Getting Data In

Splunk indexers IOPS tade off

egsub
Explorer

Hi,

We're considering to raise the number of indexers servers (peers) with reducing the IOPS per server FS due to IOPS limitations in our hardware.

Does this calculation fit? For instance, does 10 servers with 600 IOPS S-ATA based are equal to 5 servers with 1200 IOPS SAS based in case of 500GB/day indexed data?

Thanks,
EG

Tags (3)
0 Karma

esix_splunk
Splunk Employee
Splunk Employee

It should also be noted that 900iops is the minimum recommend spec for Splunk 6.2+. If you arent able to meet these requirements and decide to deploy lower spec hardware, you need to be careful and carefully monitor the Splunk Queues. Most likely you're going to see issues and need to modify configurations on your outputs to the indexers etc.

ekost
Splunk Employee
Splunk Employee

There's no magic answer available, as the type of search and the data volume per day will have a large impact on relative performance. If your SATA-based storage delivers the promised 600 IOPS (test with bonnie++,) and the type of searches you are running are balanced between CPU and I/O bound, and the data volume per-day per-indexer averages ~100GB/Day, and the data coming from the forwarders is evenly distributed across all indexers, and assuming an identical CPU core count, then having 2x indexers with less IOPS should equal your other hardware. There is no substitute for testing with actual data and a search and indexing load. Please note that a lot of admins discover that poor search result speed causes user aggravation, and insufficient IOPS can be a factor.

jmheaton
Path Finder

You should be more than fine with going with 5 servers at 1200 SAS.
A good rule of thumb is to go 1 server, 8 cores, 8 GB ram, and 1000 IOPS per 100GB daily data.
Do you actually index all 500GB/day

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...