Splunk IT Service Intelligence

Splunk ITSI Requirement

ramprakash
Explorer

Hello Splunkers.. I need urgent assistance in setting up Splunk ITSI. Our current Infrastructure is a distributed one running on Splunk version 6.0.1.

Present Infrastructure where Splunk 6.0.1 is present:-

Two indexers - RAM 16 GB, CPU 12 CORES

Two search heads(SHP) - RAM 16 GB, CPU 12 CORES

One Cluster master - RAM 16 GB, CPU 12 CORES

We want to install Splunk ITSI and for that we have ordered completely new VM which will behave as a dedicated Search head for ITSI. Can someone please clarify my doubts:-

1) For 100-200 KPIs the VM I ordered has specs RAM 32 GB, CPU 16 CORES, Disc 500 GB
Also i will upgrade present Indexers specs to RAM 32 GB, CPU 16 CORES.
2) Version upgrade. Can we run Splunk ITSI search head on version 7.1.x and what minimum version we need to upgrade for present Indexer, Search heads and CM.
3) We dontt want to load Search heads so thats why we have ordered new VM as dedicated search head. Is it good approach ?

Thanks,
Ramprakash

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

1) Those are good starting specs for the search head. You may need more cores and memory as you add KPIs.
Recommended practice is to have more cores at the indexer level than at the SH level. Your proposed architecture will have 32 indexer cores and 40 SH cores. Consider adding a third indexer.
2) Yes, you most definitely should upgrade Splunk. ITSI requires Splunk 7.1 or later. I suggest upgrading everything to 7.2.6.
3) A SH dedicated to ITSI is not required, but is a good idea.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

1) Those are good starting specs for the search head. You may need more cores and memory as you add KPIs.
Recommended practice is to have more cores at the indexer level than at the SH level. Your proposed architecture will have 32 indexer cores and 40 SH cores. Consider adding a third indexer.
2) Yes, you most definitely should upgrade Splunk. ITSI requires Splunk 7.1 or later. I suggest upgrading everything to 7.2.6.
3) A SH dedicated to ITSI is not required, but is a good idea.

---
If this reply helps you, Karma would be appreciated.

ramprakash
Explorer

Thanks for the assistance.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...