i am confused with the setup guide's explanation. Currently i've deployed splunk only on an individual PC for testing etc. however, if SPLUNK is set up in a larger environment, how would resource utilization and management comes in?
Scenario:
There's an existing server for database.
Several indexers and forwarders all set up through the network. High density flow of data happens in real time.
So, indexing occurs. But where does these indexed info goes? are these search indexes memory based? How are these indexed data accessed by other search heads then? How will this affect memory and resource management (from the view of the entire network, and from the single PC operator point of view)
I'm not sure if im phrasing the question correctly, but im trying to find out how the indexed data is handled by Splunk as the database is going to be accessed alot of time by various PCs via SPLUNK to generate various reports.
Appreciate any help to clarify my confusion here.
The docs cover pretty well what an index is, and how it works. Have a look at http://docs.splunk.com/Documentation/Splunk/latest/Admin/WhatsaSplunkindex and http://docs.splunk.com/Documentation/Splunk/latest/Admin/Howindexingworks
The docs cover pretty well what an index is, and how it works. Have a look at http://docs.splunk.com/Documentation/Splunk/latest/Admin/WhatsaSplunkindex and http://docs.splunk.com/Documentation/Splunk/latest/Admin/Howindexingworks
Resource planning is available in this section of the docs: http://docs.splunk.com/Documentation/Splunk/latest/installation/capacityplanningforalargersplunkdepl...
Does this address your concerns?
thanks. but it doesnt mention how much resources it would use or occupy. supposedly my data is never archived and i have to constantly add months n months of logs to be indexed; what happens to the datastore the indexer used?
hence, im concerned about the memory used or resourced utilized in this case and any possible consequences.