Hi Everyone,
I am in the process of installing Splunk UBA and have a question regarding the storage partitioning requirements.
The official documentation (link below) states that separate physical disks, /dev/sdb and /dev/sdc, are required for specific mount points to ensure performance. Documentation Link: https://docs.splunk.com/Documentation/UBA/5.3.0/Install/InstallSingleServer#Prepare_the_disks
However, my current server is configured with a single physical disk (/dev/sda) that uses LVM to create multiple logical volumes. Here is my current lsblk output:
[zake@ubaserver]# lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 2.7T 0 disk ├─sda1 8:1 0 1G 0 part /boot/efi ├─sda2 8:2 0 1G 0 part /boot └─sda3 8:3 0 2.7T 0 part ├─rhel-root 253:0 0 80G 0 lvm / ├─rhel-swap 253:1 0 16G 0 lvm [SWAP] ├─rhel-var_vcap2 253:2 0 1T 0 lvm /var/vcap2 ├─rhel-var_vcap1 253:3 0 1T 0 lvm /var/vcap1 ├─rhel-home 253:4 0 118.8G 0 lvm /home └─rhel-backup 253:5 0 500G 0 lvm /backup sr0 11:0 1 1024M 0 rom
My question is: Can my existing logical volumes, /dev/mapper/rhel-var_vcap1 and /dev/mapper/rhel-var_vcap2, be used as a substitute for the required /dev/sdb and /dev/sdc disks?
I understand the requirement for separate physical disks is likely due to I/O performance. Would using this LVM setup on a single disk be a supported configuration, or is adding two new physical/virtual disks a mandatory step?
Thank you for your guidance.
The recommendation is to use separate physical disks (e.g., /dev/sdb and /dev/sdc) for mount points like /var/vcap1 and /var/vcap2 is primarily driven by I/O performance and data isolation.
For complete production use, I wont recommend due to potential I/O bottlenecks. Also it may not be supported by Splunk Support if performance issues arise.
Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
 
		
		
		
		
		
	
			
		
		
			
					
		Supported can mean different things here.
Will you be able to install? Most probably.
Will it run? Ditto.
Will it run reasonably fast? Depends highly on the overall storage architecture - it is a completely different story when you have this kind of setup on a single NL-SAS 7k drive than when you have this on a LUN exported from a NVMe-backed array.
Will Splunk support in case of any problem tell you that you have your installation incorrectly set up? Possibly.
Hi @PickleRick
Thank you for providing this detailed perspective.
You've raised several crucial points, particularly the distinction between a functional installation and production-ready performance. Highlighting the impact of the underlying storage architecture and the potential risks regarding official support is especially helpful.
This gives us a much clearer understanding of the factors we need to consider and will be a key part of our discussion with the infrastructure team.
Danke
Zake
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		Hi @zksvc ,
beware: for UBA installation is usually required Splunk PS.
If you do by yourself (I tried last year) and you have an issue (usually very frequent!), The first requirement from Splunk Support is PS installation and you have to restart from scretch calling them!
The installation procedure is very detailed in documentation but not all the details are described, so beware!
In addition, make a very deep check on the operative system version: when we installed UBA last year, it was required Red Hat 7.x, but we had some packets of the installation (not all) updated to Red Hat 8 (even if the declared version of the installation was Red hat 7), so UBA didn't work!
Ciao.
Giuseppe
Hi @gcusello
Thank you for sharing your valuable insights and warnings based on your experience.
The heads-up regarding the potential need for Professional Services and the strict OS package versioning is particularly helpful. We will be sure to discuss these important points internally with our team as we plan our next steps.
We appreciate you taking the time to provide this advice.
Danke.
Zake
The recommendation is to use separate physical disks (e.g., /dev/sdb and /dev/sdc) for mount points like /var/vcap1 and /var/vcap2 is primarily driven by I/O performance and data isolation.
For complete production use, I wont recommend due to potential I/O bottlenecks. Also it may not be supported by Splunk Support if performance issues arise.
Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Hi @PrewinThomas 
Thank you for your clear and helpful answer. Your explanation confirms our concerns regarding the potential for I/O bottlenecks and the importance of adhering to the documented disk layout.
Based on your advice, we will coordinate with our infrastructure team to provision the required separate disks and restructure our server to align with the best practices for a production environment.
I appreciate your expertise.
Best regards,
Zake
