Splunk ITSI

Splunk ITSI Requirement

ramprakash
Explorer

Hello Splunkers. I need urgent assistance in setting up Splunk ITSI. Our current infrastructure is a distributed one running on Splunk version 6.0.1.

Present Infrastructure where Splunk 6.0.1 is present:-

Two indexers - RAM 16 GB, CPU 12 CORES

Two search heads(SHP) - RAM 16 GB, CPU 12 CORES

One Cluster master - RAM 16 GB, CPU 12 CORES

We want to install Splunk ITSI, and for that we have ordered a completely new VM which will behave as a dedicated search head for ITSI. Can someone please clarify my doubts:

1) For 100-200 KPIs the VM I ordered has specs RAM 32 GB, CPU 16 CORES, Disk 500 GB.
Also, I will upgrade the present indexers' specs to RAM 32 GB, CPU 16 CORES.
2) Version upgrade. Can we run the Splunk ITSI search head on version 7.1.x, and what minimum version do we need to upgrade to for the present indexers, search heads and CM?
3) We don't want to load the search heads, so that's why we have ordered a new VM as a dedicated search head. Is it a good approach?

Thanks,
Ramprakash

0 Karma
1 Solution

richgalloway
SplunkTrust

1) Those are good starting specs for the search head. You may need more cores and memory as you add KPIs.
Recommended practice is to have more cores at the indexer level than at the SH level. Your proposed architecture will have 32 indexer cores and 40 SH cores. Consider adding a third indexer.
2) Yes, you most definitely should upgrade Splunk. ITSI requires Splunk 7.1 or later. I suggest upgrading everything to 7.2.6.
3) A SH dedicated to ITSI is not required, but is a good idea.

---
If this reply helps you, Karma would be appreciated.

ramprakash
Explorer

Thanks for the assistance.

0 Karma