Splunk IT Service Intelligence
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk ITSI Requirement

ramprakash
Explorer
‎07-04-2019 10:28 AM

Hello Splunkers.. I need urgent assistance in setting up Splunk ITSI. Our current Infrastructure is a distributed one running on Splunk version 6.0.1.

Present Infrastructure where Splunk 6.0.1 is present:-

Two indexers - RAM 16 GB, CPU 12 CORES

Two search heads(SHP) - RAM 16 GB, CPU 12 CORES

One Cluster master - RAM 16 GB, CPU 12 CORES

We want to install Splunk ITSI and for that we have ordered completely new VM which will behave as a dedicated Search head for ITSI. Can someone please clarify my doubts:-

1) For 100-200 KPIs the VM I ordered has specs RAM 32 GB, CPU 16 CORES, Disc 500 GB
Also i will upgrade present Indexers specs to RAM 32 GB, CPU 16 CORES.
2) Version upgrade. Can we run Splunk ITSI search head on version 7.1.x and what minimum version we need to upgrade for present Indexer, Search heads and CM.
3) We dontt want to load Search heads so thats why we have ordered new VM as dedicated search head. Is it good approach ?

Thanks,
Ramprakash

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-04-2019 12:14 PM

1) Those are good starting specs for the search head. You may need more cores and memory as you add KPIs.
Recommended practice is to have more cores at the indexer level than at the SH level. Your proposed architecture will have 32 indexer cores and 40 SH cores. Consider adding a third indexer.
2) Yes, you most definitely should upgrade Splunk. ITSI requires Splunk 7.1 or later. I suggest upgrading everything to 7.2.6.
3) A SH dedicated to ITSI is not required, but is a good idea.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-04-2019 12:14 PM

1) Those are good starting specs for the search head. You may need more cores and memory as you add KPIs.
Recommended practice is to have more cores at the indexer level than at the SH level. Your proposed architecture will have 32 indexer cores and 40 SH cores. Consider adding a third indexer.
2) Yes, you most definitely should upgrade Splunk. ITSI requires Splunk 7.1 or later. I suggest upgrading everything to 7.2.6.
3) A SH dedicated to ITSI is not required, but is a good idea.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ramprakash
Explorer
‎07-04-2019 01:00 PM

Thanks for the assistance.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...