When should I scale my Splunk Enterprise deployment?

Question 1: Do you need to index more than 2GB of data per day?

Question 2: Do you need more than two users signed in at one time?

If you answer No to questions 1 and 2, then your Splunk platform instance can share a reference machine for distributed deployments with other Splunk platform services. If you answer Yes to question 1 or 2, then proceed to Question 3.

Note: When deploying Splunk Enterprise on Windows OS, do not utilize a host that provides Active Directory or Exchange services, or runs machine virtualization software. Those services are I/O intensive and can reduce Splunk Enterprise indexing and search performance.

Question 3: Do you need to index more than 300GB per day?

Question 4: Do you need more than four concurrent users?

If you answer No to questions 3 and 4, then a single dedicated Splunk Enterprise instance running on a reference machine can provide sufficient resources for the indexing and search workload. If you answer Yes to question 3 or 4, then scale your Splunk Enterprise deployment to multiple machines to handle the increased demand of indexing and searching.

Question 5: Do you need more than 600GB of total storage? See How Splunk Enterprise calculates disk storage.

If you answer No, then a single dedicated reference machine should be able to handle indexing and search workload, but you can consider adding additional storage to the machine to account for increased disk usage due to higher retention. If you answer Yes, then scale your Splunk Enterprise deployment to multiple machines to handle the increased demand of indexing and searching.

Question 6: Do you want to create or run a Splunk app, alert, or solution that executes more than 8 concurrent saved searches?

Question 7: Do you need to search large quantities of data for a small set (less than 1 per cent) of results?

If you need more indexing capacity than a single indexer can provide, add indexers into the deployment to account for the increased demand. As events increase in size, the indexer uses more system memory to process and index them. Larger events slow down indexing performance.

Linux, 487 MB Physical Memory, 1 CPU Cores

For 1M events, I had these performance results:

Additionally, I paste here the Splunk recommendations for troubleshooting with indexing actions.

According to the Splunk documentation, changes depending on the size and amount of incoming data.