Considerations for scaling deployments
Evaluate your hardware, indexers, log size, and search heads to scale your Splunk Enterprise Security deployments.
Hardware scaling considerations
You might need to increase the hardware specifications of your Enterprise Security deployment beyond the minimum hardware requirements based on your environment. Depending on your system configuration, refer to the mid-range or high-performance specifications for Splunk platform reference hardware.
Indexer scaling considerations
Indexing is an I/O-intensive process. The indexers require sufficient disk I/O to ingest and parse data efficiently while responding to search requests.
Increase the number of indexers in your deployment to scale with higher search load and search concurrency. Since a collection of indexers can serve more than one search head, additional search heads using the same indexers as a search head hosting Enterprise Security can affect the total performance of your indexer tier and reduce the resources available to Enterprise Security.
The Splunk platform uses indexers to scale horizontally. The number of indexers required in an Enterprise Security deployment varies based on the data volume, data type, retention requirements, search type, and search concurrency.
Work with Splunk Professional Services to estimate deployment architecture if you plan to ingest 1 terabyte (TB) per day or more of data into Enterprise Security. See Splunk Customer Success.
Log size scaling considerations
In a search head cluster environment, syncing large KV Store lookups across the cluster members can fail and cause the KV Store to become stale. To mitigate this, increase the operations log size.
Search head scaling considerations
You might need to increase the number of search heads based on the number of concurrent ad-hoc searches, real time searches, and enabled detections. You might also need to increase the number of search heads based on the size of the asset and identity lookup files.
The following table provides information on scaling considerations for search heads when deploying Splunk Enterprise Security:
| Factor | Increase this specification |
|---|---|
| A large number of concurrent ad hoc searches | Increase CPU cores and RAM |
| A large number of real-time searches being run or a large number of users logging in at the same time | Increase CPU cores |
| A large number of enabled detections | Increase RAM |
| Large asset and identity lookup files | Increase RAM |
The following tables provide guidance on how changing the data ingestion, data model acceleration, and search load might impact performance for Splunk Enterprise Security:
| Deployment size | Data ingestion per day | Number of indexers | Number of detections |
|---|---|---|---|
| Small | 300 GB | 3 | 20 |
| Mid-range | 1 TB | 10 | 60 |
| Mid-range to large | 625 GB per day to 15 TB per day | 24 | 60 |
| Large | 15 TB per day | 150 | 100 |
| Largest deployment tested in an on-premises search head cluster environment | 45 TB with skip search rate of 4.9% | 240 | 60 |
| Largest deployment tested in on-premises single search head environment | 25 TB with skip search rate of around 1% | 300 |
See also
For more information on IOPS and other requirements to scale deployments, see the product documentation:
- Mid-range specification and High-performance specification in the Splunk Enterprise Capacity Planning manual.
- Reference Hardware: Indexer in the Splunk Enterprise Capacity Planning manual.
- Prevent stale members by increasing operations log size in the Splunk Enterprise Admin manual.
| Deployment considerations for Splunk Enterprise Security | Performance reference for Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Download manual
Feedback submitted, thanks!