Deployment Architecture

Resource estimation

mahsa_nvd
Loves-to-Learn Lots

Hi everyone,

We're planning a new Splunk deployment and considering three different scenarios (Plan A and B) based on daily ingestion and data retention needs. I would appreciate it if you could review the sizing and let me know if anything looks misaligned or could be optimized based on Splunk best practices.
🔹 Overview of each plan:
Plan A:
Daily ingest: 2.0TB
Retention: same
10 Indexers
3 Search Heads
2 ES Search Heads
CM, MC, SH Deployer, DS, LM, 4–5 HFs, and several UBA/ML nodes
Plan B:
Daily ingest: 2.6TB
Retention: same
13 Indexers
3 Search Heads
3 ES Search Heads
CM, MC, SH Deployer, DS, LM, 4–5 HFs, and several UBA/ML nodes

As I mentioned, each plan includes CM, MC, SH Deployer, DS, LM, 4–5 HFs, and several UBA/ML nodes.

🔹 Example specs per Indexer (Plan C):
Memory: 128GB
vCPU: 96 cores
Disk: 500GB OS SSD + 6TB hot SSD + 30TB cold HDD + 11TB frozen (NAS)
----------------------------------------
🔍 What I'm looking for:
Are these hardware specs reasonable per Splunk sizing guidelines?
Is the number of indexers/search heads appropriate for the daily ingest and retention?
Any red flags or over/under-sizing you would call out?

Thanks in advance for your insights!


PickleRick
SplunkTrust

Well, it all depends on your utilization really. The rule of thumb is that a single indexer can handle up to 300GB/day if not running premium apps (ES or ITSI) or 100 GB/day if running ES or ITSI. Actually a single indexer can index way, way more daily if it doesn't do any searching. Since you're using ES there's probably gonna be a lot of searching (if not for any other reason, just for keeping datamodel summaries up to date). So one indexer per 200GB might or might not be too small, depending on your actual load.

You're pushing quite a lot of hardware for the indexers whereas normally you'd rather want to have more indexers than bigger ones. More CPUs mean you could add ingestion pipelines but - especially if reaching for cold data - you might starve your indexers of I/O performance, since you will have the potential for many concurrent searches competing for I/O resources.

It's also not clear to me how this NAS frozen space is supposed to work. Is it a shared space or do you want to have a dedicated share for each indexer? Remember that each indexer freezes buckets independently, so unless you script it to keep the storage "tidy" you'll end up with multiple copies of the same frozen bucket.

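The last point in the answer above (every peer in the cluster freezes its own copy of a bucket, so a shared frozen NAS fills up with duplicates unless a script keeps it tidy) is easiest to see in code. The following is an added example, not code from the original post, from the answer's author, or from Splunk's shipped coldToFrozenExample.py: a hypothetical coldToFrozenScript that archives a clustered bucket to a shared NAS only once. It relies on the clustered bucket directory naming db_<newest>_<oldest>_<localid>_<guid> for the originating copy and rb_<same fields> for replicas, so every copy of one bucket maps to the same archive key. The NAS mount path, the index/colddb/bucket layout it walks up from, and the `.complete` marker file are assumptions for the example.

```python
#!/usr/bin/env python3
"""Hypothetical coldToFrozenScript: archive each clustered bucket to a shared
NAS once, no matter how many peers freeze a copy of it (example code)."""
import os
import re
import shutil
import sys

# Assumed NAS mount; override with FROZEN_ARCHIVE_ROOT in the environment.
ARCHIVE_ROOT = os.environ.get("FROZEN_ARCHIVE_ROOT", "/mnt/frozen_nas")

# db_ = originating copy, rb_ = replicated copy; the guid is present only in
# clustered deployments. Hot buckets (hot_v1_<id>) never freeze, so they don't match.
BUCKET_RE = re.compile(
    r"^(?P<kind>db|rb)_(?P<newest>\d+)_(?P<oldest>\d+)_(?P<localid>\d+)"
    r"(?:_(?P<guid>[0-9A-Fa-f-]+))?$"
)


def bucket_identity(bucket_dir):
    """Key that is identical for every copy of one bucket (prefix dropped),
    or None if the directory name is not a warm/cold bucket."""
    m = BUCKET_RE.match(os.path.basename(bucket_dir.rstrip("/")))
    if not m:
        return None
    parts = [m["newest"], m["oldest"], m["localid"]]
    if m["guid"]:
        parts.append(m["guid"])
    return "_".join(parts)


def index_name(bucket_dir):
    """Assumes the layout <index>/colddb/<bucket>; returns <index>."""
    return os.path.basename(os.path.dirname(os.path.dirname(os.path.abspath(bucket_dir))))


def archive_bucket(bucket_dir, archive_root):
    """Copy the bucket to <archive_root>/<index>/<identity> unless a finished
    copy is already there. Returns "copied" or "skipped"."""
    key = bucket_identity(bucket_dir)
    if key is None:
        raise ValueError("not a warm/cold bucket directory: %s" % bucket_dir)
    dest = os.path.join(archive_root, index_name(bucket_dir), key)
    marker = os.path.join(dest, ".complete")  # written only after a full copy
    if os.path.exists(marker):
        return "skipped"  # another peer already archived this bucket
    # A dest without a marker is a crashed earlier attempt: start over.
    if os.path.isdir(dest):
        shutil.rmtree(dest)
    tmp = dest + ".partial"
    if os.path.isdir(tmp):
        shutil.rmtree(tmp)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copytree(bucket_dir, tmp)
    try:
        os.rename(tmp, dest)  # atomic on a single filesystem
    except OSError:
        # Lost a race with another peer that renamed first; keep its copy.
        shutil.rmtree(tmp, ignore_errors=True)
        if os.path.exists(marker):
            return "skipped"
        raise
    open(marker, "w").close()
    return "copied"


if __name__ == "__main__":
    # Splunk passes the bucket path as the only argument and deletes the local
    # bucket only when the script exits 0; a non-zero exit makes it retry.
    try:
        print(archive_bucket(sys.argv[1], ARCHIVE_ROOT))
    except Exception as exc:
        print("archive failed: %s" % exc, file=sys.stderr)
        sys.exit(1)
    sys.exit(0)
```

Wire it in with `coldToFrozenScript = /path/to/python3 /path/to/this_script.py` in the stanza of each index in indexes.conf on every peer. Splunk's own coldToFrozenExample.py keeps only the rawdata directory to save space; this example copies the whole bucket and stays idempotent across peers, which is the point the answer raises.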