable for a newbie. Yes, an indexer is an instance of Splunk installed on a server.
What I find daft is that your taskmaster thought it reasonable to assign this to someone who knows nothing about Splunk. Normally, installing ES is a 3-week Professional Services engagement. UBA is additional. While a DIY installation is possible by someone familiar with Splunk, I would not expect someone new to be successful at it. Given the cost of ES, it really makes sense to bring in an expert to get it right the first time. I'm surprised Splunk did not include PS time in the sale of ES.
I don't know enough about UBA to answer questions about it.
The number of indexers you need is based on the amount of data you will be ingesting. For ES installations, Splunk recommends 80-100 GB/day/indexer. That accounts for indexing incoming data as well as performing searches on that data.