I've got a couple of questions with regard to Enterprise Security, PCI and Search Head Clustering. We are initially going to be indexing 200GB/day, but this will definitely grow beyond that within the next 2 years or so:
Hey there J,
Just a note on #4. For your deployer, which doesn't do a whole lot resource-wise, there is no problem having two Splunk instances on one server, e.g. /opt/splunk-ES and /opt/splunk-non-ES. This may save you paying for two servers, but you will still have two separate deployer instances.
Thanks for your quick answer. It makes perfect sense, but I'd like to gather a second opinion on this topic too. Given that Search Head Clustering helps distribute the load across your Search Heads, is there still any real reason to keep ES on a dedicated Search Head (or Search Head Cluster)?
If we decided to go for 6 Search Heads, all of them part of the same SHC, all of them running ES, all of them used for any production-related task, shouldn't that be perfectly doable and result in a less complex, easier-to-maintain deployment?
My thinking process is very simple: increasing the number of SHs running ES will reduce the load ES generates per SH and therefore allow that extra capacity to be used for something else.
It is possible to run into problems with other apps installed on an ES Search Head that are not CIM compliant, that is, they may have different field mappings that are incorrect, and would cause ES to misbehave, or, on the flip side, you might have ES configs that cause problems for the other apps you are trying to use.
A lot of customers have non-CIM apps that they want to use, so they end up having an "ad-hoc" SH that they use for other apps. You are correct: the more SHs in the SHC, the more the load is spread (saved searches and ad-hoc).