Getting Data In

What are recommended specs for a virtual host for our multisite sandbox environment?

avisram
Path Finder

Hi there,

I've been tasked with building a Splunk Enterprise 6.3 multisite virtual environment sandbox. The environment is to consist of the following Splunk instances:

  • 5 search heads in a search head cluster
  • 7 indexers (3 sites x 2 indexers + 1 cluster master)
  • 1 combined deployment server, license master, deployer
  • 2 forwarders installed on Linux images

In addition to the above instances, the virtual host should also be able to accommodate a separate distributed search environment consisting of:

  • 1 search head (also acting as deployment server and license master)
  • 2 indexers
  • 2 forwarders installed on Linux images

So in all, a total of 20 virtual instances will be hosted. As this is a sandbox environment, the volume of data being forwarded/indexed will be minimal - definitely less than 10GB/day if that. We will be using VirtualBox for the images with CentOS 7 - minimal as the operating system on the images.

Given the above criteria, I need to procure the machine that will host all of these images. Specifically I need to know:

  1. Recommended processor.
  2. Number of CPUs/cores required
  3. Minimum clock-speed
  4. RAM
  5. Number of hard drives required
  6. Individual hard drive capacity
  7. Individual hard drive specs
  8. Hard drive RAID configuration

I would also need to know the specifications that the individual CentOS 7 virtual images (for the different types of instances) would require such as:

  1. Allocated RAM
  2. Allocated disk space
  3. Allocated CPU

If I have missed any critical specification then please feel free to add/comment on that also.

Thanks for your assistance.

Amyn

0 Karma

pgreer_splunk
Splunk Employee
Splunk Employee

Here's a starting point:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Capacity/Referencehardware

Virtual Hardware section, also a link to a PDF in that section:

http://www.splunk.com/web_assets/pdfs/secure/Splunk_and_VMware_VMs_Tech_Brief.pdf

What I suggest is jotting down the specs you'd like to have based on the recommendations in the documentation listed above for each VM. then with that, tally it all together (total virtual RAM => RAM, total disk, total vCPUs => CPUs) all then tallied to determine what size box(es) you would need to accommodate that type of workload. Not really a tool out there to do that, as architecting something like this is a bit of a skill, art and SWAG.

avisram
Path Finder

Thanks pgreer. In looking at the documents referenced the specs are based on production hardware/virtualization. What factor would you use to scale it back for a sandbox environment?

0 Karma

sdvorak_splunk
Splunk Employee
Splunk Employee

Avisram, the Tech Brief recommended above is definitely for a production environment. It is probably ideal to have a physical host with at least 20 cores and 256GB RAM for this environment. It's impossible to make a recommendation for storage based on the information provided. Would need to factor how long you plan to retain data in this environment, and work backwards from that (this site might help you: http://splunk-sizing.appspot.com/ ).
If you plan to do multiple physical hosts for this environment, you can probably do smaller core count boxes. If you are building this to perform well, I would need further information to size this.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...