Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

UBA Installation LVM Volume management

zksvc
Contributor
‎07-31-2025 09:22 PM

Hi Everyone,

I am in the process of installing Splunk UBA and have a question regarding the storage partitioning requirements.

The official documentation (link below) states that separate physical disks, /dev/sdb and /dev/sdc, are required for specific mount points to ensure performance. Documentation Link: https://docs.splunk.com/Documentation/UBA/5.3.0/Install/InstallSingleServer#Prepare_the_disks

However, my current server is configured with a single physical disk (/dev/sda) that uses LVM to create multiple logical volumes. Here is my current lsblk output:

[zake@ubaserver]# lsblk
NAME                MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda                   8:0    0   2.7T  0 disk 
├─sda1                8:1    0     1G  0 part /boot/efi
├─sda2                8:2    0     1G  0 part /boot
└─sda3                8:3    0   2.7T  0 part 
  ├─rhel-root       253:0    0    80G  0 lvm  /
  ├─rhel-swap       253:1    0    16G  0 lvm  [SWAP]
  ├─rhel-var_vcap2  253:2    0     1T  0 lvm  /var/vcap2
  ├─rhel-var_vcap1  253:3    0     1T  0 lvm  /var/vcap1
  ├─rhel-home       253:4    0 118.8G  0 lvm  /home
  └─rhel-backup     253:5    0   500G  0 lvm  /backup
sr0                  11:0    1  1024M  0 rom

My question is: Can my existing logical volumes, /dev/mapper/rhel-var_vcap1 and /dev/mapper/rhel-var_vcap2, be used as a substitute for the required /dev/sdb and /dev/sdc disks?

I understand the requirement for separate physical disks is likely due to I/O performance. Would using this LVM setup on a single disk be a supported configuration, or is adding two new physical/virtual disks a mandatory step?

Thank you for your guidance.

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PrewinThomas
Builder
‎07-31-2025 11:08 PM

@zksvc 

The recommendation is to use separate physical disks (e.g., /dev/sdb and /dev/sdc) for mount points like /var/vcap1 and /var/vcap2 is primarily driven by I/O performance and data isolation.


For complete production use, I wont recommend due to potential I/O bottlenecks. Also it may not be supported by Splunk Support if performance issues arise.


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-31-2025 11:33 PM

Supported can mean different things here.

Will you be able to install? Most probably.

Will it run? Ditto.

Will it run reasonably fast? Depends highly on the overall storage architecture - it is a completely different story when you have this kind of setup on a single NL-SAS 7k drive than when you have this on a LUN exported from a NVMe-backed array.

Will Splunk support in case of any problem tell you that you have your installation incorrectly set up? Possibly.

Reply
Solved! Jump to solution

zksvc
Contributor
‎07-31-2025 11:50 PM

Hi @PickleRick 

Thank you for providing this detailed perspective.

You've raised several crucial points, particularly the distinction between a functional installation and production-ready performance. Highlighting the impact of the underlying storage architecture and the potential risks regarding official support is especially helpful.

This gives us a much clearer understanding of the factors we need to consider and will be a key part of our discussion with the infrastructure team.

Danke

Zake

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-31-2025 11:29 PM

Hi @zksvc ,

beware: for UBA installation is usually required Splunk PS.

If you do by yourself (I tried last year) and you have an issue (usually very frequent!), The first requirement from Splunk Support is PS installation and you have to restart from scretch calling them!

The installation procedure is very detailed in documentation but not all the details are described, so beware!

In addition, make a very deep check on the operative system version: when we installed UBA last year, it was required Red Hat 7.x, but we had some packets of the installation (not all) updated to Red Hat 8 (even if the declared version of the installation was Red hat 7), so UBA didn't work!

Ciao.

Giuseppe

Reply
Solved! Jump to solution

zksvc
Contributor
‎07-31-2025 11:48 PM

Hi @gcusello 

Thank you for sharing your valuable insights and warnings based on your experience.

The heads-up regarding the potential need for Professional Services and the strict OS package versioning is particularly helpful. We will be sure to discuss these important points internally with our team as we plan our next steps.

We appreciate you taking the time to provide this advice.

Danke.

Zake

0 Karma
Reply
Solved! Jump to solution
Solution

PrewinThomas
Builder
‎07-31-2025 11:08 PM

@zksvc 

The recommendation is to use separate physical disks (e.g., /dev/sdb and /dev/sdc) for mount points like /var/vcap1 and /var/vcap2 is primarily driven by I/O performance and data isolation.


For complete production use, I wont recommend due to potential I/O bottlenecks. Also it may not be supported by Splunk Support if performance issues arise.


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Reply
Solved! Jump to solution

zksvc
Contributor
‎07-31-2025 11:29 PM

Hi @PrewinThomas 
Thank you for your clear and helpful answer. Your explanation confirms our concerns regarding the potential for I/O bottlenecks and the importance of adhering to the documented disk layout.

Based on your advice, we will coordinate with our infrastructure team to provision the required separate disks and restructure our server to align with the best practices for a production environment.

I appreciate your expertise.

Best regards,

Zake

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...