Re: Recommendations for OS partitions, mount point...

amruthamkumar

planning to deploy a splunk architecture with one SH and indexer cluster with 100GB/day data ingestion. Are there any recommendation documentations for OS partitions (paths with size), mount points and RAID configuration for linux servers.

richgalloway

Some general recommendations:

Keep the OS, $SPLUNK_HOME, and $SPLUNK_DB on separate mount points
Don't use NFS
Avoid RAID 0
Use a supported file system
Partition size depends on the instance type and the amount of data to be stored. 300GB is recommended for non-indexers. Indexer storage needs depend on index retention, replication, and use of SmartStore.

---
If this reply helps you, Karma would be appreciated.

PickleRick

Well... One could argue about the "don't use RAID0" (which actually isn't a RAID because there is no redundancy) since with RF>1 you provide redundancy at the whole cluster's level. But that's something we could debate long over a beer if I ever go to .conf 🙂

richgalloway

I try to avoid RAID0 because loss of a single disk takes down the entire array. I won't be bitten by that again.

---
If this reply helps you, Karma would be appreciated.

PickleRick

Of course. With a single disk installation a single disk also takes down whole machine 😉

But seriously - it's just a matter of risk and cost management. Some users can accept the risk of the whole machine going down knowing that the machine is cheaper (and possibly a bit faster). But I agree, the storage is relatively cheap nowadays.

One important caveat: I'm of course talking about components which are replicated (indexers, search heads). You probably don't want a RAID0-based machine as CM.

Recommendations for OS partitions, mount points and RAID configuration for linux servers

capacity planning

indexer clustering

Linux

Monitoring Postgres with OpenTelemetry

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor