Relation of physical cores to vcores in a Splunk deployment

avoelk
Communicator

I was wondering what, i.e., the following means: 24 physical cores or 48 vcores. Does that mean for a virtual environment I need double the physical cores to be vcores (physical cores = vcores), or is there some kind of relation I can deduce the amount of physical cores for a virtual environment from?

Also, if a virtual environment would be preferred partially because it would save up the amount of hardware needed (physical racks), and if a virtual server then would need to host two servers with 24 vcores each as a recommendation, would that mean the physical server would need 48 physical cores to provide those vcores for both machines?

Thanks a lot for clearing this up. I didn't find clear information in the Splunk docs and in the community as of now.


gcusello
SplunkTrust

Hi @avoelk,

I try to understand your question:

Splunk reference hardware (https://docs.splunk.com/Documentation/Splunk/8.2.3/Capacity/Referencehardware) says that for a mid-tier Indexer you need 24 physical cores or 48 vcores, and in the Virtualized Infrastructures section of the same page (https://docs.splunk.com/Documentation/Splunk/8.2.3/Capacity/Referencehardware#Virtualized_Infrastruc...) you can find why, if you have a virtual infrastructure, you need more CPUs.

In a few words: if you have a physical infrastructure you have dedicated CPUs and usually more performant disks; if you have a virtual infrastructure, you need more resources.

You don't need to double the physical cores but, having a virtual infrastructure, the needed number of virtual CPUs is double the number of physical CPUs.

Ciao.

Giuseppe


avoelk
Communicator

hi @gcusello 

Yes, so that's what I don't understand. "the needed number of virtual CPUs is the double of the physical CPUs": what does that mean? The question is whether the indexer would need more underlying physical cores when virtualized and counting on the vcores, OR is it just a configuration thing, like in my virtualization manager I need to give the machine a virtual amount of more cores even though the underlying physical cores are the same amount. You know?

It states something about 15% more resource intensive. So is it the case that for a virtualized indexer to be just as performant as the on-prem 24-core indexer, I need to add 15% more physical cores to the machine to compensate for it?

 


gcusello
SplunkTrust

hi @avoelk,

No, the request of Splunk is to have a number of cores able to supply the needs of the Splunk system.

So when you define the hardware requirements for running a Splunk server, you have to assign a number of CPUs related to their type:

  • If you use a physical server, you have a number of physical CPUs dedicated to the Splunk server (e.g. 12);
  • If you use a virtual server, you need for the same role double the number of virtual CPUs (e.g. 24).

Ciao.

Giuseppe
