Getting Data In

What OS is your indexer running?

skoelpin
SplunkTrust

We're in the process of buying another indexing server and my company is set on installing Windows OS on this server. I'm strongly opposed to this as Linux is much easier to use and more reliable. What OS are your indexer(s) running on? Any arguments for using one or the other?

1 Solution

muebel
SplunkTrust

Hi skoelpin, this is largely a preference argument; there aren't any clear technical arguments other than that Splunk is built on *nix-type systems and has a *nix-type mindset, but it really shouldn't matter. One point for Windows is that, if you have a need to input remote WMI calls, it has to come from a Windows system. Also, some Windows-related apps require Windows. But you can always set up a VM-based heavy forwarder instance for that sort of thing.

I prefer Linux for the Splunk infrastructure.

woodcock
Esteemed Legend

PLEASE do yourself a favor and DO NOT use Windows for your Indexers. It is a HEAP of extra trouble that nobody needs to deal with. Use *NIX instead. Hardly anybody uses Windows for Indexers so it gets FAR less attention and much less "real-world" shakeout.

lycollicott
Motivator

Amen to that!

woodcock
Esteemed Legend

There are ALWAYS memory problems with Windows Indexers (just look at any older release and the number of Windows-only bugs with memory there are). These problems FREQUENTLY lead to crashing hard, sometimes the entire box. Your uptime will be SERIOUSLY compromised if you go with Windows.

woodcock
Esteemed Legend

Is anybody laughing at my "heap" joke?

lycollicott
Motivator

Yes, but we're not showy about it. LOL

lycollicott
Motivator

The only real drawback to Windows for us is %$!& file permissions that seem to have a mind of their own. If you run as Local System it is not so problematic, but I run it as a Managed Service Account (MSA), which should be fine (famous last words), but due to reasons beyond the comprehension of either myself or my Windows admin there are too many moments when BucketMover cannot move buckets due to permissions.

Linux would be chown, chmod and done.

skoelpin
SplunkTrust

I had a good laugh at your famous last words. The file permissions are my biggest argument. I think I have a good shot at getting this on a Linux environment and could use all the ammo I can get.

Richfez
SplunkTrust

Managed service accounts are fantastic. Sometimes.

We have had our difficulties with them as well...

lycollicott
Motivator

One of the really weird things is that we have inheritance turned on and Full Control is applied to "this folder, subfolders and files", but when new buckets get created their rawdata subfolder has "this folder only" and no one can read it, not even Splunk (I have a PowerShell input to calculate and track disk usage; it runs as the bloody MSA, but cannot read rawdata).

Also, if we create a new index and if one of us ever needs to look inside its db folder for any reason then we have to do the "yes/ok" to grant ourselves access to continue. Sounds harmless, right? Well, the next time a bucket is created it gets created with ONLY rights for the team member who did the "yes/ok" thing. That results in the BucketMover errors when it is time to roll it from warm to cold, so we have to go in and manually fix permissions on that bucket. The growling on those days sounds like a pack of wolves.

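The permission drift lycollicott describes (inheritance that stops at the bucket's rawdata folder, or an ACE scoped to one team member) only surfaces when BucketMover fails. The following PowerShell audit is an added example, not code from this thread or from Splunk: it walks one index's db directory and flags each bucket whose rawdata folder has inheritance disabled, grants the service identity no read access, or carries inherited ACEs limited to "this folder only". The index path and MSA name are placeholders you would replace.

```powershell
# Added example (not from the thread): audit bucket rawdata ACLs for one Splunk index on Windows.
# Placeholders: adjust the index db path and the service identity for your environment.
param(
    [string]$IndexDbPath     = 'D:\Splunk\var\lib\splunk\main\db',   # placeholder index db path
    [string]$ServiceIdentity = 'DOMAIN\splunk-msa$'                  # placeholder MSA (gMSA names end in $)
)

$readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
$findings = @()

foreach ($bucket in Get-ChildItem -Path $IndexDbPath -Directory) {
    $rawdata = Join-Path $bucket.FullName 'rawdata'
    if (-not (Test-Path $rawdata)) { continue }     # e.g. hot buckets still being written

    $acl = Get-Acl -Path $rawdata

    # Allow ACEs for the service identity that include at least read access.
    $hasRead = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceIdentity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readBit) -ne 0)
    })

    # Inherited ACEs with no inheritance flags apply to the folder only, so files inside
    # rawdata get nothing from them; this matches the "this folder only" symptom.
    $folderOnly = @($acl.Access | Where-Object {
        $_.IsInherited -and $_.InheritanceFlags -eq 'None'
    })

    # AreAccessRulesProtected is true when inheritance from the parent has been disabled.
    if ($acl.AreAccessRulesProtected -or $hasRead.Count -eq 0 -or $folderOnly.Count -gt 0) {
        $findings += [pscustomobject]@{
            Bucket             = $bucket.Name
            InheritanceBroken  = $acl.AreAccessRulesProtected
            ServiceHasRead     = ($hasRead.Count -gt 0)
            FolderOnlyAces     = $folderOnly.Count
            Owner              = $acl.Owner
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it as the same MSA the Splunk service uses, so that a bucket the script itself cannot read shows up as a finding rather than silently passing.
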
Richfez
SplunkTrust

There's an answer here (I love the alternate naming conventions used!), or at least my comment. For most use cases Windows is just fine. The only real exception I am aware of is Splunk Enterprise Security which will run just fine but somewhat slower on Windows due to Python issues. I believe there have been improvements in that, and I'd love some official feedback if someone at Splunk would care to comment ... ? 🙂

I think far more important is to use the OS that you have better support for, with a nod to *nix if they're reasonably equivalent or if you are doing Enterprise Security. You say "Linux is much easier to use and more reliable". Leaving aside the actual accuracy of that, if you are the only person there who is comfortable with Linux, then it's NOT easier and more reliable for the company, only for you. If you are out on vacation, who fixes the Splunk problems? Yeah, a lot of basic OS admin'ing is pretty easy to do, but a lot isn't - on either platform - and having no one else who understands the OS can be a very big problem.

So, I'd start with why your company is leaning toward Windows. If it's because they know and understand Windows and have a team of folks who can beat it into submission when it's misbehaving, then perhaps they've got a point.

Frankly, we were Splunk on Windows for years without any problems. It was fast, worked well, etc... We switched to Linux for two reasons during a hardware update/switch a year or two ago: A) We had plans on implementing Splunk Enterprise Security and B) we now have 3 or 4 people (out of 25ish) that are comfortable enough with Linux that they could do OS and Splunk maintenance type tasks in there when I wasn't around, if necessary.

skoelpin
SplunkTrust

Great points @rich7177

I would say there are A LOT more Windows guys than Linux guys at my company, even though we are primarily a Linux environment. We have 1 of our indexers on a Windows machine and I've had 2 major issues with it so far. The first issue is that the server has to be rebooted approx. every month for security patches and takes about 3-5 minutes to reboot. The second issue I have is upgrading Splunk on Windows. We had a bug in our Windows 2012 R2 OS which took 8 hours for Splunk to upgrade and led to massive outage time. The other thing I like about Linux is the file permissions. We are building this indexer for Enterprise Security, so I'm glad you told me about the performance issues now! Thanks for your input, I really appreciate it!

Richfez
SplunkTrust

So, if you are using the UF to get your data in from places that support a UF, they'll cache waiting for the indexer(s) to come back.

That goes double for using an outboard syslog-ng/rsyslog server with a UF on it to collect those logs you can't get a direct device-with-UF -> indexer connection from. The UF (and syslog itself) will cache/buffer it until the indexer is available.

If you do an indexer cluster, you can get past this problem, too. They're not real hard, either...

Honestly, I reboot my Linux boxes about monthly too, and neither they nor Windows now takes more than 30 seconds plus BIOS time (though that latter can be considerable on some boxes). Why? Well, I'll ask, why not? I like knowing they WILL restart, but this way I'm more (and perhaps more easily) assured all the patches and things are applied and working properly.

In fact, Server 2012 reboots FAST. I think it's got the edge now over Ubuntu 16, though when VM they're both ready to log into again about as quickly as I can restart whichever utility/connection I'm doing. When they're not VM, nearly the entire wait is BIOS type stuff.

Richfez
SplunkTrust

BTW, what a great thread. Too often these discussions elsewhere end up being a shouting match. It's a testimony to the culture and community surrounding Splunk that we can have a pleasant discourse on the pros and cons of each OS without it resulting in a flamewar.

In this case, *nix probably wins unless there's compelling business reasons for doing Windows. In other circumstances it could go either way depending on a variety of factors.

dwaddle
SplunkTrust

[1] Use what you're most comfortable with. If you're an MCSE with 20 years' experience running Windows, and no practical Linux experience except that Raspberry Pi you got for Christmas ... use Windows. If you or your team are equally capable on both Linux and Windows, then your decision is harder.

[2] Understand that running Splunk on Windows puts you statistically in the minority. Some things work substantially worse there from a performance standpoint - like things that depend on lots of custom REST endpoints (like DB Connect). (This is something Splunk is trying to improve). Also, a mixed Windows/Linux environment with Windows as the deployment server may have issues with things like scripted inputs.

Your community of peers running Splunk on Windows is much smaller than your community of peers would be on Linux. As such, the overall community (the people on Answers, or in IRC or Slack) will be much less equipped to help you, meaning you will have to rely more on support.

In my opinion, running your core Splunk infrastructure on Windows puts you at a substantial disadvantage. But, there are people who do it highly successfully.

skoelpin
SplunkTrust

Awesome idea about installing a heavy forwarder on a VM! I currently have a production indexer on a Windows machine, so if I install Linux on this second indexer, that should get around the issue of sending remote WMI calls, right?

Richfez
SplunkTrust

I would think so.

Keep in mind that ES can share indexers with other data with only minor concessions to "taking extra care", but the ES search heads are really special critters that want their own playground.

Sounds like Linux is the way to go for you and is what I would recommend.

Also, if you can swing it, I HEARTILY recommend having Splunk Professional Services help with standing up ES.

muebel
SplunkTrust

Yup, that's right.

Richfez
SplunkTrust

Nice answer, muebel. I thought of the WMI point right after I clicked Save. 🙂

To expand: if your remaining infrastructure is Windows, and if you aren't rolling the UF out to everything you have, with a Windows Splunk server you can just suck Event Logs off random boxes with just a couple of clicks via WMI. So if you have minor issues on server X and just want to review its logs, it's 30 seconds to pulling that in via WMI for those one-off cases, vs. quite a bit more work if all your servers are *nix. But again, this can be done with one Windows Splunk HF, too.
