- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Using RDM vs VMFS for Virtual Machines
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Our shop virtualizes everything, including our splunk deployment. We are now looking at re-architecting our solution because of performance problems due to some design flaws we made the first time around. We will continue to virtualize, but are debating about whether to continue to use vmfs volumes, or switch to RDMs. I found a comments on the splunk site supporting the use of RDM, but VMWARE docs indicate that the performance of these two file systems are nearly equal. Does anyone know if the reccommendations for RDM is out of date? Has anyone recently tested the performance differences between these two?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RDM can make a very positive difference for Splunk performance, especially IF
- The underlying physical volume is on the physical server (ie, a local disk, not SAN or NFS)
- the volume is RAID 1+0 not RAID 5
These things won't make a difference for most VMs, hence VMWare's generic recommendation. But anything you can do to improve IO speed will make corresponding improvements in Splunk performance.
Use a tool like iometer or bonnie++ to check your IO per second. Splunk recommends 800 IOPS for good indexer performance.
Sorry that I don't have hard numbers for you regarding performance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, Iguinn's comment is correct.
There is a Splunk doc about RDM
http://docs.splunk.com/index.php?title=Community:SplunkOnVirtualMachines
-- Copied from SplunkOnVirtualMachines
Raw Device Mapping (RDM) is a technique by which a raw Logical Unit Number (LUN), local or remote, can be aliased to a VMDK file on a VMFS partition. The net effect is direct access to the LUN being aliased. Think of this as literally creating a symlink on a VMFS filesystem that points to raw storage.
RDM can deliver sequential read and write benefits that include slightly greater IOps, lower overhead, and also benefits when working with block sizes smaller than 32kb.
For indexing volumes < 25 GB per day, indexing to VMDK should function well For indexing volumes > 25 GB per day, RDM should be used.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RDM can make a very positive difference for Splunk performance, especially IF
- The underlying physical volume is on the physical server (ie, a local disk, not SAN or NFS)
- the volume is RAID 1+0 not RAID 5
These things won't make a difference for most VMs, hence VMWare's generic recommendation. But anything you can do to improve IO speed will make corresponding improvements in Splunk performance.
Use a tool like iometer or bonnie++ to check your IO per second. Splunk recommends 800 IOPS for good indexer performance.
Sorry that I don't have hard numbers for you regarding performance.
Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...
Enterprise Security Content Update (ESCU) | New Releases
Index This | Divide 100 by half. What do you get?
