Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Distributed Indexer Hardware

ckillg
Path Finder
‎09-24-2015 07:33 AM

I'm working to purchase additional indexers, but am trying to figure out what would be the best configuration of servers.

Essentially, I can purchase one R730 with 24 hard disks in a RAID 10, or I can buy 4 R550s, each with 8 hard disks in a raid 10. Both server configs would have 2 CPUs and however much RAM I wanted (I understand the requirements are low).

I am trying to accelerate searches and provide redundancy and recovery more than trying to increase indexing rate or volume.

I can try to provide more information if needed. I've read through the sizing documentation, and I can't find any concrete recommendations for disk configuration.

Neill

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Yasaswy
Contributor
‎09-24-2015 07:51 AM

Hi,

I would go the route of more indexers /servers... your data will be better distributed and will provide opportunities for faster searches. Will provide more options on clustering side as well. (More servers typically better than a single server for indexer)

From disk standpoint you can find some info here

View solution in original post

Reply
Solved! Jump to solution
Solution

Yasaswy
Contributor
‎09-24-2015 07:51 AM

Hi,

I would go the route of more indexers /servers... your data will be better distributed and will provide opportunities for faster searches. Will provide more options on clustering side as well. (More servers typically better than a single server for indexer)

From disk standpoint you can find some info here

Reply
Solved! Jump to solution

grijhwani
Motivator
‎09-24-2015 08:06 AM

If redundancy is what you want then the rule of not keeping all your eggs in one basket is definitely the way to go. A cluster of multiples is the far better route, and for a bonus you get easier maintainability, too. (Having the option to drop one of 4 out of the pile leaving the other 3 to take up the load in the meantime is a boon to maintenance operations.)

0 Karma
Reply
Solved! Jump to solution

ckillg
Path Finder
‎09-24-2015 08:19 AM

Any idea if SSDs make a significant difference in search speed?

0 Karma
Reply
Solved! Jump to solution

ckillg
Path Finder
‎09-24-2015 08:36 AM

found this http://blogs.splunk.com/2012/05/10/quantifying-the-benefits-of-splunk-with-ssds/

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...