Currently working on a project where instead of dedicating only a single instance of Splunk only for ES they actually have ES installed on every Search Head. From my experience in tinkering with "https://splunk-sizing.appspot.com/" any time I would pick ES for Search Heads, the automatic amount required for Indexer nodes gets tripled.
I was just wondering maybe if this would help ease the critical pressure that is going on in the indexers at the moment.
Thanks,
Hi @NightShark,
Splunk best practices hint to use dedicated Search Heads for ES, separated from the other apps SHs.
Indexers are usually shared but obviously the load of ES is usually harder than usual apps because there are many accelerated Datamodels and scheduled searches, so you have to design with much attention the resources of your system.
So, if you see at https://docs.splunk.com/Documentation/ES/6.6.2/Install/DeploymentPlanning, you need at least (it depends on the indexed logs, scheduled correlation searches and users) 16 CPUs and 32GB of RAM for each Indexer; if you have other apps that use those Indexers you have to give to the Indexers more CPUs and RAMs.
Ciao.
Giuseppe
Hello Giuseppe,
Yes, that is exactly what I was thinking. Is more licensing being used while having ES installed on 3 instances?
So basically having 3 ES Instances also triples the amount of load on the indexers? All the instances are set to high performance recommendations but I was wondering if apart from CPU and RAM load, if it would increase disk usage as well?
Thank you for the quick response!
Hi @NightShark,
let me understand: when you say "Three Es instances" are you speaking of three Search Heads that use the same indexers or three stand alone ESs?
I think that you're speaking of the first choice, in this case you need to exactly design your reference hardware, taking in consideration:
Remember that this usually is a work for Professional Services or at least for a Splunk Architect, it isn't a job for Community!
If this answer solves your need, please, accept it for the other people of Community, otherwise, tell me how can I help you.
Ciao.
Giuseppe
P.S: Karma Points are appreciated 😉
Hello,
Thank you for your response, I have forwarded the issue towards Splunk Case to gain further insight.
Regards,
Hi @NightShark,
good idea, but I think that they will answer that you have to engage a Splunk Architect or Professional Services because you haven't a bug.
Ciao.
Giuseppe