Splunk Server: RHEL or Win2008

lawndart
New Member

Hello all,
I'm moving my Splunk server to a new VM-based box and I can either build it as a RHEL5/6 box or a Windows Server 2008 R2 box. My team and I are generally proficient in both, and we have a mixed environment of both. Has anyone looked at or noticed any performance differences across Splunk on those two OSs?

0 Karma

kristian_kolb
Ultra Champion

While I would also run on RHEL, there are limitations for both OS's.

On a *nix indexer, you cannot do remote polling of Windows machines through WMI. Any logs from Windows machines must come through a forwarder, off a network share, or through syslog.

PDF server is not supported on Windows, afaik - you'd need a *nix machine to run that.

/Kristian

romantercero
Path Finder

Wow, the PDF server is not supported on Windows? Man, it was a pain to get it working on our RHEL search heads... I thought on Windows it just might be a matter of pressing next a few times and "I agree" before having it working.

0 Karma

Drainy
Champion

The recommended method for collecting WMI and events is via a forwarder anyway for Splunk these days, though the PDF server is a valid point!

0 Karma

Drainy
Champion

I would run it under RH. I have personally found the performance of a nix system on a VM running Splunk to exceed that of a Windows server. Also, while it is true that running Splunk on a VM affects performance, it isn't necessarily not recommended; as long as you can give it enough cores and the required 800 IOPS, it should operate satisfactorily.

romantercero
Path Finder

You should be advised that running Splunk in a virtual environment is not recommended. Splunk needs fast access to the hardware and the VM will only add more layers between Splunk and the hardware. Having said that, we run Splunk off RHEL and the only issues I've had that have been dependent on the OS have been with the PDF server. Everything else is pretty much a breeze. Other than that RHEL has given us no issues whatsoever.

Maybe someone can comment on Windows.

edbolton
Explorer

@lawndart Be aware that there are some SplunkBase Apps (notably SOURCEfire) which are currently unsupported on Windows.

0 Karma

lawndart
New Member

Yeah, we have a small enough deployment that we haven't noticed any issues with running it off VMs so far, but we have some long term plans to spec up to physical boxes when we need it.

0 Karma