Planning to deploy a Splunk architecture with one SH and an indexer cluster with 100GB/day data ingestion. Are there any recommendation documents for OS partitions (paths with sizes), mount points and RAID configuration for Linux servers?
Some general recommendations:
Well... One could argue about the "don't use RAID0" (which actually isn't a RAID because there is no redundancy), since with RF>1 you provide redundancy at the whole cluster's level. But that's something we could debate at length over a beer if I ever go to .conf 🙂
I try to avoid RAID0 because loss of a single disk takes down the entire array. I won't be bitten by that again.
Of course. With a single-disk installation, a single disk failure also takes down the whole machine 😉
But seriously - it's just a matter of risk and cost management. Some users can accept the risk of the whole machine going down knowing that the machine is cheaper (and possibly a bit faster). But I agree, the storage is relatively cheap nowadays.
One important caveat: I'm of course talking about components which are replicated (indexers, search heads). You probably don't want a RAID0-based machine as CM.
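The trade-off discussed in this thread (RAID0 on replicated indexers versus per-node disk redundancy, with RF providing cluster-level copies) can be put into numbers. The following is an added example, not code from the thread or from Splunk; the failure figures, disk counts, node counts and the simplified loss model are all assumptions.

```python
from math import comb

# Constructed figure (assumption): probability that a given disk fails within the
# window needed to replace a failed indexer and re-replicate its buckets.
P_DISK = 0.02


def node_failure_probability(disks: int, raid: str, p_disk: float = P_DISK) -> float:
    """Probability that one indexer loses its local storage within the window.

    raid0 : any single disk failure destroys the whole array (no redundancy).
    raid10: the array survives unless both disks of one mirrored pair fail.
    """
    if raid == "raid0":
        return 1 - (1 - p_disk) ** disks
    if raid == "raid10":
        pairs = disks // 2
        pair_loss = p_disk ** 2          # both members of a pair fail
        return 1 - (1 - pair_loss) ** pairs
    raise ValueError(f"unknown RAID level: {raid}")


def cluster_data_loss_probability(nodes: int, rf: int, p_node: float) -> float:
    """Probability that at least `rf` of `nodes` indexers fail in the same window.

    Simplified model (assumption): with replication factor RF, a bucket is lost
    only if every indexer holding a copy is lost before re-replication. Treating
    any RF concurrent node losses as data loss is a pessimistic upper bound.
    """
    return sum(
        comb(nodes, f) * p_node ** f * (1 - p_node) ** (nodes - f)
        for f in range(rf, nodes + 1)
    )


def usable_tb_per_node(disks: int, disk_tb: float, raid: str) -> float:
    """Capacity left for hot/warm/cold buckets: RAID10 mirrors, so half is lost."""
    return disks * disk_tb if raid == "raid0" else disks * disk_tb / 2


if __name__ == "__main__":
    # Constructed cluster: 6 indexers, 4 x 4 TB disks each (assumptions).
    for raid in ("raid0", "raid10"):
        p_node = node_failure_probability(4, raid)
        for rf in (1, 2, 3):
            loss = cluster_data_loss_probability(6, rf, p_node)
            print(f"{raid:6} RF={rf} usable/node={usable_tb_per_node(4, 4.0, raid):5.1f} TB "
                  f"node-loss={p_node:.4f} cluster-data-loss={loss:.2e}")
```

The output shows the point made above: RF=2 or 3 on RAID0 already drives the cluster-wide loss probability well below a single RAID10 node, at twice the usable capacity per node, while a non-replicated role (the CM in the thread) gets no such protection.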