Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk cluster

498773
Explorer
‎08-21-2013 03:26 AM

Please suggest the best practise for splunk deployment

Considerations:

  • Index data of size 2GB daily
  • Data comes from 20 different hosts
  • Report generation on data

Proposed Solution:

  • Search Factor=2, Replication Factor=2

  • 20 forwarders to pull data from hosts

  • One master node, Two Peer Nodes(for Indexing) , One Search head

  • Data on each node would be 1GB (considering RF and SF)

My question is does this set up looks good or can i avoid search head as there are only two indexers, please suggest some best practices . Do i really need to go for cluster set up if not what can be done ?????

looking forward for your ideas, Thanks in advance

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-21-2013 03:59 AM

No, you don't need to have a cluster. It's a design decision which will give you added fault tolerance. Given the rather small amount of data you're indexing, a single server will most likely satisfy your capacity needs (depending on the amount of searches you will actually be making - scheduled or manual).

NB: with a cluster like you specified, the storage on each node will be 2GB daily, not 1GB, since you duplicate all your data (SF=2, RF=2). Thus it's 4GB spread over 2 indexers.

/K

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-21-2013 03:59 AM

No, you don't need to have a cluster. It's a design decision which will give you added fault tolerance. Given the rather small amount of data you're indexing, a single server will most likely satisfy your capacity needs (depending on the amount of searches you will actually be making - scheduled or manual).

NB: with a cluster like you specified, the storage on each node will be 2GB daily, not 1GB, since you duplicate all your data (SF=2, RF=2). Thus it's 4GB spread over 2 indexers.

/K

Reply
Solved! Jump to solution

498773
Explorer
‎08-21-2013 05:01 AM

Thanks kristian

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...