Splunk IT Service Intelligence

Splunk ITSI Requirement

ramprakash
Explorer

Hello Splunkers.. I need urgent assistance in setting up Splunk ITSI. Our current Infrastructure is a distributed one running on Splunk version 6.0.1.

Present Infrastructure where Splunk 6.0.1 is present:-

Two indexers - RAM 16 GB, CPU 12 CORES

Two search heads(SHP) - RAM 16 GB, CPU 12 CORES

One Cluster master - RAM 16 GB, CPU 12 CORES

We want to install Splunk ITSI and for that we have ordered completely new VM which will behave as a dedicated Search head for ITSI. Can someone please clarify my doubts:-

1) For 100-200 KPIs the VM I ordered has specs RAM 32 GB, CPU 16 CORES, Disc 500 GB
Also i will upgrade present Indexers specs to RAM 32 GB, CPU 16 CORES.
2) Version upgrade. Can we run Splunk ITSI search head on version 7.1.x and what minimum version we need to upgrade for present Indexer, Search heads and CM.
3) We dontt want to load Search heads so thats why we have ordered new VM as dedicated search head. Is it good approach ?

Thanks,
Ramprakash

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

1) Those are good starting specs for the search head. You may need more cores and memory as you add KPIs.
Recommended practice is to have more cores at the indexer level than at the SH level. Your proposed architecture will have 32 indexer cores and 40 SH cores. Consider adding a third indexer.
2) Yes, you most definitely should upgrade Splunk. ITSI requires Splunk 7.1 or later. I suggest upgrading everything to 7.2.6.
3) A SH dedicated to ITSI is not required, but is a good idea.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

1) Those are good starting specs for the search head. You may need more cores and memory as you add KPIs.
Recommended practice is to have more cores at the indexer level than at the SH level. Your proposed architecture will have 32 indexer cores and 40 SH cores. Consider adding a third indexer.
2) Yes, you most definitely should upgrade Splunk. ITSI requires Splunk 7.1 or later. I suggest upgrading everything to 7.2.6.
3) A SH dedicated to ITSI is not required, but is a good idea.

---
If this reply helps you, Karma would be appreciated.

ramprakash
Explorer

Thanks for the assistance.

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...