Splunk Enterprise

Capacity planning best practices for Splunk Enterprise?

adukes_splunk
Splunk Employee
Splunk Employee

I'm looking for resources to help plan my deployment. Does anyone have capacity planning best practices for Splunk Enterprise?

0 Karma
1 Solution

adukes_splunk
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Take a load off!

Capacity planning with Splunk isn't so straightforward. Got slow indexing? Add indexers. Got slow searching? Add indexers! I bet you weren't expecting that answer.

How capacity planning helps you scale your deployment

Best practices for capacity planning are to size the environment to the near-max, not the average load (unless you want to be wrong half the time). The Monitoring Console, available to admin users, contains a set of dashboards to provide insight into your deployment’s indexing and search performance, licensing, and OS resource usage. Let’s focus on the resource usage dashboards since this relates directly to pure system load and can be useful for capacity planning.
For information about the Monitoring Console in Splunk Cloud, see monitor Splunk Cloud deployment health in the Splunk Cloud User Manual.

Things to know

Capacity planning is not easy so don’t hesitate to contact Splunk for guidance on complex deployments.The Splunk Enterprise Capacity Planning Manual contains a lot of detail about hardware capacity planning and how to scale your Splunk Enterprise deployment, so while it’s important to understand how to apply these strategies, also read about the Monitoring Console and familiarize yourself with this monitoring tool to view topology and performance information.

Review and consider the following items as you plan your deployment:

The Splunk First 90 Days Program does not offer guidance on deployment technologies or deployment sizing because there are too many options to consider. For more information about architecture design, review the sample topologies in the Splunk Validated Architectures white paper to find repeatable topologies you can align with.

Things to do

  • Find highs and lows. Use the resource usage dashboards on the Monitoring Console to identify the times during the day your data load is at it's highest and lowest. Use those numbers to determine the total capacity for your deployment.
  • Lighten the data load. What's the total and average indexing performance? Consult the resource usage dashboards to look for indexing pipelines bottlenecks.

View solution in original post

0 Karma

adukes_splunk
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Take a load off!

Capacity planning with Splunk isn't so straightforward. Got slow indexing? Add indexers. Got slow searching? Add indexers! I bet you weren't expecting that answer.

How capacity planning helps you scale your deployment

Best practices for capacity planning are to size the environment to the near-max, not the average load (unless you want to be wrong half the time). The Monitoring Console, available to admin users, contains a set of dashboards to provide insight into your deployment’s indexing and search performance, licensing, and OS resource usage. Let’s focus on the resource usage dashboards since this relates directly to pure system load and can be useful for capacity planning.
For information about the Monitoring Console in Splunk Cloud, see monitor Splunk Cloud deployment health in the Splunk Cloud User Manual.

Things to know

Capacity planning is not easy so don’t hesitate to contact Splunk for guidance on complex deployments.The Splunk Enterprise Capacity Planning Manual contains a lot of detail about hardware capacity planning and how to scale your Splunk Enterprise deployment, so while it’s important to understand how to apply these strategies, also read about the Monitoring Console and familiarize yourself with this monitoring tool to view topology and performance information.

Review and consider the following items as you plan your deployment:

The Splunk First 90 Days Program does not offer guidance on deployment technologies or deployment sizing because there are too many options to consider. For more information about architecture design, review the sample topologies in the Splunk Validated Architectures white paper to find repeatable topologies you can align with.

Things to do

  • Find highs and lows. Use the resource usage dashboards on the Monitoring Console to identify the times during the day your data load is at it's highest and lowest. Use those numbers to determine the total capacity for your deployment.
  • Lighten the data load. What's the total and average indexing performance? Consult the resource usage dashboards to look for indexing pipelines bottlenecks.
0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...