
Splunk in virtual environment

cvajs
Contributor

Some architecture Q's around Splunk.

My customer is buying Splunk. They have a global presence with a few data centers. They want centralized syslog with Splunk. We are planning to put an indexer in two data centers and use a single search head (typical distributed architecture). The indexers will sit atop syslog-ng. Using metrics from another logging system we currently have approx. 432 kB/sec worth of syslog data. That said, I need to know more about Splunk in a virtual environment and storage.

  1. Any issues running all of this in VMware ESX 4.1? Is there a Splunk doc which outlines the virtual guest requirements?
  2. The storage for indexers will either be a customer purchased NAS or hosted SAN. Any issues to be worried about there (i/o ability on NAS, SAN issues, etc), and if so is there a threshold to when those issues start to appear (like slow searching, delayed indexing, etc etc). Does the search head need big storage?

Good news is, my customer is already buying Splunk; I just need to properly spec out what's needed to make it work, etc.


whitewool
Splunk Employee

I have a number of customers running 100% in virtual environments, and if you adhere to the Splunk recommendations regarding sizing for VMs (and nuances) you should be fine. Your assessment for storage is correct (minimum 800 IOPS); however, in shared storage environments these need to be meticulously "locked in".

As for search heads needing "big storage": typically not, unless you will be creating lots of summary indexes.


sdaniels
Splunk Employee

You can deploy Splunk in VMware, but there are some considerations, of course. There is a tech brief here that should help.

http://bit.ly/QlxNiw

Previous answer:

http://splunk-base.splunk.com/answers/298/can-i-run-splunk-in-a-vm-are-there-any-issues-or-tricks-i-...

As for storage, the main consideration for the indexers is IOPS. You really need fast storage, so make sure you baseline this. Our minimum recommendation is 800 IOPS, and this previous answer should be helpful.

http://splunk-base.splunk.com/answers/1486/what-is-the-best-storage-solution-for-optimal-splunk-perf...
