Hi,
We are planning to upgrade our Splunk environment to be able to handle increased load. We currently have four physical Splunk servers, IBM System x3650 M3 (3.46 GHz), in our environment using local disks: 2 index servers and 2 search heads running on Red Hat Linux 64-bit. Index servers have physical disks 10x300 GB, RAID10 stripe-based, on /opt. RAM: 24 GB (1 search head and 1 index server) and 16 GB (1 search head and 1 index server). 2 CPUs (4 cores) for the index servers. 2 CPUs (6 cores) for the search heads.
We are thinking about replacing these servers with:
3 VMware servers for search heads using Red Hat Linux and SAN disk. 16 GB RAM. 4 CPUs. 3 GHz. One of the search heads should handle the saved searches used for generating alerts.
4 VMware servers for index servers using Red Hat Linux and SAN disk. Minimum 800 IOPS. 16 GB RAM. 4 CPUs. 3 GHz.
2 VMware servers for intermediate forwarders between the servers sending logs to Splunk and the index servers. 4 GB RAM, 1 CPU. 3 GHz.
We currently have about 150 forwarders. Daily index usage is on average between 30 and 40 GB.
We have approx. 400 users defined. One of the search heads is used a lot for generating alerts.
Could you please make some recommendations regarding our infrastructure strategy? We are planning to use the latest version of Splunk in the new environment.
Best regards,
Anne