Resource utilization of Splunk Indexer with possible number of Splunk Apps installed

charlescywong
New Member

Hi all! I am Charles from Hong Kong and new to Splunk. Hello everyone!

My boss asked me to fully utilize our newly installed Splunk Indexer and Heavy Forwarder by installing as many Splunk Apps as it can. However, the indexer has only been assigned an 8-core CPU and 500GB of storage, whereas my Splunk vendor suggested that I assign a 24-core CPU to it (impossible!!). I am worried that installing too many apps on the indexer will degrade the performance of Splunk, or even crash the system.

Do any of you have experience in estimating the largest possible number of Splunk apps that can be installed, and can you share it with me please? Thanks!

P.S. Our indexer is currently receiving around 10 GB of data per day.

0 Karma

Raghav2384
Motivator

Hey There,

I am surprised that Splunk recommended you 24 cores for indexers. The proven recommendation is to have multiple small chunks as indexers and, of course, fast disks and high I/O.

Search heads: these guys need more horsepower: 24 cores, and whatever max RAM you could get is better.
Indexers: fast disks, high I/O (for example, if you plan to index 500GB / day, I would start with a min of 4 indexers with magic 12s (12 core, 12 RAM and a min 1200 IOPS)).

As far as the app/add-on load, if the app comes with a ton of custom extractions (check props, transforms etc.) it is going to add extra load for sure. It also depends on the type of data you are consuming. I have seen some radius type logs with 170 kv pairs in each event. Several factors could add load, and experts from this forum can explain it to you better.

Hope this helps!
Thanks,
Raghav

0 Karma
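
An added example, not part of the original thread or of any Splunk tooling: one way to act on the "check props, transforms" advice above is to count, per app, the `props.conf` settings that run at parse time on the indexer or heavy forwarder (`TRANSFORMS-`, `SEDCMD-`) versus those that run at search time (`EXTRACT-`, `REPORT-`, `FIELDALIAS-`, `EVAL-`, `LOOKUP-`). It assumes the standard `$SPLUNK_HOME/etc/apps/<app>/{default,local}/props.conf` layout; the function names and the sample stanza are constructed for illustration.

```python
from collections import Counter
from pathlib import Path

# props.conf setting prefixes, grouped by when Splunk applies them.
INDEX_TIME = ("TRANSFORMS-", "SEDCMD-")    # cost paid while parsing incoming data
SEARCH_TIME = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")

def count_props(text):
    """Count index-time and search-time settings in one props.conf body."""
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue                        # skip blanks, comments, stanza headers
        key = line.split("=", 1)[0].strip()
        if key.startswith(INDEX_TIME):
            counts["index_time"] += 1
        elif key.startswith(SEARCH_TIME):
            counts["search_time"] += 1
    return counts

def audit_apps(apps_dir):
    """Return {app_name: Counter} for every app directory under apps_dir."""
    report = {}
    for app in sorted(Path(apps_dir).iterdir()):
        if not app.is_dir():
            continue
        total = Counter()
        for layer in ("default", "local"):  # both layers can carry settings
            props = app / layer / "props.conf"
            if props.is_file():
                total += count_props(props.read_text(errors="replace"))
        report[app.name] = total
    return report

# Constructed sample stanza, not taken from any real add-on.
SAMPLE_PROPS = """\
[radius:auth]
TRANSFORMS-route = radius_set_index
SEDCMD-mask = s/password=\\S+/password=****/g
EXTRACT-user = user=(?<user>\\S+)
REPORT-kv = radius_kv_pairs
EVAL-action = if(result=="ok", "success", "failure")
# LOOKUP-disabled = nas_lookup nas_ip OUTPUT site
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # e.g. $SPLUNK_HOME/etc/apps
        for name, c in audit_apps(sys.argv[1]).items():
            print(f"{name}: index-time={c['index_time']} search-time={c['search_time']}")
    else:
        print(dict(count_props(SAMPLE_PROPS)))
```

Apps with high index-time counts are the ones that add parsing load to an indexer or heavy forwarder; high search-time counts show up as slower searches instead.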

charlescywong
New Member

Thanks Raghav! Because our company has limited resources, the search head and the indexer are installed on the same VM... (yes... VM). The HF is then installed on another VM.

Let me ask my boss to consider the resources before installing any apps. Actually I already feel that my Splunk is getting slow...

0 Karma