Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is SAN or local storage preferable when building a search head cluster?

ankithreddy777
Contributor
‎01-18-2017 09:08 AM

We want to build a search head cluster. May I know which storage is preferable: SAN or local drive? And why?

0 Karma
Reply

koshyk
Super Champion
‎01-23-2017 12:11 PM

Splunk Capacity documentation speaks about the "minimum" spec. In reality , what I have seen is Search Head is used in great extend if you have lot of TA's/addons and premium products like Enterprise Security. All these search time extractions will be run during every search, thus my view is to have "local" storage as much as possible

  • Indexer : hot data in Local or extremeIO SAN
  • Indexer: cold data in NAS
  • Indexer: /opt/splunk installation in local storage
  • SH: local storage for /opt/splunk installation
0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎01-22-2017 06:31 PM

@ankithreddy777 - Did the answer provided by gokadroid provide a solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma
Reply

gokadroid
Motivator
‎01-18-2017 09:17 AM

Storage choices always should be decided on the IOPS required for a particular Splunk Component you are devising. For example there will be no use of having a slower IOPS local storage when a SAN setup has a higher IOPS or (Random seeks or better latency values than local storage).

Since Search Head setup is more CPU and memory bound hence those factors should be of prime consideration. Here are the reference values and link:

**Dedicated search head**

 Intel 64-bit chip architecture
 16 CPU cores at 2Ghz or greater speed per core.
 12GB RAM
 2 x 300GB, 10,000 RPM SAS hard disks, configured in RAID 1
 A 1Gb Ethernet NIC, optional 2nd NIC for a management network
 A 64-bit Linux or Windows distribution

http://docs.splunk.com/Documentation/Splunk/6.5.1/Capacity/Referencehardware#Reference_host_specific...

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...