How do I scale my Splunk deployment to account for...

vanderaj2 · ‎09-14-2017

Hi Splunkers,

My program is considering adding 600 more Linux UF endpoints to our current Splunk deployment (we have ~450 total UF endpoints now), and they're asking for a "wish list" of resources to support the additional volume.

I have a pretty good idea of my licensing needs, and I've been using the Splunk online sizing tool to figure out how much additional disk capacity we need (based on our retention policies).

Is there also a good sizing tool or document out there to help me figure out whether I need to increase RAM/CPU on my indexers, and possibly add another indexer? (and maybe add another deployment server)

Just FYI - I currently have a 2 indexer cluster. Each indexer has 16 cores, 31 GB RAM

gjanders · ‎09-15-2017

somesoni2 has already linked to it but the Splunk Capacity Planning manual is what you want to refer to...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

DalJeanis · ‎09-14-2017

Did you mean another search head? A second deployment server doesn't seem to make sense in context.

somesoni2 · ‎09-14-2017

He may be asking as number of clients are increasing too. @vanderaj2,, you can see great discussion in this post to understand the H/W requirement and suggested Deployment client load for Deployment servers here.

vanderaj2 · ‎09-15-2017

Yep! that was exactly why I mentioned the deployment server. That discussion thread was very helpful -- thank you somesoni2!

somesoni2 · ‎09-14-2017

This may help. http://docs.splunk.com/Documentation/Splunk/6.6.3/Capacity/Summaryofperformancerecommendations

vanderaj2 · ‎09-15-2017

Very helpful!! Thank you sir.

How do I scale my Splunk deployment to account for rising demand in indexing volume?

license

other

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?