
Sizing a Splunk installation - and a license question too.

Branden
Builder

We're considering moving our Splunk environment from AIX to a Linux x86 box for performance reasons. My particular department uses a tiny 500 MB license (carved out of a larger license).

We do not plan to move the index to Linux as that is not easy to do, or so I am told (otherwise we'd love to do that). So it was suggested that I use the new Linux box as the indexer, and I can access the older data on the AIX box.

I have two questions:

1) All new data will be going to the new Linux box. Do I still need to have a paid license on the old indexer? It won't be indexing new info, just providing old info as needed. If I need a license on both boxes, can licenses be carved out in increments smaller than 500 MB?

2) Given our relatively small load (up to 500 MB a day, but could double in the next year), what is a reasonable configuration for a Linux server? The docs have sizing suggestions for large environments, but I don't see much in the way of small environments. I was thinking two CPUs and 4 GBs...

Thanks!


southeringtonp
Motivator

You shouldn't need a paid license on the old indexer, as long as you won't be indexing data there going forward. The Forwarder license should work fine.

If you do want to still index some data on the forwarder, you'll need to carve up the license - you'd need to contact Splunk support (or wait for 4.2, which is rumored to handle distribution of a single license across multiple machines).

You may wish to configure distributed search between the two boxes to allow searching of all data from one console. You can even disable SplunkWeb on the AIX server if you go that route.

As you say, 500 MB is a very light load for Splunk. Two CPUs and 4 GB RAM should be adequate, though the RAM might be a little low. Given the cost of RAM these days I'd go for at least 8 GB. RAID10 for disk is always a good move if you can swing it.


southeringtonp
Motivator

You'd need an Enterprise license on the AIX box, but the free Forwarder license should count -- it's basically an Enterprise license with a minuscule indexing cap.


Branden
Builder

Appreciate the feedback!
If I configure distributed search, I should not need a license on the AIX box, right?
Thanks again!
