Splunk Enterprise Security

Enterprise Security Indexer Sizing for High Capacity Deployment on high IOPS storage

scelikok
SplunkTrust

All the documentation says indexer planning for Enterprise Security should be done using 100 GB/day. According to this calculation, a large project needs a minimum of 50 indexers to index 5 TB/day, 100K EPS of log data. This also requires too many servers.

My question is what is the relation between disk IOPS and indexer capacity. We know more IOPS means more indexing power.

i.e. if we calculate linearly, does 100 GB/day for 800 IOPS --> 1 TB/day for 8000 IOPS make sense?

If we use a disk system with 40K IOPS, how can we estimate the indexer count with 30 concurrent searches?

Thank you,

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

ekost
Splunk Employee

Indexer scaling is about balancing sufficient CPU cores to handle search requests and data parsing, while maintaining plentiful IOPS to service I/O requests in a timely manner. I suggest reaching out to your Splunk Sales Engineer, and arrange for a chat with a PS Architect resource to help evaluate your requirements.

Current ES scale-testing notes focus on data volume per day, per datamodel, per indexer. So depending upon the data sources/use-cases, maintaining low datamodel latency on an indexer at a given data volume per day might require more IOPS, CPU cores, and some configuration tuning.

0 Karma

aalgur
New Member

I could not see the answers of the questions above.

0 Karma

ekost
Splunk Employee

I suggest reaching out to your Splunk Sales Engineer, and arrange for a chat with a PS Architect resource to help evaluate your requirements.

0 Karma