Deployment Architecture

How to determine hard drive disk space sizing for the search head?

kiril123
Path Finder

Hello,

We are adding a search head server and I am trying to work out how much HDD space will be required. My understanding is that indexers require the largest amount of HDD space as they index and store the data. What about a search head? We are planning to run a lot of scheduled searches and summary indexes.

1 Solution

lguinn2
Legend

The number of searches that you run does affect the disk space on a search head. The results of searches are stored in $SPLUNK_HOME/var/run/splunk/dispatch
You could look at your existing servers to see how much disk space this requires. It is probably tiny compared to your indexes...

On a search head, I usually set up a dedicated drive or mount point for the $SPLUNK_HOME/var directory tree. That way it is easy to monitor. The var subdirectory contains all of the "dynamic" files that are created: log files, search results, etc.

In addition, do NOT store the summary indexes on the search head. The best practice is to forward summary indexes to the indexers. While you don't have to follow this best practice now, perhaps, you should. Here is how:
Best Practice: Forward search head data to indexing layer

View solution in original post

lguinn2
Legend

The number of searches that you run does affect the disk space on a search head. The results of searches are stored in $SPLUNK_HOME/var/run/splunk/dispatch
You could look at your existing servers to see how much disk space this requires. It is probably tiny compared to your indexes...

On a search head, I usually set up a dedicated drive or mount point for the $SPLUNK_HOME/var directory tree. That way it is easy to monitor. The var subdirectory contains all of the "dynamic" files that are created: log files, search results, etc.

In addition, do NOT store the summary indexes on the search head. The best practice is to forward summary indexes to the indexers. While you don't have to follow this best practice now, perhaps, you should. Here is how:
Best Practice: Forward search head data to indexing layer

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...