Splunk in virtual environment

cvajs
Contributor

Some architecture Q's around Splunk.

My customer is buying Splunk. They have global presence with a few data-centers. They want centralized syslog with Splunk. We are planning to put an indexer in two data-centers and use a single search head (typical distributed architecture). The indexers will sit atop syslog-ng. Using metrics from another logging system, we currently have approx 432kB/sec worth of syslog data. That said, I need to know more about Splunk in virtual env and storage.

  1. Any issues running all of this in VMware ESX 4.1? Is there a Splunk doc which outlines the virtual guest requirements?
  2. The storage for indexers will either be a customer-purchased NAS or hosted SAN. Any issues to be worried about there (I/O ability on NAS, SAN issues, etc.), and if so, is there a threshold at which those issues start to appear (like slow searching, delayed indexing, etc.)? Does the search head need big storage?

Good news is, my customer is already buying Splunk; I just need to properly spec out what's needed to make it work, etc.

0 Karma

whitewool
Splunk Employee

I have a number of customers running 100% in virtual environments, and if you adhere to the Splunk recommendations regarding sizing for VM (and nuances) you should be fine. Your assessment for storage is correct (minimum 800 IOPS); however, in shared storage environments these need to be meticulously "locked in".

As for search-heads needing "big storage": typically not, unless you will be creating lots of summary indexes.

0 Karma

sdaniels
Splunk Employee

You can deploy Splunk in VMware, but there are some considerations, of course. There is a tech brief here that should help.

http://bit.ly/QlxNiw

Previous answer:

http://splunk-base.splunk.com/answers/298/can-i-run-splunk-in-a-vm-are-there-any-issues-or-tricks-i-...

As for storage, the main consideration for the indexers is IOPS. You really need fast storage, so make sure you baseline this. Our minimum recommendation is 800 IOPS, and this previous answer should be helpful.

http://splunk-base.splunk.com/answers/1486/what-is-the-best-storage-solution-for-optimal-splunk-perf...
