Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk cluster

498773
Explorer
‎08-21-2013 03:26 AM

Please suggest the best practise for splunk deployment

Considerations:

  • Index data of size 2GB daily
  • Data comes from 20 different hosts
  • Report generation on data

Proposed Solution:

  • Search Factor=2, Replication Factor=2

  • 20 forwarders to pull data from hosts

  • One master node, Two Peer Nodes(for Indexing) , One Search head

  • Data on each node would be 1GB (considering RF and SF)

My question is does this set up looks good or can i avoid search head as there are only two indexers, please suggest some best practices . Do i really need to go for cluster set up if not what can be done ?????

looking forward for your ideas, Thanks in advance

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-21-2013 03:59 AM

No, you don't need to have a cluster. It's a design decision which will give you added fault tolerance. Given the rather small amount of data you're indexing, a single server will most likely satisfy your capacity needs (depending on the amount of searches you will actually be making - scheduled or manual).

NB: with a cluster like you specified, the storage on each node will be 2GB daily, not 1GB, since you duplicate all your data (SF=2, RF=2). Thus it's 4GB spread over 2 indexers.

/K

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-21-2013 03:59 AM

No, you don't need to have a cluster. It's a design decision which will give you added fault tolerance. Given the rather small amount of data you're indexing, a single server will most likely satisfy your capacity needs (depending on the amount of searches you will actually be making - scheduled or manual).

NB: with a cluster like you specified, the storage on each node will be 2GB daily, not 1GB, since you duplicate all your data (SF=2, RF=2). Thus it's 4GB spread over 2 indexers.

/K

Reply
Solved! Jump to solution

498773
Explorer
‎08-21-2013 05:01 AM

Thanks kristian

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...