Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Enterprise Security Indexer Sizing for High Capacity Deployment on high IOPS storage

scelikok
SplunkTrust
SplunkTrust
‎12-28-2016 06:55 AM

On all documentations says, indexer planning should be done using 100 GB/day for Enterprise Security . According to these calculation, on a large project minimum 50 indexers needed to index 5TB/day , 100K EPS log data. This also requires too many servers.

My question is what is the relation between disk IOPS and indexer capacity. We know more IOPS means more indexing power.

i.e. if we calculate linearly 100 GB/day for 800 IOPS --> 1 TB/day for 8000 IOPS make sense?

If we use a disk system with 40K IOPS, how can we estimate the indexer count with 30 concurrent searches?

Thank you,

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

ekost
Splunk Employee
Splunk Employee
‎01-05-2017 12:33 PM

Indexer scaling is about balancing sufficient CPU cores to handle search requests and data parsing, while maintaining plentiful IOPS to service I/O requests in a timely manner. I suggest reaching out to your Splunk Sales Engineer, and arrange for a chat with a PS Architect resource to help evaluate your requirements.

Current ES scale-testing notes focus on data volume per day, per datamodel, per indexer. So depending upon the data sources/use-cases, maintaining low datamodel latency on an indexer at a given data volume per day might require more IOPS, CPU cores, and some configuration tuning.

0 Karma
Reply

aalgur
New Member
‎01-06-2017 05:09 AM

I could not see the answers of the questions above.

0 Karma
Reply

ekost
Splunk Employee
Splunk Employee
‎01-06-2017 09:59 AM

I suggest reaching out to your Splunk Sales Engineer, and arrange for a chat with a PS Architect resource to help evaluate your requirements.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...