All Apps and Add-ons

Splunk Enterprise performance on VMware VSAN

C_K
New Member

Good Morning;

We have been mandated to use vmware for our splunk infrastructure, and we are curious about using vsan. There does not appear to be any information for splunk on vmware vsan - the tech brief contains good information, but I think vsan came out after the tech brief. Has anybody run splunk using vsan as the storage layer?

Tags (1)
0 Karma

kartikaydwivedi
New Member

Hey There!

We have something exciting available for you on how to run Production Splunk on VMware vSAN

Check it out at-:
https://storagehub.vmware.com/t/vmware-vsan/splunk-on-vmware-vsan/

https://www.linkedin.com/feed/update/urn:li:activity:6534414439188398080

Thanks,
Kartikay

0 Karma

Queboduck
Engager

The solutions guide Jenny refers to, “Using Splunk Enterprise with VxRail Appliances and Isilon for Analysis of Machine Data”, was published 3/1/2017: https://www.emc.com/collateral/service-overviews/h15699-splunk-vxrail-sg.pdf

Appendix A on page 87 provides some indicative vSAN performance data on VxRail to illustrate the linear scale of vSAN and VxRail for Splunk using IOmeter. One thing to note, as stated on page 88, in the test IOmeter was run on a VxRail Appliance hybrid configuration cluster to show the linear scalability of the VxRail cluster. This is a node that uses EFD cache and HDD media. While it is performant, it is not reflective of the higher performing all-flash VxRail configuration in the described scenarios. Dell EMC and Splunk’s recommendation is to use all-flash vSAN nodes. This is not necessarily an artifact of vSAN, though all-flash vSAN does have additional data services capabilities over traditional HDD/hybrid. If you see the presentation of Blizzard from .conf 2016 you see the general value of flash for Hot/Warm even in a direct attached storage environment with no software defined storage.

Hope this helps.

jhollfelder_spl
Splunk Employee
Splunk Employee

Great question! Although I have not personally run a production Splunk Enterprise environment using VSAN as the underlying storage, I worked closely with Dell EMC to assess the performance of Splunk Enterprise on VxRail, a hyper-converged solution that uses VSAN as the underlying storage, and can confirm that given proper resource allocation, it meets or exceeds the performance of Splunk's documented reference hardware: http://docs.splunk.com/Documentation/Splunk/6.5.1/Capacity/Referencehardware

I am in the process of working with Dell EMC on a "VxRail Infrastructure for Splunk Enterprise" Solution Guide which includes:
1. Technology overview of Splunk Enterprise and VxRail including Virtual SAN (VSAN).
2. Recommended configurations and best practices for setting up VxRail (including VSAN) for a Splunk Enterprise use case (includes screenshots).
3. Splunk-validated Configurations for VxRail All-Flash for Splunk Enterprise ranging from 50GB/day to 1TB/day.

Note: The sizing guidance in the Splunk-validated Configurations section is for Splunk Enterprise (core only). Apps like Enterprise Security, IT Service Intelligence OR environments that make heavy use of Data Model Acceleration (DMA) and have a large number of saved searches require additional consideration for sizing your Splunk Enterprise deployment.

We're working to get the VxRail solution guide for Splunk Enterprise released as soon as possible. When it's published, it will be linked from the Dell EMC partner page on Splunk's main website (https://www.splunk.com/dellemc). I will also provide an update to this post with the link when it's available.

If there are existing customers running on VxRail or using VSAN for the underlying storage for Splunk Enterprise who would like to share their experiences, we'd love to hear from you! What configuration are you running? What have you found works well? What, if any, problems have you encountered? Sharing is caring!

Thanks and hope this helps! 😃

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...