Should we use a single search head with a high number of cores or a search head cluster?

goodsellt
Contributor

Hello,

We're looking at expanding our Splunk capabilities, and I'd like some additional input on the question of doing a high core single search head vs a search head cluster.

Our environment experiences a lower number of concurrent users (between 5 and 15); however, we can hit a very large number of concurrent searches (> 30). We were either going to go with a Search Head Cluster or a very large VM. Disregarding the HA factor (since we'd be able to handle this issue regardless of a SH cluster or single instance, though I know the cluster is the Splunk SH "HA").

Would a SH Cluster of 3 devices with 16 cores and 16 GB of RAM apiece have any significant advantages over a 48 core, 48 GB RAM device in terms of performance? Our current view of the SH Cluster vs Single Search Head is that management of Apps and Settings is much more easily done on a single device (as the SH deployer in 6.3 we're currently using seems to be quirky about items such as scripted inputs), so essentially I'm trying to gather information on whether any performance benefits may outweigh the current management concerns.

twinspop
Influencer

A standalone server with enough resources to meet your concurrent search needs will be faster than a cluster in all cases without exception.

Exception: 🙂 VMs have many, many variables that can degrade performance. In my experience VM SHs are terribly slow in comparison to physical servers. YMMV. (ESXi running on recent Xeons and fairly substantial SAN infrastructure. I believe IO was the bottleneck.)

SHC also adds a lot of complexity and incompatibilities to your environment. If you feel that moving to an SHC someday is inevitable, maybe now's a good time. If not, avoid that extra complexity.

My 2 cents.

somesoni2
SplunkTrust

The benefits of SHC are providing Scaling (which, with a low number of users, seems insignificant here) and High Availability (which you said you already got handled). The drawbacks of SHC are reduced quota (workaround available) and more load on each SH due to additional processing (replication within cluster, cluster heartbeats, etc.). Considering your requirements, my bet will be on a larger single VM.
