Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Recommended Virtual Machine Sizes for Search Head and Indexer

aelliott
Motivator
‎03-04-2014 11:55 AM

Does this seem like a good setup for a dedicated Search head, indexer for a virtualized Splunk?

Search Head
- 8 core 16 GB Ram

Indexer
- 8 core 8 GB Ram 1 TB Hard Drive

We will have approximately 3 concurrent users at a given time, and a throughput of 10 GB/day

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-05-2014 12:07 AM

Yeah, that looks better. I'm not 100% certain if 16/8 memory distribution is better than 12/12, but changing that is not going to have an enormous impact. More is always better of course, but you should be fine for a pedestrian 10GB/day...

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-05-2014 12:07 AM

Yeah, that looks better. I'm not 100% certain if 16/8 memory distribution is better than 12/12, but changing that is not going to have an enormous impact. More is always better of course, but you should be fine for a pedestrian 10GB/day...

Reply
Solved! Jump to solution

aelliott
Motivator
‎03-19-2014 12:44 PM

finally have the power to convert to answer 🙂 Thanks for your help martin.

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎03-04-2014 04:09 PM

Bear in mind that indexing performance is about 30% slower on a virtual machine. Search performance is about equivalent to physical hardware.

Reply
Solved! Jump to solution

aelliott
Motivator
‎03-04-2014 01:58 PM

I have modified my post, does that look much better?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-04-2014 01:34 PM

I'd swap the cores around, giving the search head more oomph.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...