Sizing a Splunk installation - and a license question too.

Branden
Builder

We're considering moving our Splunk environment from AIX to a Linux x86 box for performance reasons. My particular department uses a tiny 500 MB license (carved out of a larger license).

We do not plan to move the index to Linux as that is not easy to do, or so I am told (otherwise we'd love to do that). So it was suggested that I use the new Linux box as the indexer, and I can access the older data on the AIX box.

I have two questions:

1) All new data will be going to the new Linux box. Do I still need to have a paid license on the old indexer? It won't be indexing new info, just providing old info as needed. If I need a license on both boxes, can licenses be carved out in increments smaller than 500 MB?

2) Given our relatively small load (up to 500 MB a day, but could double in the next year), what is a reasonable configuration for a Linux server? The docs have sizing suggestions for large environments, but I don't see much in the way of small environments. I was thinking two CPUs and 4 GBs...

Thanks!

0 Karma
1 Solution

southeringtonp
Motivator

You shouldn't need a paid license on the old indexer, as long as you won't be indexing data there going forward. The Forwarder license should work fine.

If you do want to still index some data on the forwarder, you'll need to carve up the license - you'd need to contact Splunk support (or wait for 4.2, which is rumored to handle distribution of a single license across multiple machines).

You may wish to configure distributed search between the two boxes to allow searching of all data from one console. You can even disable SplunkWeb on the AIX server if you go that route.

As you say, 500 MB is a very light load for Splunk. Two CPUs and 4 GB RAM should be adequate, though the RAM might be a little low. Given the cost of RAM these days I'd go for at least 8 GB. RAID10 for disk is always a good move if you can swing it.

southeringtonp
Motivator

You'd need an Enterprise license on the AIX box, but the free Forwarder license should count -- it's basically an Enterprise license with a minuscule indexing cap.

0 Karma

Branden
Builder

Appreciate the feedback!
If I configure distributed search, I should not need a license on the AIX box, right?
Thanks again!

0 Karma