Monitoring Splunk

Sizing a Splunk installation - and a license question too.

Branden
Builder

We're considering moving our Splunk environment from AIX to a Linux x86 box for performance reasons. My particular department uses a tiny 500 MB license (carved out of a larger license).

We do not plan to move the index to Linux as that is not easy to do, or so I am told (otherwise we'd love to do that). So it was suggested that I use the new Linux box as the indexer, and I can access the older data on the AIX box.

I have two questions:

1) All new data will be going to the new Linux box. Do I still need to have a paid license on the old indexer? It won't be indexing new info, just providing old info as needed. If I need a license on both boxes, can licenses be carved out in increments smaller than 500 MB?

2) Given our relatively small load (up to 500 MB a day, but could double in the next year), what is a reasonable configuration for a Linux server? The docs have sizing suggestions for large environments, but I don't see much in the way of small environments. I was thinking two CPUs and 4 GBs...

Thanks!


southeringtonp
Motivator

You shouldn't need a paid license on the old indexer, as long as you won't be indexing data there going forward. The Forwarder license should work fine.

If you do want to still index some data on the forwarder, you'll need to carve up the license - you'd need to contact Splunk support (or wait for 4.2, which is rumored to handle distribution of a single license across multiple machines).

You may wish to configure distributed search between the two boxes to allow searching of all data from one console. You can even disable SplunkWeb on the AIX server if you go that route.

As you say, 500 MB is a very light load for Splunk. Two CPUs and 4 GB RAM should be adequate, though the RAM might be a little low. Given the cost of RAM these days I'd go for at least 8 GB. RAID10 for disk is always a good move if you can swing it.

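The distributed-search layout suggested in the answer above, written out as an added configuration example (not from the original thread or from Splunk documentation). Hostnames `linux-idx` and `aix-idx` are assumed; 8089 is Splunk's default management port, which the search head must be able to reach on the peer.

```ini
# --- On the new Linux box (search head + indexer for all new data) ---
# $SPLUNK_HOME/etc/system/local/distsearch.conf
# The AIX box is added as a search peer so one search from the Linux
# console also covers the old indexes that were never migrated.
# Peer trust is established once with
#   splunk add search-server https://aix-idx:8089 -auth admin:<pw> \
#       -remoteUsername admin -remotePassword <peer-pw>
# which copies the search head's public key into the peer's
# etc/auth/distServerKeys/; after that no password is stored on disk.
[distributedSearch]
servers = https://aix-idx:8089

# --- On the old AIX box (search peer, no new data, no UI needed) ---
# $SPLUNK_HOME/etc/system/local/web.conf
# Turning off SplunkWeb removes one listening service from a box that
# only answers searches from the Linux head; port 8089 is still required
# and should be reachable from linux-idx only (host firewall).
[settings]
startwebserver = 0
```

Restart both instances after editing; the peer shows up under Manager > Distributed search on the Linux head once the key exchange has succeeded.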

southeringtonp
Motivator

You'd need an Enterprise license on the AIX box, but the free Forwarder license should count -- it's basically an Enterprise license with a minuscule indexing cap.


Branden
Builder

Appreciate the feedback!
If I configure distributed search, I should not need a license on the AIX box, right?
Thanks again!
