As we have discussed, there are two primary ways to scale the Solution:
- Run multiple engines within a single FA.
- Deploy multiple FAs, possibly with multiple engines running in each one.
To write an
engine.conf file or to split the engine file across many FA VM(s) and engine instances to support your environment, you must consider the following:
- How large is your environment? Knowing the size of your environment (the number of hosts and VMs) helps to determine the number of forwarder appliances you need to monitor these hosts. it also helps determine the length of time it will take to run the actions that collect the data from your environment. For examle, the collection of inventory data can take a very long time in a very large environment. Knowing the number of hosts, the number of virtual centers, and the number of virtual machines can help you determine how you want to monitoring your virtual environment.
- How much volatility is in your environment? In an environment where virtual machines are quickly created and deleted, you may need to increase the data collection frequency for Splunk to capture certain kinds of data. Setting up the correct frequency for data collection assists in getting data in as fast as possible and ensuring the complete data sets are collected.
- How close to "real-time" do your need to monitor your environment? If you need to detect changes in your environment in "real-time (immediately), you can increase the frequency of collection to ensure that Splunk sees the changes in the data. Setting up the correct frequency for data collection assists in getting data in as fast as possible.
- How critical is the data you are collecting? Is the collection of performance metrics critical to your environment? Give critical data special treatment in the forwarder appliances. Identify data that has highest priority and make sure that it is collected at the correct frequency (fast enough to get it all in).