concurrent users and hardware scaling

sdevadas
Path Finder

Hi,

I had a question about hardware scaling.

Our current setup:
1 search head: Intel Xeon 2.54 GHz, 4 processors, 8 GB RAM, 64-bit Windows 2008
2 indexers, splunkweb disabled:
a. Intel Xeon 2.54 GHz, 4 processors, 8 GB RAM, 64-bit Windows 2003
b. Intel Xeon 2.54 GHz, 4 processors, 8 GB RAM, 64-bit Windows 2008

We index around 2 GB of data every day currently and this is not a problem. Most of the data comes in from Windows universal forwarders on about 150 hosts, and a few Unix/appliance syslogs. We will be increasing this to around 4 GB per day in the near future.

However, more users are now using Splunk to do their queries; recently I had a user complain that real-time searches were not performing well. Our users are familiar with Splunk and avoid doing searches over all indexes over all time, etc.

We currently have around 15 concurrent users, and this might be going up to around 30 users in the future. I was wondering if our current search head/indexer hardware is enough to handle our user searches, or if we need to add more.

For this scenario, would there be a need to add more hardware, i.e.
1. More memory to the indexers and/or search heads
2. More indexers and/or search heads

I went over http://www.splunk.com/base/Documentation/latest/Installation/CapacityplanningforalargerSplunkdeploym...
but was not able to come up with a definite answer myself.

Thanks

1 Solution

piebob
Splunk Employee

the issue is less about concurrent users, and more about concurrent searches:

http://www.splunk.com/base/Documentation/latest/Installation/CapacityplanningforalargerSplunkdeploym...

there is a table here with recommendations, and a detailed discussion with an example scenario.

the tl;dr of the section is that if you want search performance to improve, ensure that there are as many cores available to the search process as possible.

"The lesson here is to add indexers. Doing so reduces the load on any system from indexing, to free cores for search. Also, since the performance of almost all types of search scale with the number of indexers, searches will be faster, which mitigates the effect of slowness from resource sharing."

adamw
Communicator

I agree with piebob; we've found in our deployment that adding indexers and doing load balancing and distributed search significantly improves index and search performance.

Basically search heads are CPU intensive, while indexers are memory intensive. So plan accordingly, but scaling indexers will give you your most bang for your buck, imho.
