Deployment Architecture

Splunk cluster

498773
Explorer

Please suggest the best practise for splunk deployment

Considerations:

  • Index data of size 2GB daily
  • Data comes from 20 different hosts
  • Report generation on data

Proposed Solution:

  • Search Factor=2, Replication Factor=2

  • 20 forwarders to pull data from hosts

  • One master node, Two Peer Nodes(for Indexing) , One Search head

  • Data on each node would be 1GB (considering RF and SF)

My question is does this set up looks good or can i avoid search head as there are only two indexers, please suggest some best practices . Do i really need to go for cluster set up if not what can be done ?????

looking forward for your ideas, Thanks in advance

Tags (1)
1 Solution

kristian_kolb
Ultra Champion

No, you don't need to have a cluster. It's a design decision which will give you added fault tolerance. Given the rather small amount of data you're indexing, a single server will most likely satisfy your capacity needs (depending on the amount of searches you will actually be making - scheduled or manual).

NB: with a cluster like you specified, the storage on each node will be 2GB daily, not 1GB, since you duplicate all your data (SF=2, RF=2). Thus it's 4GB spread over 2 indexers.

/K

View solution in original post

kristian_kolb
Ultra Champion

No, you don't need to have a cluster. It's a design decision which will give you added fault tolerance. Given the rather small amount of data you're indexing, a single server will most likely satisfy your capacity needs (depending on the amount of searches you will actually be making - scheduled or manual).

NB: with a cluster like you specified, the storage on each node will be 2GB daily, not 1GB, since you duplicate all your data (SF=2, RF=2). Thus it's 4GB spread over 2 indexers.

/K

498773
Explorer

Thanks kristian

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...