I assume that you really mean that you have:

• SSD: Splunk home directory, including etc and var; hot and warm for defaultdb
• Spinning disk: cold for defaultdb; all other indexes

It would be helpful to know where your OS and OS page file are located. I assume the OS is probably on the SSD, but do not know about the page file.

It would also help to know the complete index configuration specifically of defaultdb and what, e.g., the number of buckets and bucket sizes are.

SSD realistically won't provide significant performance gains at runtime for the OS and Splunk executables, since those will in all likelihood be served from RAM.

For write-intensive applications, most SSDs are slower than conventional hard disks. Splunk's var directory and the hot/warm volume is very write-intensive, with a mix of sequential and random writes. I also suspect that under Windows 2003, it would be a bad idea to have the page file on SSD.

Try to check this link out if you haven't yet. I haven't tried testing a splunk instance on Windows yet (all Linux)... but hopefully this will push you to some answers.

http://www.splunk.com/base/Documentation/latest/Installation/CapacityplanningforalargerSplunkdeploym...

I guess it all comes down to how much your daily indexing quota might be. Also not sure if you are running this one instance to serve both as a web server and an indexer.

That might be an issue with you current specs. While you meet the minimals, bigger is always better depending on the amount of data you index and the amount of searching you will need to be doing.

Let me know if this answers your question.

Brian