I am in the process of migrating(in production!) from a Two machine implementation ( one search head, and one search head /indexer) to a properly distributed setup. I placed a Heavy Forwarder in-line yesterday. It seems to be humming along smoothly. the load on my indexer has gone down quite a bit as it is no longer having to parse the incoming data.
Heres what I am trying to do ,
log-001(SH/IN) -> log-001(IN)
log-002(SH) -> log-002(SH/IN)
log-003(HF) -> log-003(HF)
Specs:
log-001
8 Cores @ 3.0GHz
8G RAM
800 G storage ( broken up into 250 hot and 550 warm/cold)
log-002
24 Cores @ 2.8Ghz
32G RAM
150G storage (RAID 10)
Indexing approx 100G a day, soon to be 300 😕
My question is, whats the best way to re-allocate the resources I have to get the best performance out of Splunk.
I am guessing I will need more storage on log-002, as well as a procedure to "split" the indexes that currently live on 001.
If I don't add more storage to 002, what will be the impact as that drive isnt able to index an equal share of the data?
Am I coorect in thinking that moving the search functionality totally off of log-001 will leave me with a more-suited-to-the-task indexer?
aaaaaand, I thank ya's
J
TLDR;
Splunk grew faster than the HW, attempting to migrate from overloaded box to distrubted enviro. tips? gotchas?
... View more