Hi guys (and girls),
we're planning to set up a Splunk Enterprise Security (ES) installation.
This will not be a productive environment. More like a showcase. We are planning to use an existing indexer cluster (which does not have 16 cores and 32 GB RAM) and just install the ES app on a new search head, which doesn't belong to our existing search head cluster.
The requirements say that both ES indexers and ES search heads require a total of 16 cores as well as 32 GB RAM.
Now my question: is it really required? Or is it also possible to set up a new search head with like 6 cores and 12 GB RAM? I highly doubt that my Splunk ES Cloud testing environment has 16 cores and 32 GB RAM.
It's not like there will be many people using that environment, it's just to get started with ES.
Because I don't think Splunk ES will actually check the system resources - what would you guys recommend for 2-3 active users doing some work on the search head?
Thanks for any help.
Skalli
I believe that ES actually does do some resource checking, and may complain. You can try to set up a smaller search head, and it may still work for a demo, although it wouldn't be a supported configuration. However, a lot of the magic of ES is created by the correlation searches running in the background. IIRC, there are at least 15 of them that need to be running pretty constantly.
Try to give the ES search head enough resources so that it can do a little more than just limp along. You might be able to switch some of the background searches from real-time to scheduled. You might also need to set schedule windows to prevent searches from being entirely skipped. Turn off any background searches that are not needed for your particular demo.
In the end, you might be able to demo features, but you could not demonstrate typical performance. So ES might not look like a very nice solution... that doesn't seem like a showcase to me. But that's just an opinion; you should experiment.
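The two tuning steps mentioned in the answer above (switching a background correlation search from real-time to scheduled, and giving it a schedule window so the scheduler delays it rather than skipping it) can be expressed in savedsearches.conf. The following is an added example for this thread, not a stanza shipped with Splunk ES or posted by anyone in the thread; the stanza names, index and sourcetype are placeholders, and the two versions of the first stanza are alternatives (only one would exist in the real file).

```ini
# Added example (not from the thread and not a Splunk-shipped ES configuration).
# Stanza names, index and sourcetype are placeholders.

# Version 1: real-time search. The search process stays running for as long
# as the search head is up and permanently holds a core plus its memory,
# which is what hurts on a small demo box.
[Example - Placeholder Correlation Search - Rule]
enableSched = 1
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
search = index=placeholder_index sourcetype=placeholder_sourcetype | stats count by src

# Version 2: the same search as a scheduled run every 5 minutes over the
# previous 5 minutes. schedule_window lets the scheduler start the run up to
# 5 minutes late instead of skipping it when the box is busy, and
# realtime_schedule = 0 makes missed runs execute later rather than being
# dropped (this key is about the scheduler, not about rt- time ranges).
[Example - Placeholder Correlation Search - Rule]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
schedule_window = 5
realtime_schedule = 0
search = index=placeholder_index sourcetype=placeholder_sourcetype | stats count by src

# A background search that the demo does not need is switched off outright
# rather than left competing for the same cores.
[Example - Unused Correlation Search - Rule]
disabled = 1
```

Put such overrides in a local/ directory rather than editing the app's default files, so they survive an app upgrade. Note that a search converted this way produces notables on a 5-minute delay, which is fine for a showcase but is exactly the "typical performance" the answer says you cannot demonstrate on undersized hardware.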
Thank you for your answer. It's not like I don't want the ES servers to get enough resources. It's more that with virtualisation these days, you need to argue for every vCPU and every GB of RAM you need in organisations.
I'd love to set up a new ESXi cluster on my own and host it there with more than enough cores and RAM, but that's not what I do here. Sometimes you need to work with what you've got.
I'll accept that as an answer because I just wanted some confirmation. Maybe I can argue better now to get all 16 cores and 32 GB RAM. Thanks again.