Resource estimation

mahsa_nvd
Loves-to-Learn Lots

Hi everyone,

We're planning a new Splunk deployment and considering three different scenarios (Plan A and B) based on daily ingestion and data retention needs. I would appreciate it if you could review the sizing and let me know if anything looks misaligned or could be optimized based on Splunk best practices.
🔹 Overview of each plan:
Plan A:
Daily ingest: 2.0TB
Retention: same
10 Indexers
3 Search Heads
2 ES Search Heads
CM, MC, SH Deployer, DS, LM, 4–5 HFs, and several UBA/ML nodes
Plan B:
Daily ingest: 2.6TB
Retention: same
13 Indexers
3 Search Heads
3 ES Search Heads
CM, MC, SH Deployer, DS, LM, 4–5 HFs, and several UBA/ML nodes

As I said, each plan includes CM, MC, SH Deployer, DS, LM, 4–5 HFs, and several UBA/ML nodes.

🔹 Example specs per Indexer (Plan C):
Memory: 128GB
vCPU: 96 cores
Disk: 500GB OS SSD + 6TB hot SSD + 30TB cold HDD + 11TB frozen (NAS)
----------------------------------------
🔍 What I'm looking for:
Are these hardware specs reasonable per Splunk sizing guidelines?
Is the number of indexers/search heads appropriate for the daily ingest and retention?
Any red flags or over/under-sizing you would call out?

Thanks in advance for your insights!


PickleRick
SplunkTrust

Well, it all depends on your utilization really. The rule of thumb is that a single indexer can handle up to 300GB/day if not running premium apps (ES or ITSI) or 100GB/day if running ES or ITSI. Actually, a single indexer can index way, way more daily if it doesn't do any searching. Since you're using ES there's probably gonna be a lot of searching (if not for any other reason, just for keeping datamodel summaries up to date). So one indexer per 200GB might or might not be too small, depending on your actual load.

You're pushing quite a lot of hardware for the indexers, whereas normally you'd rather want to have more indexers than bigger ones. More CPUs mean you could add ingestion pipelines, but - especially if reaching for cold data - you might starve your indexers of I/O performance, since you will have the potential for many concurrent searches competing for I/O resources.

It's also not clear to me how this NAS frozen space is supposed to work. Is it a shared space, or do you want to have a dedicated share for each indexer? Remember that each indexer freezes buckets independently, so unless you script it to keep the storage "tidy" you'll end up with multiple copies of the same frozen bucket.

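The rule of thumb in the answer above (300GB/day per indexer without premium apps, 100GB/day with ES/ITSI) and the frozen-copy point can be turned into a quick sizing check. This is an added example, not code from the thread or from Splunk; the replication factor is an assumption, since the question does not state it, and the ingest and indexer counts are taken from Plans A and B.

```python
import math
from dataclasses import dataclass

GB_PER_TB = 1000  # decimal TB, as Splunk sizing figures are usually quoted


@dataclass
class Plan:
    name: str
    daily_ingest_tb: float
    indexers: int
    premium_apps: bool            # ES or ITSI searching these indexers
    replication_factor: int = 2   # assumed; not stated in the question


def max_daily_gb_per_indexer(premium_apps: bool) -> int:
    """Rule of thumb quoted in the answer: 300 GB/day per indexer
    without premium apps, 100 GB/day when ES/ITSI drive search load."""
    return 100 if premium_apps else 300


def gb_per_indexer(plan: Plan) -> float:
    """Daily volume each indexer actually receives at the proposed count."""
    return plan.daily_ingest_tb * GB_PER_TB / plan.indexers


def required_indexers(plan: Plan) -> int:
    """Indexer count the rule of thumb calls for at this ingest rate."""
    daily_gb = plan.daily_ingest_tb * GB_PER_TB
    return math.ceil(daily_gb / max_daily_gb_per_indexer(plan.premium_apps))


def frozen_copies_per_bucket(plan: Plan) -> int:
    """Each indexer freezes its own copy of a replicated bucket, so without
    a tidying script a shared frozen NAS holds RF copies of every bucket."""
    return plan.replication_factor


def assess(plan: Plan) -> dict:
    need = required_indexers(plan)
    return {
        "plan": plan.name,
        "gb_per_indexer": round(gb_per_indexer(plan), 1),
        "required_indexers": need,
        "undersized": plan.indexers < need,
        "frozen_copies_per_bucket": frozen_copies_per_bucket(plan),
    }


# Figures from the question; RF is a constructed assumption.
PLAN_A = Plan("A", 2.0, 10, premium_apps=True)
PLAN_B = Plan("B", 2.6, 13, premium_apps=True)

if __name__ == "__main__":
    for p in (PLAN_A, PLAN_B):
        print(assess(p))
```

Both plans land at 200GB/day per indexer, double the ES rule of thumb, which is exactly the "might or might not be too small" case the answer describes.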