
Can anyone suggest a typical Splunk Enterprise implementation for an organization?

thakarpratik
Engager

I am a newbie at Splunk and am splunking, learning my way through the tutorials and practicing, but I want to know what a typical Splunk implementation infrastructure would be in a real organization.

Example:
How many servers, how many forwarders, how many indexers, how many search heads?

From how many sources can data come in, what are the servers where Splunk Enterprise needs to be installed, and is this commonly used on Linux or Windows servers?

I would really appreciate any input

1 Solution

skoelpin
SplunkTrust

Hey @thakarpratik, welcome to Splunk Answers!

This can vary greatly depending on the size of the organization and what you're using it for. We index around 150GB/day and have a few hundred servers that Splunk is installed on. We use all Universal Forwarders to send our data and have 2 separate indexers serving a dev and production Splunk environment. My advice is to start small and find problems that Splunk can solve. Our first big win with Splunk was when we got visibility into why our web service calls were slow a few hours each day. We then started solving more problems and getting more buy-in. Splunk's pricing model is by how much data you index per day.

I think you're off to a great start by reading tutorials and learning what Splunk is and what it can do. If you want to bring yourself to the next level, then you should sign up for a free Amazon Web Services account and spin up some remote servers. It's very easy to do and you have the ability to choose what OS you want to use for each server, so you could have 10 Linux servers and 10 Windows servers running at one time. I then recommend installing Splunk Lite (Free version) on your local computer and this will act as your indexer. You should then install forwarders on the remote machines and point them to your indexer and watch the data flow into Splunk. After manually installing dozens of forwarders, you should then learn how the deployment server works.

I would also recommend you learn how to use regular expressions. This gives you the ability to extract fields and use them in a search, which can be very powerful. You can go to www.regex101.com and become a pro within a month.


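A worked example of the lab skoelpin describes (install forwarders on the remote machines, point them at your indexer, then move to a deployment server). This is added here and is not code from the original post or from Splunk: a POSIX shell script that writes the Universal Forwarder's outputs.conf, inputs.conf and deploymentclient.conf, plus the matching TLS listener on the indexer. The hostnames idx1.example.com and ds.example.com, the client name web-01, the index name os and the certificate paths under etc/auth/mycerts are assumptions for the example; replace them with your own.

```shell
#!/bin/sh
# Lab bootstrap for the forwarder -> indexer exercise.
# Assumed (not from the original post): indexer idx1.example.com listening on
# 9997 with TLS, deployment server ds.example.com on 8089, and a CA / cert
# bundle already copied to $SPLUNK_HOME/etc/auth/mycerts/ on each host.
# The CLI equivalent on the forwarder would be
#   $SPLUNK_HOME/bin/splunk add forward-server idx1.example.com:9997
#   $SPLUNK_HOME/bin/splunk set deploy-poll ds.example.com:8089
# but writing the .conf files yourself lets you also pin the indexer's
# certificate, which the plain CLI commands do not do.

write_forwarder_config() {
  splunk_home=$1; indexer=$2; deploy_server=$3; client_name=$4
  local_dir="$splunk_home/etc/system/local"
  mkdir -p "$local_dir"

  # outputs.conf: where the UF sends data. sslVerifyServerCert and
  # sslCommonNameToCheck stop the forwarder from streaming your logs to
  # anything that happens to answer on port 9997.
  cat > "$local_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $indexer:9997
sslRootCAPath = \$SPLUNK_HOME/etc/auth/mycerts/ca.pem
clientCert = \$SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslVerifyServerCert = true
sslCommonNameToCheck = $indexer
EOF

  # inputs.conf: a minimal set of security-relevant Linux files to monitor.
  cat > "$local_dir/inputs.conf" <<EOF
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os

[monitor:///var/log/syslog]
sourcetype = syslog
index = os
EOF

  # deploymentclient.conf: once you have dozens of forwarders, push inputs
  # and outputs from one deployment server instead of editing every host.
  cat > "$local_dir/deploymentclient.conf" <<EOF
[deployment-client]
clientName = $client_name

[target-broker:deploymentServer]
targetUri = $deploy_server:8089
EOF
  echo "$local_dir"
}

write_indexer_input() {
  splunk_home=$1
  local_dir="$splunk_home/etc/system/local"
  mkdir -p "$local_dir"
  # Receiving side: a TLS-only listener that also demands a client
  # certificate, so a rogue host cannot inject fabricated events.
  # The trusted CA for client certs is set in server.conf
  # ([sslConfig] sslRootCAPath), not here.
  cat > "$local_dir/inputs.conf" <<EOF
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = \$SPLUNK_HOME/etc/auth/mycerts/indexer.pem
requireClientCert = true
EOF
  echo "$local_dir"
}

# Usage against a real install, followed by a restart of splunkd on each host:
#   write_forwarder_config /opt/splunkforwarder idx1.example.com ds.example.com web-01
#   /opt/splunkforwarder/bin/splunk restart
#   write_indexer_input /opt/splunk
#   /opt/splunk/bin/splunk restart
```

After the restart, `splunk list forward-server` on the forwarder should show the indexer as active, and on the indexer a search for `index=_internal sourcetype=splunkd component=TcpInputProc` will show the TLS handshake and any certificate failures, which is the first place to look when the data does not flow.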
thakarpratik
Engager

Thank you @skoelpin - apologies for the late response -
Your answer does make sense.

About your suggestion for signing up for the free AWS tier: if I install like 10 Linux instances on Amazon AWS and then install Splunk Forwarders, would it not consume my free AWS limit?


skoelpin
SplunkTrust
SplunkTrust

Correct, the AWS free tier gives you 750 instance hours per month. So if you run 10 servers for 24 hours then you will consume 240 instance hours per day. If you run 1 instance 24 hours per day for 1 day then you will run 24 instance hours in one day. So you can spin up those servers for a few hours a day to practice on but you would quickly lose your time before the month is up.

If I answered your question, can you please accept the answer. If not then feel free to keep asking questions, I'm happy to help!


MuS
Legend

Hi thakarpratik,

This can only be answered by yourself, because it is all related to your use case and the data you use.
Here is a good starting point: http://docs.splunk.com/Documentation/Splunk/6.4.2/Capacity/ComponentsofaSplunkEnterprisedeployment and, to answer at least one question: run it on Linux if you can choose your OS 😉

If you still struggle, there are plenty of Splunk partners and also Splunk PS available to support you with your first Splunk build.

Hope this helps ...

cheers, MuS
