- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Recommendations and advice for deployment
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Recommendations and advice for deployment
I've been testing Splunk locally. Now Im planning to bring it to test in a larger environment. i'm posting this for some advice and recommendations.
I'm using Splunk to collect logs (5 kinds) from various places and machines. We already have a system in place that collects all this logs in the same place (server).
1) Where should i deploy Splunk?
Splunk is used to monitor and generate hourly logs. We expect only a small team of users that monitor and brush up on the various possible reports possible while the other users will generally rely on the reports generated.
I'm not sure if Splunk shud be deloyed with the server or a forwarder be necessary to forward to a local PC for the 'team' to access.
2) Will a single Indexer be enough?
We are looking at daily logs of up to 1gig from a single location (from a total up to 10 locations). Since we have an earlier setup that forwards this data to a server. Is a forwarder necessary at this stage?
This data amounts to up to: 50 gig of data weekly. which leads to..
3) If a single PC is used for searches etc.
Will it result in a severe slowdown in terms of memory utilization by the search head?
Thanks for taking your time to help me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are my personal suggestions, but there are many ways to accomplish this with Splunk:
"We already have a system in place that collects all this logs in the same place (server)."
Because you already have the logs collected in one place, your job could be relatively simple. Ten GB of data per day is pretty minimal for Splunk, so you only need one Splunk indexer. This indexer will also be your search head - there is no need for a separate system for the search head.
IF you have good disk i/o speed and the log server is not very busy, you might simply install your Splunk indexer on the log server. However, Splunk will want some significant resources to run well - most notably, the Splunk indexer should be located on hardware that can perform 800 I/Os per second (IOPS). If the log server is already pretty busy, put the Spunk indexer somewhere else, and put a Splunk forwarder on the log server.
I would worry about disk I/O speed first, and worry about memory second. Splunk indexers are usually I.O bound, if they are having a performance problem/
Take a careful look at the first 20 pages or so of the Installation Manual. There is is lot of good information there about sizing Splunk and the various topology options.
If you are "scaling up," you don't want to run Splunk on a PC. Run it on commodity hardware, but at least give it the minimum recommended in the manual.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
