Splunk Dev

How many indexer needed for my setup

lmjoin
Explorer

Hello ,

I have one setup one indexer and one splunk search head.
Indexer has 64 RAM and 16 CPU core and SH as 128 CPU and 32 core.
Indexing per day 25 to 30 GB only. On investigation found all queues for fill ration are full .
What should i do.

Thanks
Lalitalt text

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @lmjoin,
RAM and CPUs are OK for your needs, probably the problem is related to the usual bottleneck in Splunk: storage.
As you can read Splunk refence hardware requires at least 800 IOPS (see at https://docs.splunk.com/Documentation/Splunk/8.0.0/Capacity/Referencehardware#Disk_subsystem ), you can measure IOPS using a tool like Bonnie++ ( sourceforge.net/projects/bonnie/ ).

Then you could check the load of your indexer using the monitoring console that can give you useful information.

Ciao.
Giuseppe

0 Karma

HiroshiSatoh
Champion

The processing capacity of the indexer is 300GB / Day.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Capacity/Summaryofperformancerecommendations

Assuming that there is no problem with the performance of the hard disk,
The cause of queue clogging may take a long time to process one index.

server.conf
parallelIngestionPipelines = 2

The workaround is to do multiple processes. However, PS is required for more than 3 multiplexes.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Pipelinesets

※Run a health check to check for problems.

0 Karma

skalliger
Motivator

An indexer should be able to process way more data before any queues fill up. Take a look into the MC > Indexing > Data Quality dashboard. Do you see timestamping, line breaking or any other issues? You might want to look for any errors and warnings regarding getting your data in and go from there fixing the issues.

Also check whether your server got enough IOPS. Maybe do a test with bonnie++ to see whether you're meeting the 800+ minimum requirements.

Skalli

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...