I've been using Splunk for less than a year and I'm looking for real-world insight on how to size and grow a Splunk deployment. I've read the Splunk Capacity Planning manual and the admin guides but would like to hear from people who have done it.
My department has a Splunk Enterprise server on a small isolated LAN consisting of about 40 Windows clients with the Universal Forwarder. The server indexes about 4 GB a day. We get about 10 daily reports from it each morning. Other than that, I log on to it a few times a week and run a few searches. So it's lightly used in terms of search. It works fine.
We have another isolated LAN of about 400 clients, 200 Windows and 200 Linux, where we are going to deploy Splunk. We plan to purchase one server for it with:
10 cores each
32 GB of RAM
disks capable of meeting the 800 IOPS requirement.
I'm estimating the server will index about 20-40 GB a day. We will have about 10 daily reports emailed to us. Other than that, it will be lightly used for search by a few people.
If we do buy one server and find it's not sufficient, how do you recommend we add another server properly to handle the load? Do we cluster them or have separate servers, one for Windows and one for Linux? Actually, the Linux clients will send to a syslog server. Then the syslog server will send to Splunk. Still looking into how that works.
Again, I'd appreciate any recommendations.
Thanks in advance,
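The forwarding path the post describes (Windows clients on the Universal Forwarder, Linux hosts via a syslog relay, data landing on one or more indexers), written out as an added illustration that is not part of the original post: a forwarder-side outputs.conf that spreads the Windows clients across two indexers, the indexer-side inputs.conf that receives both forwarder traffic and the relayed syslog, and an indexes.conf stanza with retention limits. The hostnames, the syslog port, the index name, and the retention figures are assumptions made for the example; 9997 is Splunk's conventional forwarder receiving port.

```ini
# --- outputs.conf on each Windows Universal Forwarder ---
# Added example, not from the post. Indexer hostnames are assumptions.
[tcpout]
defaultGroup = lan2_indexers
# Forwarder waits for the indexer to acknowledge data before discarding it locally.
useACK = true

[tcpout:lan2_indexers]
server = idx1.example.local:9997, idx2.example.local:9997
# Switch target indexer every 30 s so each gets roughly half the stream.
autoLBFrequency = 30

# --- inputs.conf on each indexer ---
# Receive Universal Forwarder traffic.
[splunktcp://9997]
disabled = 0

# Receive syslog from the relay the Linux hosts send to (port is an assumption).
# TCP rather than UDP so the relay can retry if an indexer is briefly unavailable.
[tcp://1514]
sourcetype = syslog
connection_host = dns
index = linux_syslog

# --- indexes.conf on each indexer ---
# Index name, 90-day retention and 500 GB cap are assumptions for illustration.
[linux_syslog]
homePath = $SPLUNK_DB/linux_syslog/db
coldPath = $SPLUNK_DB/linux_syslog/colddb
thawedPath = $SPLUNK_DB/linux_syslog/thaweddb
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 512000
```

The three fragments live in different places: outputs.conf on every forwarder (normally pushed from a deployment server rather than edited on 400 hosts), inputs.conf and indexes.conf on each indexer. Adding a second indexer later then only means appending a second host to the `server` list and pushing the updated outputs.conf, while the indexer-side stanzas stay the same on both machines.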