Deployment Architecture

Should we use a single search head with a high number of cores or a search head cluster?

goodsellt
Contributor

Hello,

We're looking at expanding our Splunk capabilities, and I'd like some additional input on the question of doing a high core single search head vs a search head cluster.

Our environment experiences a lower number of concurrent users (between 5 and 15), however, we can hit a very large number of concurrent searches (> 30). We were either going to go with a Search Head Cluster or a very large VM. Disregarding the HA factor (since we'd be able to handle this issue regardless of a SH cluster or single instance, though I know the cluster is the Splunk SH "HA").

Would a SH Cluster of 3 devices with 16 cores at 16 GB of RAM apiece have any significant advantages over a 48 core, 48 GB RAM device in terms of performance? Our current view of the SH Cluster vs Single Search Head is that management of Apps and Settings is much easier done on a single device (as the SH deployer in 6.3 we're currently using seems to be quirky about items such as scripted inputs), so essentially I'm trying to gather information on whether any performance benefits may outweigh the current management concerns.


twinspop
Influencer

A standalone server with enough resources to meet your concurrent search needs will be faster than a cluster in all cases without exception.

Exception: 🙂 VMs have many, many variables that can degrade performance. In my experience VM SHs are terribly slow in comparison to physical servers. YMMV. (ESXi running on recent Xeons and fairly substantial SAN infrastructure. I believe IO was the bottleneck.)

SHC also adds a lot of complexity and incompatibilities to your environment. If you feel that moving to an SHC someday is inevitable, maybe now's a good time. If not, avoid that extra complexity.

My 2 cents.


somesoni2
Revered Legend

The benefits of SHC are providing Scaling (with a low number of users seems insignificant here) and High Availability (which you said you already got handled). The drawbacks of SHC are reduced quota (workaround available) and more load on each SH due to additional processing (replication within cluster, cluster heartbeats, etc.). Considering your requirements, my bet will be on a larger single VM.
