Getting Data In

Distributed Indexer Hardware

ckillg
Path Finder

I'm working to purchase additional indexers, but am trying to figure out what would be the best configuration of servers.

Essentially, I can purchase one R730 with 24 hard disks in a RAID 10, or I can buy 4 R550s, each with 8 hard disks in a raid 10. Both server configs would have 2 CPUs and however much RAM I wanted (I understand the requirements are low).

I am trying to accelerate searches and provide redundancy and recovery more than trying to increase indexing rate or volume.

I can try to provide more information if needed. I've read through the sizing documentation, and I can't find any concrete recommendations for disk configuration.

Neill

0 Karma
1 Solution

Yasaswy
Contributor

Hi,

I would go the route of more indexers /servers... your data will be better distributed and will provide opportunities for faster searches. Will provide more options on clustering side as well. (More servers typically better than a single server for indexer)

From disk standpoint you can find some info here

View solution in original post

Yasaswy
Contributor

Hi,

I would go the route of more indexers /servers... your data will be better distributed and will provide opportunities for faster searches. Will provide more options on clustering side as well. (More servers typically better than a single server for indexer)

From disk standpoint you can find some info here

grijhwani
Motivator

If redundancy is what you want then the rule of not keeping all your eggs in one basket is definitely the way to go. A cluster of multiples is the far better route, and for a bonus you get easier maintainability, too. (Having the option to drop one of 4 out of the pile leaving the other 3 to take up the load in the meantime is a boon to maintenance operations.)

0 Karma

ckillg
Path Finder

Any idea if SSDs make a significant difference in search speed?

0 Karma

ckillg
Path Finder
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...