Monitoring Splunk

Using RDM vs VMFS for Virtual Machines

richnavis
Contributor

Our shop virtualizes everything, including our splunk deployment. We are now looking at re-architecting our solution because of performance problems due to some design flaws we made the first time around. We will continue to virtualize, but are debating about whether to continue to use vmfs volumes, or switch to RDMs. I found a comments on the splunk site supporting the use of RDM, but VMWARE docs indicate that the performance of these two file systems are nearly equal. Does anyone know if the reccommendations for RDM is out of date? Has anyone recently tested the performance differences between these two?

1 Solution

lguinn2
Legend

RDM can make a very positive difference for Splunk performance, especially IF

  • The underlying physical volume is on the physical server (ie, a local disk, not SAN or NFS)
  • the volume is RAID 1+0 not RAID 5

These things won't make a difference for most VMs, hence VMWare's generic recommendation. But anything you can do to improve IO speed will make corresponding improvements in Splunk performance.

Use a tool like iometer or bonnie++ to check your IO per second. Splunk recommends 800 IOPS for good indexer performance.

Sorry that I don't have hard numbers for you regarding performance.

View solution in original post

melonman
Motivator

Yes, Iguinn's comment is correct.

There is a Splunk doc about RDM

http://docs.splunk.com/index.php?title=Community:SplunkOnVirtualMachines

-- Copied from SplunkOnVirtualMachines
Raw Device Mapping (RDM) is a technique by which a raw Logical Unit Number (LUN), local or remote, can be aliased to a VMDK file on a VMFS partition. The net effect is direct access to the LUN being aliased. Think of this as literally creating a symlink on a VMFS filesystem that points to raw storage.
RDM can deliver sequential read and write benefits that include slightly greater IOps, lower overhead, and also benefits when working with block sizes smaller than 32kb.
For indexing volumes < 25 GB per day, indexing to VMDK should function well For indexing volumes > 25 GB per day, RDM should be used.

lguinn2
Legend

RDM can make a very positive difference for Splunk performance, especially IF

  • The underlying physical volume is on the physical server (ie, a local disk, not SAN or NFS)
  • the volume is RAID 1+0 not RAID 5

These things won't make a difference for most VMs, hence VMWare's generic recommendation. But anything you can do to improve IO speed will make corresponding improvements in Splunk performance.

Use a tool like iometer or bonnie++ to check your IO per second. Splunk recommends 800 IOPS for good indexer performance.

Sorry that I don't have hard numbers for you regarding performance.

Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...