Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Should I build out a cluster master with the same hardware spec requirements as my heavy forwarder?

sbattista09
Contributor
‎12-21-2015 09:15 AM

Should I build out a cluster master with the same hardware requirements as my heavy forwarder?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-22-2015 12:39 AM

Our cluster master and deployment servers were sharing a VM with the following specs until very recently: 4 cores, 4 GB RAM, 50GB dedicated drive. We had 2000 UFs and 6 indexers.

The minimum spec I would go for nowadays is the following:

  • Intel 64-bit chip architecture, 2 cores, 2 GHz
  • 2GB RAM
  • OS installation + 50GB free
  • Standard 1Gb Ethernet NIC, with optional second NIC for a management network
  • Linux 3.x 64-bit edition

If you can afford it get 4 cores and 4GB RAM.

Hope that helps.

Regards,
Javier

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-22-2015 12:39 AM

Our cluster master and deployment servers were sharing a VM with the following specs until very recently: 4 cores, 4 GB RAM, 50GB dedicated drive. We had 2000 UFs and 6 indexers.

The minimum spec I would go for nowadays is the following:

  • Intel 64-bit chip architecture, 2 cores, 2 GHz
  • 2GB RAM
  • OS installation + 50GB free
  • Standard 1Gb Ethernet NIC, with optional second NIC for a management network
  • Linux 3.x 64-bit edition

If you can afford it get 4 cores and 4GB RAM.

Hope that helps.

Regards,
Javier

Reply
Solved! Jump to solution

hagjos43
Contributor
‎12-21-2015 09:19 AM

That's not enough information to go on with 100% accuracy. BUT, let me tell you about our environment and maybe that'll help.

We have two indexers, one searchhead, a handful of heavy forwarders, and hundreds of universal forwarders. When we moved to the two indexer model we just lumped our cluster master in with our deployment server and have had zero issues in over 6-7 months.

Hope that helps!

0 Karma
Reply
Solved! Jump to solution

sbattista09
Contributor
‎12-21-2015 09:32 AM

glad to hear! we have 4 indexers and about 800 to 1000 UF's. Im looking for a guild line to spec out a Cluster master.

0 Karma
Reply
Solved! Jump to solution

hagjos43
Contributor
‎12-21-2015 09:46 AM

Ours is a VM:
4 cores, 6 GB of RAM, around 100GB of storage to start (being a VM we can grow it as needed).

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...