Splunk IT Service Intelligence

Splunk ITSI Requirement

ramprakash
Explorer

Hello Splunkers.. I need urgent assistance in setting up Splunk ITSI. Our current Infrastructure is a distributed one running on Splunk version 6.0.1.

Present Infrastructure where Splunk 6.0.1 is present:-

Two indexers - RAM 16 GB, CPU 12 CORES

Two search heads(SHP) - RAM 16 GB, CPU 12 CORES

One Cluster master - RAM 16 GB, CPU 12 CORES

We want to install Splunk ITSI and for that we have ordered completely new VM which will behave as a dedicated Search head for ITSI. Can someone please clarify my doubts:-

1) For 100-200 KPIs the VM I ordered has specs RAM 32 GB, CPU 16 CORES, Disc 500 GB
Also i will upgrade present Indexers specs to RAM 32 GB, CPU 16 CORES.
2) Version upgrade. Can we run Splunk ITSI search head on version 7.1.x and what minimum version we need to upgrade for present Indexer, Search heads and CM.
3) We dontt want to load Search heads so thats why we have ordered new VM as dedicated search head. Is it good approach ?

Thanks,
Ramprakash

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

1) Those are good starting specs for the search head. You may need more cores and memory as you add KPIs.
Recommended practice is to have more cores at the indexer level than at the SH level. Your proposed architecture will have 32 indexer cores and 40 SH cores. Consider adding a third indexer.
2) Yes, you most definitely should upgrade Splunk. ITSI requires Splunk 7.1 or later. I suggest upgrading everything to 7.2.6.
3) A SH dedicated to ITSI is not required, but is a good idea.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

1) Those are good starting specs for the search head. You may need more cores and memory as you add KPIs.
Recommended practice is to have more cores at the indexer level than at the SH level. Your proposed architecture will have 32 indexer cores and 40 SH cores. Consider adding a third indexer.
2) Yes, you most definitely should upgrade Splunk. ITSI requires Splunk 7.1 or later. I suggest upgrading everything to 7.2.6.
3) A SH dedicated to ITSI is not required, but is a good idea.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

ramprakash
Explorer

Thanks for the assistance.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!