Hi, we have to implement a Splunk architecture (for a development/test environment). We have 2 virtual devices, and we should replicate this set: 1 Deployment Server, 1 Heavy Forwarder, a cluster of 3 Search Heads, and 1 Indexer. What do you suggest we do?
Thank you very much
Obviously you cannot replicate your production architecture.
Anyway, I usually don't replicate the Deployment Server in a dev environment.
You could use your two virtual machines for Search Head and Indexer.
The problem is the Heavy Forwarder: if you cannot have another VM, you could do two things:
Use the production Indexer also for development, and the two VMs one for SH and one for HF.
Or better, if you have sufficient resources in at least one VM, install two Splunk instances on the first VM for SH and HF, and install the Indexer on the second.
Hello @gianpaolodelgrosso , Welcome to Splunk Answers!
First off, can you clarify what you mean by virtual devices? Are you referring to 2 virtual machines, or 2 devices which will be collecting log files/data that need to be sent to Splunk?
Assuming you're referring to 2 VMs, then read on...
What are the specs of your VMs? I would suggest you get physical servers since this will handle the load better, especially when you grow. Why would you want a heavy forwarder over adding another indexer? Adding more indexers gives you the ability to scale, universal forwarders almost always do the trick, and they're lightweight! Lastly, how many sources/hosts do you suspect will be feeding into Splunk?
It is 2 VMs for an IDE (integrated development environment; this is for test and development). We have to install there and, with local sources (a local database), replicate another environment. We have a design draft (also based on what you said about the Heavy Forwarder):
instance_1 --> DMC+ Deployer (SH) + Cluster Master (IDX)
instance_2 --> Deployment Server (Forwarders)
instance_3 --> Universal Forwarder (HF)
instance_1 --> SH cluster host 1
instance_2 --> SH cluster host 2
instance_3 --> SH cluster host 3
instance_4 --> IDX cluster host 1
instance_5 --> IDX cluster host 2
What's your opinion? Is it okay if we install, in one VM, two member clusters (3 search heads and 2 indexers)?
Thanks a lot again
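The advice above (two Splunk instances on one VM for SH and HF) and the draft layout that packs cluster members onto two VMs both run into the same practical problem: every Splunk Enterprise instance binds the same set of default ports, so instances sharing a VM must each get distinct ports and a distinct SPLUNK_HOME. The following is an added example, not code from the thread or from Splunk; it assigns non-colliding ports to each instance on a VM, renders the web.conf/server.conf/inputs.conf stanzas that set them, and fails loudly if two instances on the same VM would still share a port. The VM names, instance names and the way the draft's roles are split across the two VMs are assumptions for illustration.

```python
"""Plan several Splunk Enterprise instances per VM with non-colliding ports.

Added example (not from the thread or from Splunk). The port list is the set
of TCP ports a default single instance binds; the two-VM layout is assumed.
"""
from dataclasses import dataclass, field

# Ports a default Splunk Enterprise instance listens on, keyed by the
# .conf setting that controls each one.
DEFAULT_PORTS = {
    "mgmt": 8089,         # splunkd management port (web.conf mgmtHostPort)
    "web": 8000,          # Splunk Web (web.conf httpport)
    "appserver": 8065,    # web.conf appServerPorts
    "kvstore": 8191,      # server.conf [kvstore] port
    "replication": 9887,  # server.conf [replication_port://<port>] for cluster members
    "splunktcp": 9997,    # inputs.conf [splunktcp://<port>] on receivers (IDX/HF)
}


@dataclass
class Instance:
    name: str
    vm: str
    roles: tuple              # e.g. ("search_head",) or ("indexer",)
    ports: dict = field(default_factory=dict)


def check_collisions(instances):
    """Raise ValueError if two instances on the same VM claim the same port."""
    seen = {}  # (vm, port) -> instance name that already owns it
    for inst in instances:
        for port in inst.ports.values():
            key = (inst.vm, port)
            if key in seen:
                raise ValueError(
                    f"port {port} on {inst.vm} used by both {seen[key]} and {inst.name}")
            seen[key] = inst.name


def assign_ports(instances, stride=100):
    """Offset every default port by (n * stride) for the n-th instance on a VM.

    The default ports differ in their last two digits, so a stride of 100
    keeps them apart for up to a handful of instances per VM; the explicit
    collision check below is what actually guarantees it.
    """
    next_slot = {}
    for inst in instances:
        n = next_slot.get(inst.vm, 0)
        next_slot[inst.vm] = n + 1
        inst.ports = {k: v + n * stride for k, v in DEFAULT_PORTS.items()}
    check_collisions(instances)
    return instances


def render_conf(inst):
    """Return {filename: text} for the local .conf stanzas that pin the ports."""
    p = inst.ports
    files = {
        "web.conf": (
            "[settings]\n"
            f"httpport = {p['web']}\n"
            f"mgmtHostPort = 127.0.0.1:{p['mgmt']}\n"
            f"appServerPorts = {p['appserver']}\n"
        ),
        "server.conf": (
            "[general]\n"
            f"serverName = {inst.name}\n\n"
            "[kvstore]\n"
            f"port = {p['kvstore']}\n\n"
            f"[replication_port://{p['replication']}]\n"
        ),
    }
    # Only receivers (indexers, heavy forwarders) need a splunktcp input.
    if "indexer" in inst.roles or "heavy_forwarder" in inst.roles:
        files["inputs.conf"] = f"[splunktcp://{p['splunktcp']}]\ndisabled = 0\n"
    return files


def example_plan():
    """Assumed split of the draft's roles across two VMs (constructed layout)."""
    plan = [
        Instance("mgmt",    "vm-a", ("monitoring_console", "sh_deployer", "cluster_manager")),
        Instance("sh1",     "vm-a", ("search_head",)),
        Instance("sh2",     "vm-a", ("search_head",)),
        Instance("sh3",     "vm-a", ("search_head",)),
        Instance("ds",      "vm-b", ("deployment_server",)),
        Instance("idx1",    "vm-b", ("indexer",)),
        Instance("idx2",    "vm-b", ("indexer",)),
    ]
    return assign_ports(plan)


if __name__ == "__main__":
    for inst in example_plan():
        print(inst.vm, inst.name, inst.ports)
        for fname, text in render_conf(inst).items():
            print(f"--- {fname}\n{text}")
```

Two caveats the port plan does not remove: stacking all three search-head cluster members on one VM keeps the three-member minimum the cluster needs but gives no failover when that VM goes down, and an indexer cluster with two peers cannot run a replication factor above 2; both are acceptable for a test environment as long as nobody reads the layout as a resilience test.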
I'm going to need a bit more clarification on what you're trying to do...
First off, how much data do you expect to flow in? How many sources and hosts do you have?
Splunk is designed to scale, so you have the ability to start small and grow as needed. If you're indexing less than 50GB / day then you can get by with a single indexer and universal forwarders.
Lastly, what are the specs of your VMs? Physical servers will perform much better with Splunk.