"Do keep your Splunk directories on separate mount points from the OS." - Yes that is the idea. We haven't implemented this yet though.  Regarding search head - my idea is to keep read intensive operations (such as querying particular logs etc.) on SSDs, and allocate HDDs for offline report generation using Splunk pipeline/job features. I want to use SSDs for read intensive operations, and I want to use HDDs for read/write operations to reduce component failures.  Now for indexers, Splunk has clearly outlined the policy for hot/warm/cold buckets, however for search heads, I see hints. Do you see any reference implementation for different types of disks in same server for indexers and search heads?    ... View more

Thanks Rich Galloway. I am assuming the SSDs and HDDs can be put in the same server. Is there any link where this is is mentioned? Also I am looking for details of hot/warm/cold buckets, is this a good starting point: https://docs.splunk.com/Documentation/Splunk/9.0.3/Indexer/HowSplunkstoresindexes There is a section - "What the index directories look like" I don't think we need any such arrangement for search head, is my assumption correct?  ... View more