Deployment Architecture

What are the requirements for a minimal Splunk installation on Ubuntu 20.04?

danielbb
Motivator

We are creating an installation of one indexer, one search head, and one universal forwarder with syslog, and I wonder what the minimal OS requirements are--such as disabling transparent huge pages on the indexer, file descriptors, etc. We are speaking about a bare minimum installation.


kiran_panchavat
SplunkTrust

@danielbb The default ulimit value is 1024. Minimal values might work for basic setups, but modern applications often require higher limits.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

kiran_panchavat
SplunkTrust

@danielbb You can set the ulimit value to 65535.


kiran_panchavat
SplunkTrust

@danielbb 

Please have a look

https://docs.splunk.com/Documentation/Splunk/9.4.0/Installation/SystemRequirements#Considerations_re... 

 

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.


kiran_panchavat
SplunkTrust

@danielbb 

This allows different buckets to be stored on different storage types, which in turn is very useful to improve efficiency and reduce storage costs. Below are the recommended configurations for each bucket/storage type and example indexes.conf parameters that can be utilized.

[Image: kiran_panchavat_0-1735921115340.png]

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.


kiran_panchavat
SplunkTrust

@danielbb 

General Considerations for all Splunk servers

1. Setting Ulimits and Transparent Huge Pages
2. Turn OFF SELinux
3. Check the Firewalld – In case, as per company policy, you need to have an OS-level firewall, make sure you open the required ports for Splunk on the OS. The following are a few useful commands you can use
4. Don’t run Splunk as root; create a Splunk user & group, and give the Splunk user sudo privileges.
5. Storage Consideration for Indexers

Splunk indexed data goes through various stages during its lifecycle as shown below:

Hot Bucket > Warm Bucket > Cold Bucket > Frozen/Archived > Thawed (Manual process)

This allows different buckets to be stored on different storage types, which in turn is very useful to improve efficiency and reduce storage costs.

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
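
A preflight check for the settings named in the reply above (ulimits, transparent huge pages, not running as root), added here as an example; it is not from the thread or from Splunk. Function names are hypothetical, the 65535 threshold is the value suggested earlier in the thread, and the THP check assumes the standard Linux sysfs path.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): preflight check for the
# OS settings discussed above. Function names are hypothetical.
MIN_NOFILE=65535                               # value suggested earlier in the thread
THP_DIR=/sys/kernel/mm/transparent_hugepage    # standard Linux sysfs location

# Active mode from a THP sysfs line such as "always madvise [never]".
thp_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z+_-]*\)\].*/\1/p'
}

# Soft "Max open files" value from the text of /proc/<pid>/limits.
soft_nofile() {
    printf '%s\n' "$1" | awk '/^Max open files/ { print $4 }'
}

# Succeed if a limit ("unlimited" or a number) is at least MIN_NOFILE.
nofile_ok() {
    case "$1" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$MIN_NOFILE" ]
}

# Args: uid, soft nofile limit, THP "enabled" line, THP "defrag" line.
# Prints one line per check; returns the number of failed checks.
evaluate() {
    fails=0
    if [ "$1" = "0" ]; then echo "FAIL user: uid 0 (root)"; fails=$((fails + 1))
    else echo "OK   user: uid $1"; fi
    if nofile_ok "$2"; then echo "OK   nofile: $2"
    else echo "FAIL nofile: $2 < $MIN_NOFILE"; fails=$((fails + 1)); fi
    for line in "$3" "$4"; do
        mode=$(thp_active_mode "$line")
        # An empty line means the kernel exposes no THP control file.
        if [ -z "$line" ] || [ "$mode" = "never" ]; then echo "OK   thp: ${mode:-absent}"
        else echo "FAIL thp: ${mode:-unparsed} (want never)"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Check a live process: ./preflight.sh <pid of splunkd>
if [ -n "${1:-}" ] && [ -r "/proc/$1/limits" ]; then
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$1/status")
    evaluate "$uid" "$(soft_nofile "$(cat "/proc/$1/limits")")" \
        "$(cat "$THP_DIR/enabled" 2>/dev/null)" "$(cat "$THP_DIR/defrag" 2>/dev/null)"
fi
```

Pass the splunkd PID so the limits checked are those of the running process, which can differ from the login shell's `ulimit -n` when the service is started by systemd.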


danielbb
Motivator

Thanks @kiran_panchavat,

About the ulimits, what are the minimal ulimits requirements?


kiran_panchavat
SplunkTrust

@danielbb Go through this link for more information: https://www.splunk.com/en_us/blog/tips-and-tricks/whats-your-ulimit.html

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
