Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How many indexer needed for my setup

lmjoin
Explorer
‎11-18-2019 04:57 AM

Hello ,

I have one setup one indexer and one splunk search head.
Indexer has 64 RAM and 16 CPU core and SH as 128 CPU and 32 core.
Indexing per day 25 to 30 GB only. On investigation found all queues for fill ration are full .
What should i do.

Thanks
Lalitalt text

Tags (1)
Preview file
105 KB
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-18-2019 05:36 AM

Hi @lmjoin,
RAM and CPUs are OK for your needs, probably the problem is related to the usual bottleneck in Splunk: storage.
As you can read Splunk refence hardware requires at least 800 IOPS (see at https://docs.splunk.com/Documentation/Splunk/8.0.0/Capacity/Referencehardware#Disk_subsystem ), you can measure IOPS using a tool like Bonnie++ ( sourceforge.net/projects/bonnie/ ).

Then you could check the load of your indexer using the monitoring console that can give you useful information.

Ciao.
Giuseppe

0 Karma
Reply

HiroshiSatoh
Champion
‎11-18-2019 05:29 AM

The processing capacity of the indexer is 300GB / Day.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Capacity/Summaryofperformancerecommendations

Assuming that there is no problem with the performance of the hard disk,
The cause of queue clogging may take a long time to process one index.

server.conf
parallelIngestionPipelines = 2

The workaround is to do multiple processes. However, PS is required for more than 3 multiplexes.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Pipelinesets

※Run a health check to check for problems.

0 Karma
Reply

skalliger
Motivator
‎11-18-2019 05:08 AM

An indexer should be able to process way more data before any queues fill up. Take a look into the MC > Indexing > Data Quality dashboard. Do you see timestamping, line breaking or any other issues? You might want to look for any errors and warnings regarding getting your data in and go from there fixing the issues.

Also check whether your server got enough IOPS. Maybe do a test with bonnie++ to see whether you're meeting the 800+ minimum requirements.

Skalli

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...