Knowledge Management

Partitioning

sullivans
New Member

Greetings,

I'm setting up Splunk on a Windows Server 2008 box with 8 drives in a RAID 10. I am curious if it is better to use a single disk partition or if there is an advantage to breaking up the drives into 2 partitions (one for the OS/Apps and one for data).

Splunk documentation seems to indicate a single disk partition is preferred. This is an excerpt:

Splunk can use multiple disks and partitions for its index data. It's possible to configure Splunk to use many disks/partitions/filesystems on the basis of multiple indexes and bucket types, so long as you mount them correctly and point to them properly from indexes.conf. However, we recommend that you use a single high performance file system to hold your Splunk index data for the best experience.

Is there any advantage of using two disk partitions over one?

Thanks!

0 Karma

hsesterhenn_spl
Splunk Employee

Hi,
Splunk does not enforce or recommend a specific partitioning.

Usually, from an operations point of view, you separate operating system stuff from data.

So create a single RAID1 for OS+Splunk basic stuff and put the indexes on a separate RAID10 which is able to deliver 800 IOPS+.

http://docs.splunk.com/Documentation/Splunk/latest/Capacity/IntroductiontocapacityplanningforSplunkE...

HTH,

Holger

0 Karma
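An indexes.conf stanza that places one index on a dedicated data volume, matching the layout suggested in the answer above. This is an added example, not configuration from the thread or from Splunk's documentation; the drive letter D:, the directory D:\splunk_indexes, the index name app_logs and the size cap are assumptions.

```ini
# indexes.conf (added example; index name, drive letter and sizes are assumed)
# OS and the Splunk installation stay on the system volume (for example C:),
# while the bucket directories for this index live on the separate data volume.

[app_logs]
# Hot and warm buckets: the most I/O-intensive path, so it goes on the fast array.
homePath   = D:\splunk_indexes\app_logs\db
# Cold buckets: kept on the same data volume here; could point at slower storage.
coldPath   = D:\splunk_indexes\app_logs\colddb
# Thawed (restored from archive) buckets: required setting for every index.
thawedPath = D:\splunk_indexes\app_logs\thaweddb
# Cap the total size of the index so it cannot fill the data volume.
maxTotalDataSizeMB = 200000
```

To relocate every index rather than a single one, the SPLUNK_DB setting in splunk-launch.conf changes the base directory that the default index paths are built from.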