Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Should we have more servers with less storage or less servers with more storage in an indexer clustering environment?

laytonj76
Explorer
‎02-16-2016 08:52 AM

We are in the middle of designing an Integration environment that we ultimately want to replace our Production environment. We have determined sizing based on our daily ingestion, replication, search factor, RAID configuration, etc. The question I have is whether it's recommended to have more servers with less storage or less servers with more storage?

Specifically, if we acquire servers with 12 bays and 2TB drives, we'd need 10 servers. Alternatively, if we acquire servers with 24 bays and 2TB drives we'd need 6 servers. We can support acquisition of either, but is there a recommendation between the two in terms of Splunk performance?

0 Karma
Reply

pgreer_splunk
Splunk Employee
Splunk Employee
‎02-16-2016 09:38 AM

Sizing is always an "it depends" scenario. Depends on ingest rate, number of concurrent searches, retention policies, etc. etc. etc.

However that said, from an ingest and search stand point, more servers (horizontal expansion) is better than fewer 'bigger' (vertical) expansion/capacity.

There are recommendations on drive size/types from a base I/O perspective - this nifty tool might help when playing around with scenarios.

https://splunk-sizing.appspot.com/

0 Karma
Reply

laytonj76
Explorer
‎02-16-2016 10:12 AM

Thanks for the response. I forgot to mention the boxes in question will be Indexers.

We used the sizing app and that was very helpful. Our question comes up as the sizing app doesn't have anything that would indicate whether there's an optimal HW configuration (and I'm not sure if this is something it can or should do). In any case, thanks for the response.

I suppose a follow up question is, does splunk scale out well on larger boxes. For example, if Splunk is running on a 14 core server, will it use all 14 cores or is it limited for any particular reason?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...