Installation

How do I scale my Splunk deployment to account for rising demand in indexing volume?

vanderaj2
Path Finder

Hi Splunkers,

My program is considering adding 600 more Linux UF endpoints to our current Splunk deployment (we have ~450 total UF endpoints now), and they're asking for a "wish list" of resources to support the additional volume.

I have a pretty good idea of my licensing needs, and I've been using the Splunk online sizing tool to figure out how much additional disk capacity we need (based on our retention policies).

Is there also a good sizing tool or document out there to help me figure out whether I need to increase RAM/CPU on my indexers, and possibly add another indexer? (and maybe add another deployment server)

Just FYI - I currently have a 2 indexer cluster. Each indexer has 16 cores, 31 GB RAM

Labels (2)
0 Karma

gjanders
SplunkTrust
SplunkTrust

somesoni2 has already linked to it but the Splunk Capacity Planning manual is what you want to refer to...

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Did you mean another search head? A second deployment server doesn't seem to make sense in context.

0 Karma

somesoni2
Revered Legend

He may be asking as number of clients are increasing too. @vanderaj2,, you can see great discussion in this post to understand the H/W requirement and suggested Deployment client load for Deployment servers here.

0 Karma

vanderaj2
Path Finder

Yep! that was exactly why I mentioned the deployment server. That discussion thread was very helpful -- thank you somesoni2!

0 Karma

somesoni2
Revered Legend
0 Karma

vanderaj2
Path Finder

Very helpful!! Thank you sir.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...