Deployment Architecture

Recommendations for OS partitions, mount points and RAID configuration for linux servers

amruthamkumar
Observer

Planning to deploy a Splunk architecture with one SH and an indexer cluster with 100GB/day data ingestion. Are there any recommendation documents for OS partitions (paths with sizes), mount points and RAID configuration for Linux servers?

0 Karma

richgalloway
SplunkTrust

Some general recommendations:

  • Keep the OS, $SPLUNK_HOME, and $SPLUNK_DB on separate mount points
  • Don't use NFS
  • Avoid RAID 0
  • Use a supported file system
  • Partition size depends on the instance type and the amount of data to be stored. 300GB is recommended for non-indexers. Indexer storage needs depend on index retention, replication, and use of SmartStore.
---
If this reply helps you, Karma would be appreciated.
0 Karma
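A way to check a host against the mount-point and file-system rules in this reply, as an added example that is not part of the thread. The Splunk paths (`/opt/splunk`, `/opt/splunk/var/lib/splunk`) and the supported-filesystem list in `SUPPORTED_FS` are assumptions; the RAID and sizing points are not covered here.

```shell
#!/bin/sh
# Added example, not from the thread: check a mount table ("mountpoint fstype"
# lines, as printed by `findmnt -rno TARGET,FSTYPE`) against the advice above.
# SUPPORTED_FS is an assumed list; the Splunk docs hold the authoritative one.
SUPPORTED_FS="ext4 xfs"

# mount_of PATH TABLE: print "mountpoint fstype" of the longest mount prefix of PATH
mount_of() {
    path=$1; best=""; best_fs=""
    while read -r mp fs; do
        [ -n "$mp" ] || continue
        case "$path" in "$mp"|"$mp"/*) ;; *) [ "$mp" = / ] || continue ;; esac
        if [ ${#mp} -ge ${#best} ]; then best=$mp; best_fs=$fs; fi
    done <<EOF
$2
EOF
    printf '%s %s\n' "$best" "$best_fs"
}

# fs_finding LABEL FSTYPE: print a finding and return 1 if FSTYPE is NFS or unsupported
fs_finding() {
    case "$2" in nfs*) echo "$1 is on NFS ($2)"; return 1 ;; esac
    case " $SUPPORTED_FS " in *" $2 "*) return 0 ;; esac
    echo "$1 uses unsupported filesystem '$2'"; return 1
}

# check_layout SPLUNK_HOME SPLUNK_DB TABLE: print one finding per line and
# return the number of findings (0 = layout follows the recommendations)
check_layout() {
    home=$1; db=$2; table=$3; n=0
    set -- $(mount_of / "$table");       root_mp=$1
    set -- $(mount_of "$home" "$table"); home_mp=$1; home_fs=$2
    set -- $(mount_of "$db" "$table");   db_mp=$1;   db_fs=$2
    if [ "$home_mp" = "$root_mp" ]; then echo "SPLUNK_HOME shares the OS mount"; n=$((n+1)); fi
    if [ "$db_mp" = "$root_mp" ]; then echo "SPLUNK_DB shares the OS mount"; n=$((n+1)); fi
    if [ "$home_mp" = "$db_mp" ] && [ "$home_mp" != "$root_mp" ]; then
        echo "SPLUNK_HOME and SPLUNK_DB share mount $home_mp"; n=$((n+1))
    fi
    fs_finding SPLUNK_HOME "$home_fs" || n=$((n+1))
    fs_finding SPLUNK_DB "$db_fs" || n=$((n+1))
    return $n
}

# Stand-alone: `sh layout_check.sh --live` audits this host (findmnt is util-linux);
# the default paths are placeholders, set SPLUNK_HOME/SPLUNK_DB to match the install.
if [ "${1:-}" = "--live" ]; then
    check_layout "${SPLUNK_HOME:-/opt/splunk}" "${SPLUNK_DB:-/opt/splunk/var/lib/splunk}" \
        "$(findmnt -rno TARGET,FSTYPE)"
fi
```

The return code doubles as the finding count, so the script drops straight into a config-management or CI check.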

PickleRick
SplunkTrust

Well... One could argue about the "don't use RAID0" (which actually isn't a RAID because there is no redundancy) since with RF>1 you provide redundancy at the whole cluster's level. But that's something we could debate long over a beer if I ever go to .conf 🙂

0 Karma

richgalloway
SplunkTrust

I try to avoid RAID0 because loss of a single disk takes down the entire array. I won't be bitten by that again.

0 Karma

PickleRick
SplunkTrust

Of course. With a single-disk installation, a single disk also takes down the whole machine 😉

But seriously - it's just a matter of risk and cost management. Some users can accept the risk of the whole machine going down knowing that the machine is cheaper (and possibly a bit faster). But I agree, the storage is relatively cheap nowadays.

One important caveat: I'm of course talking about components which are replicated (indexers, search heads). You probably don't want a RAID0-based machine as CM.

0 Karma