Hello,
We're looking at expanding our Splunk capabilities, and I'd like some additional input on the question of doing a high core single search head vs a search head cluster.
Our environment experiences a lower number of concurrent users (between 5 and 15), however, we can hit very large number of concurrent searches ( > 30). We were either going to go with a Search Head Cluster or a very large VM. Disregarding the HA factor (since we'd be able to handle this issue regardless of a SH cluster or single instance, though I know the cluster is the Splunk SH "HA").
Would a SH Cluster of 3 devices with 16 cores at 16 GB of RAM a piece have any significant advantages over a 48 core, 48 GB RAM device in terms of performance? Our current view of the SH Cluster vs Single Search Head is management of Apps and Settings is much easier done on a single device (as the SH deployer in 6.3 we're currently using seems to be quirky about items such as scripted inputs), so essentially I'm trying to gather information on whether any performance benefits may outweigh the current management concerns.
A standalone server with enough resources to meet your concurrent search needs will be faster than a cluster in all cases without exception
Exception: 🙂 VMs have many, many variables that can degrade performance. In my experience VM SHs are terribly slow in comparison to physical servers. YMMV. (ESXi running on recent Xeons and fairly substantial SAN infrastructure. I believe IO was the bottleneck.)
SHC also adds a lot of complexity and incompatibilities to your environment. If you feel that moving to an SHC someday is inevitable, maybe now's a good time. If not, avoid that extra complexity.
My 2 cents.
The benefits of SHC are providing Scaling (with low number of users seems insignificant here) and High Availability (which you said you already got handled). The drawback of SHC are reduced quota (workaround available) and more load on each SH due to additional processing(replication within cluster, cluster heartbeats etc). Considering your requirements, my bet will be on larger single VM.
A standalone server with enough resources to meet your concurrent search needs will be faster than a cluster in all cases without exception
Exception: 🙂 VMs have many, many variables that can degrade performance. In my experience VM SHs are terribly slow in comparison to physical servers. YMMV. (ESXi running on recent Xeons and fairly substantial SAN infrastructure. I believe IO was the bottleneck.)
SHC also adds a lot of complexity and incompatibilities to your environment. If you feel that moving to an SHC someday is inevitable, maybe now's a good time. If not, avoid that extra complexity.
My 2 cents.