Getting Data In

Performance in Virtual versus Hardware Indexers for large and growing Enterprise Splunk instantiations

swagner1965
Path Finder

We have an Enterprise Splunk instantiation that has clustered virtual indexers.  We have been advised that we need real hardware for our indexers to scale up to the size we anticipate.  What areas of performance are affected by having virtualized indexers versus hardware?  

Labels (2)
0 Karma
1 Solution

Stefanie
Builder

The main issue that virtual Splunk servers have is the fact that the resources Splunk needs is not "reserved".

Virtual Indexers perform best when their vCPU and vRAM is reserved, and the disk is provisioned using eager-zero. 

There was an old Splunk tech brief from 2017 that talked about deploying Splunk on Virtual Hardware. I will paste the summary below.

As is expected with most virtualized high I/O applications, you should expect as much as 10 percent less performance when running Splunk Enterprise within virtual environments. However, there are many additional benefits to consider. Virtualization offers better resource sharing and utilization, includes HA capabilities, makes provisioning and management an easier exercise, and may support a corporate virtualization mandate. For best performance, put full reservations on CPU and memory, provision Eager Zero Thick VMDKs, and turn off snapshotting for virtual machines running Splunk Enterprise. Disk quality is also critical to Splunk performance—make sure you are using the best disk available. And to keep up with increasing data volumes, scale your deployment by adding additional Splunk indexers.

View solution in original post

Stefanie
Builder

The main issue that virtual Splunk servers have is the fact that the resources Splunk needs is not "reserved".

Virtual Indexers perform best when their vCPU and vRAM is reserved, and the disk is provisioned using eager-zero. 

There was an old Splunk tech brief from 2017 that talked about deploying Splunk on Virtual Hardware. I will paste the summary below.

As is expected with most virtualized high I/O applications, you should expect as much as 10 percent less performance when running Splunk Enterprise within virtual environments. However, there are many additional benefits to consider. Virtualization offers better resource sharing and utilization, includes HA capabilities, makes provisioning and management an easier exercise, and may support a corporate virtualization mandate. For best performance, put full reservations on CPU and memory, provision Eager Zero Thick VMDKs, and turn off snapshotting for virtual machines running Splunk Enterprise. Disk quality is also critical to Splunk performance—make sure you are using the best disk available. And to keep up with increasing data volumes, scale your deployment by adding additional Splunk indexers.

swagner1965
Path Finder

Thanks!

That confirms what we have heard from conversations with other people and you referenced some documentation which will help us plead our case to the folks we plead to,.....

Cheers!

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...