As a part of capacity planning for the Splunk App for Enterprise Security deployment, make sure that your servers and storage systems meet or exceed the requirements described in the Reference hardware topic in the Capacity Planning Manual.
To understand the factors to consider in capacity planning for your deployment, see Dimensions of a Splunk Enterprise deployment topic in the Capacity Planning Manual.
Splunk deployment ecosystem
The Splunk App for Enterprise Security is an integrated part of the Splunk deployment. As you plan your new Splunk deployment, or expand your existing deployment to include the Splunk App for Enterprise Security, carefully review these hardware requirements and ensure that you architect your deployment appropriately.
Key concepts to understand:
- The Splunk App for Enterprise Security requires its own dedicated search head. Do not try to share the search head with other product components.
- Real-time and scheduled searches that support the Enterprise Security dashboards, views, and correlation searches are initiated by the search head. Results are returned, aggregated, and summarized by the search head.
- Summarized data is no longer stored on the search head. This requires less disk space on the search head but more disk space on the indexers.
- Search-time knowledge (field extractions, event types, tags, lookups, and so on) resides on the search head.
- Index-time knowledge (source types, time stamping, line breaking, and so on) resides on the indexer or on forwarders depending on the Splunk architecture.
- Enterprise Security includes a high number of scheduled searches that run on a regular basis. This will put an extra load on the search head and the indexers and should be taken into consideration.
See Components of a Splunk Enterprise deployment in the Capacity Planning Manual.
It is important to have sufficient hardware in your Splunk deployment. The Splunk App for Enterprise Security will increase the resource consumption of the indexers and will require its own dedicated search head. Consider each of the hardware resources on the search head and indexers (RAM, disk space, CPU cores) to ensure that the hardware will support the data volume and usage expected. The hardware recommendations in this section are based on a typical Splunk deployment where Enterprise Security is installed on its own dedicated search head. These recommendations are in addition to the requirements of any other apps or other uses of Splunk.
CPU cores - The number of cores on the search head determines the speed at which you can initiate searches, receive the results of the searches from the indexers, and process the data as needed by the searches. On the indexers, the CPU cores influence the number of concurrent searches that can run and the volume of data that can be indexed.
Memory - System memory is used on the search head to process data coming back from indexers, and correlate the data to lookups in later phases of the search pipeline. Memory is used on the indexers in much the same way.
Disk space - While some disk space is necessary on the search head, almost all data is now stored on the indexers where disk space is necessary to store the raw data as well as to store summary data in TSIDX namespaces and summary indexes.
Search head hardware
In a distributed deployment, the search head where Enterprise Security is installed should be dedicated to Enterprise Security. No other apps should be installed. The scheduled searches that ship with Enterprise Security will be initiated from the search head to the indexers. The data retrieved will be sent back to the Enterprise Security search head, with the results presented to the user conducting an investigation.
Important: Any real-time settings for Enterprise Security will be global for any other apps on the same search head. This is a known issue.
Note: The search head that is hosting the Splunk App for Enterprise Security should be configured for high performance. UNIX systems should check the ulimit setting in particular, as this can artificially limit the operating system's capacity. Other performance impacts include the Linux swappiness setting. Consult with your UNIX systems administrator for high performance build recommendations.
An Enterprise Security search head requires a minimum of 12 CPU cores. Additional cores may be necessary depending on the volume of data and user concurrency expected.
Note: SPARC platforms are untested and not recommended.
Memory varies according to the volume of data, the number of correlation searches enabled and the size of the asset and identity lookups. The following table provides a guideline based on volume:
| Data volume (GB per day) | 100 | 300 | 500 | 1000 | 2000 | 3000 | 4000 | 5000 |
In the Splunk App for Enterprise Security 3.0 and later, TSIDX data is no longer stored on the search head. The TSIDX namespace data collection has been replaced with the data model acceleration feature in Splunk Enterprise 6. Data model acceleration uses the indexers for storage, with the data models stored within each index. This change reduces, but does not eliminate the storage use on the search head.
Search head pooling
The Splunk App for Enterprise Security supports search head pooling and can be installed into a search head pool if the load requires it. See Configure the search head in this manual and Configure search head pooling in the Splunk Enterprise documentation for more information on setting up search head pooling.
Splunk indexers provide indexing and searching capacity for machine data. See How indexing works in the Splunk platform documentation to learn more. Indexers are I/O-intensive and require sufficient disk I/O, CPU, and memory to ingest data and respond to search requests.
You should have a minimum of 12GB memory and 12 CPU cores on each of your indexers. See Reference hardware in the Splunk Enterprise documentation for recommended indexer hardware.
Splunk indexers scale horizontally. The number of indexers in the deployment is a function of data volume and the required speed of search results. As the volume increases, additional indexers can be added to the deployment to increase indexing capacity and search responsiveness.
The following table illustrates guidance for up to 5TB:
| Data volume (GB/day) | 100 | 300 | 500 | 1000 | 2000 | 3000 | 4000 | 5000 |
|---|---|---|---|---|---|---|---|---|
| Number of indexers with correlation searches enabled | 1 | 3 | 5 | 10 | 20 | 30 | 40 | 50 |
The TSIDX namespace data collection has been replaced with the data model acceleration feature in Splunk Enterprise 6. Data model acceleration uses the indexers for storage, with the data models stored within each index. Calculate the additional storage needed on indexers based on the total volume of data using the formula:
TSIDX namespace storage/year = Data volume per day * 3.4
This formula assumes you are using the recommended retention rates for the TSIDX namespaces.
Example: If you are processing 100GB/day of data for use with Enterprise Security, you will need approximately 340GB more space on the indexers. This will allow for up to 1 year of data model retention and source retention.
See TSIDX namespaces in this manual for more information.
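The indexer guidance table and the TSIDX storage formula above, as an added sizing helper that is not Splunk's own code. Rounding a daily volume up to the next listed tier, and splitting the extra storage evenly across indexers, are assumptions made here, not rules stated on this page.

```python
# Added example (not Splunk's own code): sizes the indexer tier and the extra
# data model acceleration (TSIDX) storage from the guidance on this page.
import math

# Indexer guidance table from this page: GB/day -> indexers with correlation
# searches enabled.
INDEXER_GUIDANCE = {100: 1, 300: 3, 500: 5, 1000: 10, 2000: 20,
                    3000: 30, 4000: 40, 5000: 50}

# Page formula: TSIDX namespace storage per year = daily volume * 3.4
# (assumes the recommended retention rates for the TSIDX namespaces).
TSIDX_FACTOR_PER_YEAR = 3.4

# Minimums stated on this page.
SEARCH_HEAD_MIN_CORES = 12
INDEXER_MIN_CORES = 12
INDEXER_MIN_RAM_GB = 12


def indexers_for_volume(gb_per_day):
    """Indexer count for the smallest guidance tier that covers the volume.
    Rounding up to the next tier is an assumption made here; volumes above
    5 TB/day are outside the table and rejected rather than extrapolated."""
    if gb_per_day <= 0:
        raise ValueError("daily volume must be positive")
    for tier in sorted(INDEXER_GUIDANCE):
        if gb_per_day <= tier:
            return INDEXER_GUIDANCE[tier]
    raise ValueError("%s GB/day exceeds the 5 TB/day guidance table" % gb_per_day)


def tsidx_storage_per_year_gb(gb_per_day):
    """Extra indexer storage for one year of data model retention."""
    return gb_per_day * TSIDX_FACTOR_PER_YEAR


def plan_capacity(gb_per_day):
    """Assemble the per-deployment sizing figures a planner would record."""
    indexers = indexers_for_volume(gb_per_day)
    extra = tsidx_storage_per_year_gb(gb_per_day)
    return {
        "gb_per_day": gb_per_day,
        "indexers": indexers,
        "tsidx_storage_year_gb": extra,
        # Assumption: data is spread evenly, so each indexer carries an
        # equal share of the extra storage (rounded up to whole GB).
        "tsidx_storage_per_indexer_gb": math.ceil(extra / indexers),
        "indexer_min_cores_total": indexers * INDEXER_MIN_CORES,
        "indexer_min_ram_gb_total": indexers * INDEXER_MIN_RAM_GB,
        "search_head_min_cores": SEARCH_HEAD_MIN_CORES,
    }
```

Running `plan_capacity(100)` reproduces the page's example of about 340 GB of additional indexer storage for one year of retention.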
Installing the Splunk App for Enterprise Security in a virtualized environment requires the same memory, CPU, and storage as an installation in a non-virtualized environment. See Virtual hardware in the Capacity Planning Manual.
Where appropriate, you can improve performance of the Splunk App for Enterprise Security and reduce hardware requirements as follows:
- Consider using scheduled searches instead of real-time searches.
- If you do not require all of the capabilities in the Splunk App for Enterprise Security, disable the searches and/or domains not in use. For example, if you are only interested in the Access Protection domain, disable the Endpoint Protection and Network Protection searches and domains.
- The Splunk App for Enterprise Security search head requires "search by default" access for the admin role to all indexes that it should search, as described in Set up multiple indexes in the Splunk platform product documentation.
Note: By default the search head will search over the "main" index.
Warning: Do not add summary indexes to the default search indexes, as this can cause a search and summary index loop. See the Enterprise Security User Manual FAQ for more details.
Plan your data inputs
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1