We are deploying Enterprise Security for various clients on AWS, and are in the planning phase. I am attempting to create reference documentation that would contain the minimum instance type and number of instances per deployment, with a more granular breakdown in terms of capacity.
We also want to provide the following in all deployments:
- HA/DR (somewhat) - So the deployment would consist of a multi-site indexer cluster as well as a search head cluster
- Monitoring Console, Deployment Server where necessary, but reduce the need for extra instances, so group roles where possible (I chose License Manager + Deployer, and Cluster Master node + Deployment Server + Monitoring Console)
- Searching of up to around 8-16 users
- Use of SmartStore for indexer storage
- Use smallest possible instances where possible
- Mainly used for ES
- Hopefully utilize placement groups, Kubernetes and other cloud services in the future when supported by Splunk (I believe this is soon)
I am also aware that:
- Each deployment/client will be different even if they have the same ingestion rate
- Splunk recommendations have pretty big gaps, e.g. 2-300GB is 1 SH and 1 Indexer, whereas I am trying to break it down a bit more, like 25-50, 50-100, 100-300, 300-600, etc.
- Instance types and prices change... again, this is just for reference
Has anyone done something similar?