Getting Data In

What is the number of indexers allowed in a single site cluster?

venky1544
Contributor

Hello Splunkers

I have a query regarding number of indexers or indexer clusters that can reside in a single site clustering

suppose i have 400 indexers  is there a limit as such for the number of indexers in single site??

and another question is

how many indexers can i place in a indexer cluster can it be more than 3?

Labels (1)
0 Karma
1 Solution

gcusello
Legend

Hi @venky1544,

in one Indexers Cluster you can put all the Indexers you like.

Usually the number is chosen by the volume of logs to index and the number of users/scheduled searches, mainly:

  • one Indexer every 150-200 GB/day if you have only apps on Splunk Enterprise;
  • one indexer every 100-150 GB/day if you have ES or ITSI.

Then the reference hardware depends on the load (https://docs.splunk.com/Documentation/Splunk/8.2.6/Capacity/Referencehardware)

To have a cluster, at least you need two Indexers, and there's no max number, as I said, it depends on the volume od logs to daily index.

If you have a so great number of Indexers (and I suppose a great volume of logs), probably you need an intervene of a Splunk Ps or at least a Splunk Architect, to reach a correct architecture and to tune your infrastructure.

Ciao.

Giuseppe

View solution in original post

gcusello
Legend

Hi @venky1544,

in one Indexers Cluster you can put all the Indexers you like.

Usually the number is chosen by the volume of logs to index and the number of users/scheduled searches, mainly:

  • one Indexer every 150-200 GB/day if you have only apps on Splunk Enterprise;
  • one indexer every 100-150 GB/day if you have ES or ITSI.

Then the reference hardware depends on the load (https://docs.splunk.com/Documentation/Splunk/8.2.6/Capacity/Referencehardware)

To have a cluster, at least you need two Indexers, and there's no max number, as I said, it depends on the volume od logs to daily index.

If you have a so great number of Indexers (and I suppose a great volume of logs), probably you need an intervene of a Splunk Ps or at least a Splunk Architect, to reach a correct architecture and to tune your infrastructure.

Ciao.

Giuseppe

isoutamo
SplunkTrust
SplunkTrust

Hi

it's just like @gcusello said. A reasonable minimum is 2, even you can do a single node cluster to extend it later on. The max limits of nodes comes probably from bucket count in one cluster. There is some limits for amount of buckets in one cluster (tens of millions currently, if I recall right).

https://conf.splunk.com/files/2019/slides/FN1635.pdf?podcast=1577146226 told something about it. 

https://conf.splunk.com/files/2017/slides/howd-you-get-so-big-tips-tricks-for-growing-your-splunk-de... Another conf presentation which is talking somehow this questions.

r. Ismo

0 Karma

PickleRick
Ultra Champion

With a deployment that's likely to grow in the future, it might be indeed worth setting up a "one node cluster". While you can "upgrade" a standalone indexer to a cluster member, the buckets which were not indexed as clustered will not get replicated - they stay unclustered.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

I saw yesterday .conf22 on Splunk product showcases some numbers related to the, but didn't write don those. But basically with Splunk version 9.0.0 was something like this for clustered environment

  • 40M - Buckets in cluster
  • 1000 - indexers
  • 1000 - indexes

something else which I cannot recall now.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...