Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How many indexers is too many?

colinj
Path Finder
‎03-21-2012 10:13 AM

As I've been building out our Splunk installation I've been treating the indexers as appliances. By that I mean all of the indexers are identical down to every indexer having every index. This allows me to have all forwarders writing to all of the indexers.

My thinking goes something like this:

  1. If an indexer dies it's easy replace.
  2. If I can spread the load across multiple indexer the indexers can use simpler hardware and need less storage.
  3. As I need to grow my installation I can simply add more indexers.
  4. Loss of any one indexer means a loss of only a portion of all indexed data.

So, this raises some questions:

  • Is there a real or logical limit to the number of indexers I might have?
  • When does adding more indexers start to make things worse instead of better?
  • Is it better to have 4 8 CPU indexers or 8 4 CPU indexers?

Thanks!

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎03-21-2012 10:47 AM

The answer is: "it depends". There is a spectrum of deployments out there from one laptop to scores of indexers. Beyond data volume, you should also analyze your search use cases.

Scaling horizontally and treating indexers as disposable commidities is generally the right approach. More, cheaper indexers is generally better than fewer, more expensive indexers. The main cost is management/deployment complexity.

For more best practices, see:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Installation/CapacityplanningforalargerSplunkdeplo...

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎03-21-2012 10:47 AM

The answer is: "it depends". There is a spectrum of deployments out there from one laptop to scores of indexers. Beyond data volume, you should also analyze your search use cases.

Scaling horizontally and treating indexers as disposable commidities is generally the right approach. More, cheaper indexers is generally better than fewer, more expensive indexers. The main cost is management/deployment complexity.

For more best practices, see:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Installation/CapacityplanningforalargerSplunkdeplo...

Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...