Installation

License suggestion

VijaySrrie
Builder

Hi,

For a very large environment what would be the license requirement?
How many Search Heads, Indexers, Forwarders required and what are all the other components required?

Labels (3)
0 Karma

ivanreis
Builder

It is hard to determine what is the correct hardware specifications without know your use cases. As commented, the best thing to do is to contact the Splunk Sales Engineering to run an assessment in your environment to identify your needs and the amount of data for daily ingestion.
A lot of aspects have to be considered like:
- Virtual/Physical Hardware
- The amount of data to be indexed
- Which are the source types to be indexed(windows log, linux log, Network Devices, Security logs, Database connections, and others)
- Data Retention
- How many users to login/run adhoc/scheduled reports
- Splunk apps to be installed in your environment, also have a different impact on performance and disk storage as well.
- Is single/multi-site cluster required?
- Is Disaster recovery topology required?

Here are some documents where can assist you to have a reference for high volume of data processing:
- Hardware specification -> https://docs.splunk.com/Documentation/Splunk/8.0.1/Capacity/Referencehardware
- How search types affect Splunk Enterprise performance -> https://docs.splunk.com/Documentation/Splunk/8.0.1/Capacity/HowsearchtypesaffectSplunkEnterpriseperf...
- How Splunk Enterprise calculates disk storage ->https://docs.splunk.com/Documentation/Splunk/8.0.1/Capacity/HowSplunkcalculatesdiskstorage
- Disk sizing -> https://splunk-sizing.appspot.com/
- How concurrent users and searches impact performance ->https://docs.splunk.com/Documentation/Splunk/8.0.1/Capacity/Accommodatemanysimultaneoussearches
- Expected performance and known limitations of real-time searches and reports -> https://docs.splunk.com/Documentation/Splunk/8.0.1/Search/Realtimeperformanceandlimitations

So for those reasons, I strongly recommend to involve Splunk Sales Engineering on this case in order to map your needs and also better estimate the license, hardware, apps and storage. I hope these documents can better assist you to understand how you can size your environment to have a good conversation with Splunk.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Licenses specify how much external data you can index per day and not the size of the environment (though one of the factor for setting up larger environment is amount of index data indexed). So find out how much total data you will index per day (and may be add some buffer) and use that data to arrive at license requirement. See this link for more information on licensing:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/HowSplunklicensingworks

Regarding all the components of your Splunk deployment and their sizing, read through Splunk documentation (https://docs.splunk.com/Documentation/Splunk/8.0.1/Capacity/IntroductiontocapacityplanningforSplunkE...) . There are various factors in planning the topology and sizing.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

It depends on many factors. I do not work for Splunk but I'll suggest to discuss this with Splunk Sales and they will guide you.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...