Getting Data In

Would Multiple Enterprise Security Splunk Instances Affect Indexing?

NightShark
Path Finder

Currently working on a project where, instead of dedicating a single instance of Splunk only to ES, they actually have ES installed on every Search Head. From my experience in tinkering with "https://splunk-sizing.appspot.com/", any time I would pick ES for Search Heads, the automatic amount required for Indexer nodes gets tripled.

I was just wondering maybe if this would help ease the critical pressure that is going on in the indexers at the moment.

Thanks,

1 Solution

gcusello
SplunkTrust

Hi @NightShark,

let me understand: when you say "Three ES instances", are you speaking of three Search Heads that use the same indexers, or three stand-alone ESs?

I think that you're speaking of the first choice; in this case you need to design your reference hardware exactly, taking into consideration:

  • all the indexed data (not more than 100 GB/day for each Indexer),
  • the activated Correlation searches and accelerated Datamodels,
  • the users that usually use the system.

Remember that this usually is a job for Professional Services or at least for a Splunk Architect; it isn't a job for the Community!

If this answer solves your need, please accept it for the other people of the Community; otherwise, tell me how I can help you.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉


gcusello
SplunkTrust

Hi @NightShark,

Splunk best practices hint to use dedicated Search Heads for ES, separated from the other apps SHs.

Indexers are usually shared, but obviously the load of ES is usually heavier than that of usual apps because there are many accelerated Datamodels and scheduled searches, so you have to design the resources of your system with much attention.

So, if you look at https://docs.splunk.com/Documentation/ES/6.6.2/Install/DeploymentPlanning, you need at least (it depends on the indexed logs, scheduled correlation searches and users) 16 CPUs and 32 GB of RAM for each Indexer; if you have other apps that use those Indexers, you have to give the Indexers more CPUs and RAM.

Ciao.

Giuseppe


NightShark
Path Finder

Hello Giuseppe,

Yes, that is exactly what I was thinking. Is more licensing being used while having ES installed on 3 instances?

So basically, having 3 ES instances also triples the amount of load on the indexers? All the instances are set to the high performance recommendations, but I was wondering if, apart from CPU and RAM load, it would increase disk usage as well?

Thank you for the quick response!



NightShark
Path Finder

Hello,

Thank you for your response, I have forwarded the issue towards Splunk Case to gain further insight.

Regards,


gcusello
SplunkTrust

Hi @NightShark,

good idea, but I think that they will answer that you have to engage a Splunk Architect or Professional Services, because you don't have a bug.

Ciao.

Giuseppe
