Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk indexers IOPS tade off

egsub
Explorer
‎03-31-2015 06:27 AM

Hi,

We're considering to raise the number of indexers servers (peers) with reducing the IOPS per server FS due to IOPS limitations in our hardware.

Does this calculation fit? For instance, does 10 servers with 600 IOPS S-ATA based are equal to 5 servers with 1200 IOPS SAS based in case of 500GB/day indexed data?

Thanks,
EG

Tags (3)
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎03-31-2015 09:49 PM

It should also be noted that 900iops is the minimum recommend spec for Splunk 6.2+. If you arent able to meet these requirements and decide to deploy lower spec hardware, you need to be careful and carefully monitor the Splunk Queues. Most likely you're going to see issues and need to modify configurations on your outputs to the indexers etc.

Reply

ekost
Splunk Employee
Splunk Employee
‎03-31-2015 05:44 PM

There's no magic answer available, as the type of search and the data volume per day will have a large impact on relative performance. If your SATA-based storage delivers the promised 600 IOPS (test with bonnie++,) and the type of searches you are running are balanced between CPU and I/O bound, and the data volume per-day per-indexer averages ~100GB/Day, and the data coming from the forwarders is evenly distributed across all indexers, and assuming an identical CPU core count, then having 2x indexers with less IOPS should equal your other hardware. There is no substitute for testing with actual data and a search and indexing load. Please note that a lot of admins discover that poor search result speed causes user aggravation, and insufficient IOPS can be a factor.

Reply

jmheaton
Path Finder
‎03-31-2015 02:22 PM

You should be more than fine with going with 5 servers at 1200 SAS.
A good rule of thumb is to go 1 server, 8 cores, 8 GB ram, and 1000 IOPS per 100GB daily data.
Do you actually index all 500GB/day

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...