What are recommended specs for a virtual host for our multisite sandbox environment?

Path Finder

Hi there,

I've been tasked with building a Splunk Enterprise 6.3 multisite virtual environment sandbox. The environment is to consist of the following Splunk instances:

  • 5 search heads in a search head cluster
  • 7 indexers (3 sites x 2 indexers + 1 cluster master)
  • 1 combined deployment server, license master, deployer
  • 2 forwarders installed on Linux images

In addition to the above instances, the virtual host should also be able to accommodate a separate distributed search environment consisting of:

  • 1 search head (also acting as deployment server and license master)
  • 2 indexers
  • 2 forwarders installed on Linux images

So in all, a total of 20 virtual instances will be hosted. As this is a sandbox environment, the volume of data being forwarded/indexed will be minimal - definitely less than 10GB/day if that. We will be using VirtualBox for the images with CentOS 7 - minimal as the operating system on the images.

Given the above criteria, I need to procure the machine that will host all of these images. Specifically I need to know:

  1. Recommended processor.
  2. Number of CPUs/cores required
  3. Minimum clock-speed
  4. RAM
  5. Number of hard drives required
  6. Individual hard drive capacity
  7. Individual hard drive specs
  8. Hard drive RAID configuration

I would also need to know the specifications that the individual CentOS 7 virtual images (for the different types of instances) would require such as:

  1. Allocated RAM
  2. Allocated disk space
  3. Allocated CPU

If I have missed any critical specification then please feel free to add/comment on that also.

Thanks for your assistance.


0 Karma

Splunk Employee

Here's a starting point:

Virtual Hardware section, also a link to a PDF in that section:

What I suggest is jotting down the specs you'd like to have for each VM, based on the recommendations in the documentation listed above. Then, with that, tally it all together (total virtual RAM => RAM, total disk, total vCPUs => CPUs) to determine what size box(es) you would need to accommodate that type of workload. There's not really a tool out there to do that, as architecting something like this is a bit of a skill, art and SWAG.

Path Finder

Thanks, pgreer. In looking at the documents referenced, the specs are based on production hardware/virtualization. What factor would you use to scale it back for a sandbox environment?

0 Karma

Splunk Employee

Avisram, the Tech Brief recommended above is definitely for a production environment. It is probably ideal to have a physical host with at least 20 cores and 256GB RAM for this environment. It's impossible to make a recommendation for storage based on the information provided. Would need to factor how long you plan to retain data in this environment, and work backwards from that (this site might help you: ).
If you plan to do multiple physical hosts for this environment, you can probably do smaller core count boxes. If you are building this to perform well, I would need further information to size this.

0 Karma