Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How should I implement a Splunk architecture on a 2 virtual machine, development environment?

gianpaolodelgro
New Member
‎11-18-2016 03:33 AM

Hi, we have to implement a Splunk architecture (for a development/test environment). We have 2 virtual devices, and we should replicate this set: 1 Deployment server, 1 Heavy Forwarder, a cluster of 3 Search Heads, 1 and Indexer. What do you suggest us to do?
Thank you very much

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-18-2016 05:52 AM

Hi giampaolodelgrosso,
Obviously you cannot replicate your production architecture.
Every way I usually don't replicate Deployment server in dev Environment.
You could use your two Virtual machines For Search Head and Indexer.
The problem is the Heavy Forwarder: If you cannot have another vm you could do two thimgs:
Use the production Indexer also For Development and VMs one For SH and one for HF.
Or better, if you have sufficient resources in at least one VM to install two Splunk instances on the first VM For SH and HG and install Indexer on the second.
Bye.
Giuseppe

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎11-18-2016 05:27 AM

Hello @gianpaolodelgrosso , Welcome to Splunk Answers!

First off, can you clarify what you mean by virtual devices? Are you referring to 2 virtual machines or 2 devices which will be collecting log files/data and need to be sent to Splunk?

Assuming you're referring to 2 VM's, then read on..

What are the specs of your VM's? I would suggest you get physical servers since this will handle the load better, especially when you grow. Why would you want a heavy forwarder over adding another indexer? Adding more indexers gives you the ability to scale, universal forwarders almost always do the trick, and they're light weight! Lastly, how many sources/host do you suspect will be feeding into Splunk?

0 Karma
Reply

gianpaolodelgro
New Member
‎11-18-2016 06:18 AM

Hi,
It is 2 VM to IDE (integrated development environment, this is for test and development), we have to install there and with local sources (Database local) to replicate another enviroment. We have a design draft (also based on what you said about Heavy Forwarded):

VM 1:
instance_1 --> DMC+ Deployer (SH) + Cluster Master (IDX)
instance_2 --> Deployment Server (Forwarders)
instance_3 --> Universal Forwarder (HF)

VM 2:
instance_1 --> SH cluster host 1
instance_2 --> SH cluster host 2
instance_3 --> SH cluster host 3
instance_4 --> IDX cluster host 1
instance_5 --> IDX cluster host 2

What's your opinion? Is it okay if we install in a VM, two memebr cluster (3 search head and 2 indexer)?
Thanks a lot again

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎11-18-2016 04:41 PM

I'm going to need a bit more clarification on what you're trying to do..

First off, how much data do you expect to flow in? How many sources and hosts do you have?

Splunk is designed to scale, so you have the ability to start small and grow as needed. If your indexing less than 50GB / day then you can get by with a single indexer and universal forwarders

Lastly, what are the specs of your VM's? Physical servers will perform much better with Splunk

0 Karma
Reply
Get Updates on the Splunk Community!

Holistic Visibility and Effective Alerting Across IT and OT Assets

Instead of effective and unified solutions, they’re left with tool fatigue, disjointed alerts and siloed ...

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...
Top