Deployment Architecture

Resources utilization of Splunk Indexer with possible numbers of Splunk Apps installed

charlescywong
New Member

Hi all! I am Charles from Hong Kong and new to Splunk. Hello everyone!

My boss asked me to fully utilize our newly installed Splunk Indexer and Heavy Forwarder by installing as much Splunk Apps as it can. However, the indexer has only been assigned 8 core CPU and 500GB of storage, where my Splunk vendor suggested me to assign 24 core CPU to it (impossible!!) I am worrying that if I installed too much apps on the indexer will result in degrading the performance of Splunk, or even crash the system.

Any of you have such experiences on how to estimate the largest possible numbers of Splunk apps that can be installed and can share with me please? Thanks!

P.S. Our indexer currently receiving around 10 GB of data per day.

0 Karma

Raghav2384
Motivator

Hey There,

I am surprised how Splunk recommended you 24 cores for Indexers. The proven recommendation is to have multiple small chunks as indexers and off course fast disks and high I/O.

search heads : these guys need more horse power : 24 cores, whatever max RAM you could get is better.
indexers : fast disks , high I/O (example, if you plan to index 500GB / day, i would start with a min of 4 indexers with magic 12s (12 core, 12 RAM and a min 1200 IOPS)

As far as the app/add-on load, if the app comes with a ton of custom extractions (check props, transforms etc) it is going to add extra load for sure. Also depends on the type of data you are consuming. i have seen some radius type logs with 170 kv pairs in each event. Several factors that could add load and experts from this forum can explain you better.

Hope this helps!
thanks,
Raghav

0 Karma

charlescywong
New Member

Thanks Raghav! Because our company have limited resources, the search head and the indexer are installed on the same VM....(yes...VM). HF is then installed on another VM.

Let me ask my boss to consider the resources before installing any apps. Actually I already feel that my Splunk is getting slow............

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...