Solved: Recommended Virtual Machine Sizes for Search Head ...

aelliott · ‎03-04-2014

Does this seem like a good setup for a dedicated Search head, indexer for a virtualized Splunk?

Search Head
- 8 core 16 GB Ram

Indexer
- 8 core 8 GB Ram 1 TB Hard Drive

We will have approximately 3 concurrent users at a given time, and a throughput of 10 GB/day

martin_mueller · ‎03-05-2014

Yeah, that looks better. I'm not 100% certain if 16/8 memory distribution is better than 12/12, but changing that is not going to have an enormous impact. More is always better of course, but you should be fine for a pedestrian 10GB/day...

View solution in original post

martin_mueller · ‎03-05-2014

Yeah, that looks better. I'm not 100% certain if 16/8 memory distribution is better than 12/12, but changing that is not going to have an enormous impact. More is always better of course, but you should be fine for a pedestrian 10GB/day...

aelliott · ‎03-19-2014

finally have the power to convert to answer 🙂 Thanks for your help martin.

ChrisG · ‎03-04-2014

Bear in mind that indexing performance is about 30% slower on a virtual machine. Search performance is about equivalent to physical hardware.

aelliott · ‎03-04-2014

I have modified my post, does that look much better?

martin_mueller · ‎03-04-2014

I'd swap the cores around, giving the search head more oomph.

Recommended Virtual Machine Sizes for Search Head and Indexer

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk