Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Should we have more servers with less storage or less servers with more storage in an indexer clustering environment?

laytonj76
Explorer
‎02-16-2016 08:52 AM

We are in the middle of designing an Integration environment that we ultimately want to replace our Production environment. We have determined sizing based on our daily ingestion, replication, search factor, RAID configuration, etc. The question I have is whether it's recommended to have more servers with less storage or less servers with more storage?

Specifically, if we acquire servers with 12 bays and 2TB drives, we'd need 10 servers. Alternatively, if we acquire servers with 24 bays and 2TB drives we'd need 6 servers. We can support acquisition of either, but is there a recommendation between the two in terms of Splunk performance?

0 Karma
Reply

pgreer_splunk
Splunk Employee
Splunk Employee
‎02-16-2016 09:38 AM

Sizing is always an "it depends" scenario. Depends on ingest rate, number of concurrent searches, retention policies, etc. etc. etc.

However that said, from an ingest and search stand point, more servers (horizontal expansion) is better than fewer 'bigger' (vertical) expansion/capacity.

There are recommendations on drive size/types from a base I/O perspective - this nifty tool might help when playing around with scenarios.

https://splunk-sizing.appspot.com/

0 Karma
Reply

laytonj76
Explorer
‎02-16-2016 10:12 AM

Thanks for the response. I forgot to mention the boxes in question will be Indexers.

We used the sizing app and that was very helpful. Our question comes up as the sizing app doesn't have anything that would indicate whether there's an optimal HW configuration (and I'm not sure if this is something it can or should do). In any case, thanks for the response.

I suppose a follow up question is, does splunk scale out well on larger boxes. For example, if Splunk is running on a 14 core server, will it use all 14 cores or is it limited for any particular reason?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...