Deployment Architecture

Departmental architecture setup for 100+ concurrent users or searches?

raghu_vedic
Path Finder

Hi,

I want to set up a departmental architecture because our daily data volume is 1 GB/day.

As per the Splunk documentation about departmental architecture, they say only one single instance (indexer + search head) is required. But I have split the indexer from the search head using distributed search. Is this approach fine, or is anything wrong with it?

Hardware setup for indexer and search head:
Intel x86 64-bit chip architecture
12 CPU cores at 2 GHz or greater speed per core
12 GB RAM
Standard 1 Gb Ethernet NIC, optional second NIC for a management network
Standard 64-bit Linux or Windows distribution

Based on the daily data volume of 1 GB/day we decided on the departmental architecture, but is it possible to follow the small-tier architecture instead? Please let me know if I am going in the wrong direction.

For more than 100 concurrent users or searches, what setup do I need in the departmental architecture?


esix_splunk
Splunk Employee

This will work for low volumes. I'd be worried about disk I/O in a VM-based solution.

Additionally, for 100 concurrent searches, look here: http://docs.splunk.com/Documentation/Splunk/6.6.3/Capacity/Accommodatemanysimultaneoussearches


raghu_vedic
Path Finder

Thanks for the reply, but I have one question.
For a daily data volume of less than 1 GB/day we are using only one indexer (12-core CPU). The indexing process will use 1 core and the remaining 11 cores will be available. So running 100 concurrent searches will take more time to execute (if the number of seconds per individual search is 10, then the approximate time to complete all searches is 90 seconds).

What will be the solution? Should I add more CPU cores to the one indexer (approx. 128 cores), or do I have to follow the indexer clustering concept, given that for index clustering the minimum daily data volume should be more than 20 GB/day?

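The core-versus-concurrency arithmetic the thread is doing by hand can be written down as a small planning model. The following is an added example for this thread, not Splunk's code or anything from the linked documentation. It assumes Splunk's default historical-search limit from limits.conf ([search] stanza: max_searches_per_cpu * cores + base_max_searches, defaults 1 and 6; verify against the limits.conf reference for your version), and it treats "reserving cores for indexing" as a planning simplification that just removes those cores from the search pool. Setting base_max_searches to 0 reproduces the one-search-per-core model used in the post above.

```python
"""Search-concurrency planning model for a single Splunk instance or a set of
identical search hosts. Added example for this thread; not Splunk's code.

Assumptions (labelled):
- Default historical search limit: max_searches_per_cpu * cores + base_max_searches
  (limits.conf [search], defaults 1 and 6). Check your version's reference.
- Searches beyond the limit queue and start as slots free up, so a burst of N
  equal searches drains in ceil(N / slots) rounds of the per-search duration.
- Cores "reserved" for indexing are simply excluded from the search pool; Splunk
  does not pin cores this way, it is only a capacity-planning simplification.
"""
import math
from dataclasses import dataclass


@dataclass
class SearchHost:
    cores: int
    indexing_cores: int = 0          # cores the planner keeps free for indexing
    max_searches_per_cpu: int = 1    # limits.conf default (assumed)
    base_max_searches: int = 6       # limits.conf default (assumed)

    def search_slots(self) -> int:
        """Concurrent historical searches this host admits under the model."""
        usable = max(self.cores - self.indexing_cores, 0)
        return self.max_searches_per_cpu * usable + self.base_max_searches


def drain_time_seconds(host: SearchHost, n_searches: int, per_search_seconds: float) -> float:
    """Time to finish a burst of n_searches equal searches on one host."""
    slots = host.search_slots()
    rounds = math.ceil(n_searches / slots)
    return rounds * per_search_seconds


def cores_for_concurrency(n_searches: int, indexing_cores: int = 0,
                          max_per_cpu: int = 1, base: int = 6) -> int:
    """Vertical scaling: smallest core count at which n_searches all run at once."""
    needed_slots = max(n_searches - base, 0)
    return math.ceil(needed_slots / max_per_cpu) + indexing_cores


def hosts_for_concurrency(host: SearchHost, n_searches: int) -> int:
    """Horizontal scaling: identical hosts needed so n_searches all run at once."""
    return math.ceil(n_searches / host.search_slots())


if __name__ == "__main__":
    # Constructed scenario matching the thread: 12 cores, 1 kept for indexing,
    # 100 concurrent searches of roughly 10 seconds each.
    box = SearchHost(cores=12, indexing_cores=1)
    print("search slots on the 12-core box:", box.search_slots())
    print("seconds to drain 100 x 10s searches:", drain_time_seconds(box, 100, 10))
    print("cores needed for 100 truly concurrent searches:", cores_for_concurrency(100, indexing_cores=1))
    print("12-core hosts needed for 100 truly concurrent searches:", hosts_for_concurrency(box, 100))
    # The post's one-search-per-core model (no base allowance):
    strict = SearchHost(cores=12, indexing_cores=1, base_max_searches=0)
    print("seconds under the one-search-per-core model:", drain_time_seconds(strict, 100, 10))
```

The two scaling functions make the trade-off in the question explicit: reaching 100 simultaneous searches on one box needs on the order of 95 cores under the default limit, whereas several modest search heads reach the same concurrency, which is the direction the linked capacity page points to. Whichever path is taken, the disk I/O warning above still applies, because every search slot that runs is reading buckets from the same storage.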