We are setting up a production Splunk environment on Linux VMs (RHEL7). I'm not exactly a "server guy", so I'm learning on the fly. I've been given these specs to build the search head and indexer:
Search head specs:
• Intel 64-bit chip architecture
• 16 CPU cores at 2GHz or greater speed per core.
• 12GB RAM
• 2 x 300GB, 10,000 RPM SAS hard disks, configured in RAID 1 – 800 IOPS (these are Splunk specs; not sure what we have available)
• A 1Gb Ethernet NIC, optional 2nd NIC for a management network
• A 64-bit Linux
Indexer specs:
• Intel 64-bit chip architecture.
• 12 CPU cores at 2GHz or greater per core.
• 12GB RAM.
• Disk subsystem capable of 800 average IOPS. For details, see the topic Disk subsystem.
• A 1Gb Ethernet NIC, with optional second NIC for a management network.
• A 64-bit Linux
• 4TB RAID 0 for Hot, Warm, Cold Data – 800 IOPS
• 2TB RAID 0 for Archived Data – 400 IOPS
The questions:
How many servers are needed given there are forwarders, indexers, search heads, deployment server, and a license master?
Would Splunk be installed on opt/splunk? How much space would need to be allocated to the install?
Are there "best practices" for naming the mount points...or would you have any suggestions?
On the 4TB drive and (2) 300GB drives, is that space dispersed across several hard disks?
Any suggestions you have would be awesome!