Splunk Search

Installing SPLUNK in SAN

eantonio
Path Finder

We use NetApp in our environment. Do you recommend creating two separate volumes for SPLUNK installation? First volume (with 1 LUN) to hold the C: drive and D: drive, second volume (with 1 LUN > RDM) to hold the Splunk data?

1 Solution

dwaddle
SplunkTrust

The Splunk reference architecture is a good place to start -- http://docs.splunk.com/Documentation/Splunk/latest/Installation/CapacityPlanningforaLargerSplunkDepl.... Except, there's no real mention of SAN storage there. Remember, Splunk is very highly I/O intensive - like an enterprise OLTP database. Splunk recommends RAID-10 for storage because of the higher IOPS available there, compared to RAID4/5/6. The typical Splunk indexer "building block" does not use SAN storage, but rather has a number of fast local disks in RAID10. If one indexer "block" cannot meet your performance, add more -- each with its own local storage. ( http://blogs.splunk.com/2009/10/27/add-a-server-or-two/ ) In everything but the largest deployments, this is far more cost effective than using SAN storage with Splunk.

But if you already have the NetApp storage on the floor, then there is no reason NOT to use it -- that is, as long as it has the available IOPS capacity to meet the needs of your indexing workload. (And, you'll need to make sure that providing that IOPS capacity does not negatively impact other systems using the shared storage.)

In terms of simple partition/filesystem layout - what you're discussing makes reasonable sense. We give Splunk two filesystems - one for the product (code) and the other for the indexes.
