Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links may return redirect errors. For documentation on versions 7.x and earlier, see the Splunk Enterprise Security 7.x documentation.

Considerations for scaling deployments

Evaluate your hardware, indexers, log size, and search heads to scale your Splunk Enterprise Security deployments.

Hardware scaling considerations

You might need to increase the hardware specifications of your Enterprise Security deployment beyond the minimum hardware requirements based on your environment. Depending on your system configuration, refer to the mid-range or high-performance specifications for Splunk platform reference hardware.

Indexer scaling considerations

Indexing is an I/O-intensive process. The indexers require sufficient disk I/O to ingest and parse data efficiently while responding to search requests.

Increase the number of indexers in your deployment to scale with higher search load and search concurrency. Since a collection of indexers can serve more than one search head, additional search heads using the same indexers as a search head hosting Enterprise Security can affect the total performance of your indexer tier and reduce the resources available to Enterprise Security.

The Splunk platform uses indexers to scale horizontally. The number of indexers required in an Enterprise Security deployment varies based on the data volume, data type, retention requirements, search type, and search concurrency.

Work with Splunk Professional Services to estimate deployment architecture if you plan to ingest 1 terabyte (TB) per day or more of data into Enterprise Security. See Splunk Customer Success.

Log size scaling considerations

In a search head cluster environment, syncing large KV Store lookups across the cluster members can fail and cause the KV Store to become stale. To mitigate this, increase the operations log size.
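The setting that controls this log is oplogSize in the [kvstore] stanza of server.conf on each search head cluster member. The fragment below is an added example, not configuration from the Splunk documentation, and the numeric value is a constructed placeholder rather than a sizing recommendation:

```ini
# server.conf on each search head cluster member (added example)
[kvstore]
# Size of the KV Store replication operations log (oplog), in megabytes.
# When the oplog is too small for the volume of lookup writes, members
# cannot catch up on a sync of a large lookup and the KV Store goes stale,
# so raise this value in step with the size of your asset and identity lookups.
# 4000 is a placeholder for illustration only.
oplogSize = 4000
```

Apply the same value on every cluster member so the replication log is sized consistently across the cluster.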

Search head scaling considerations

You might need to increase the number of search heads based on the number of concurrent ad hoc searches, real-time searches, and enabled detections. You might also need to increase the number of search heads based on the size of the asset and identity lookup files.

The following table provides information on scaling considerations for search heads when deploying Splunk Enterprise Security:

| Factor | Increase this specification |
|---|---|
| A large number of concurrent ad hoc searches | Increase CPU cores and RAM |
| A large number of real-time searches being run, or a large number of users logging in at the same time | Increase CPU cores |
| A large number of enabled detections | Increase RAM |
| Large asset and identity lookup files | Increase RAM |

The following table provides guidance on how changing the data ingestion, data model acceleration, and search load might affect the performance of Splunk Enterprise Security:

| Deployment size | Data ingestion per day | Number of indexers | Number of detections |
|---|---|---|---|
| Small | 300 GB | 3 | 20 |
| Mid-range | 1 TB | 10 | 60 |
| Mid-range to large | 625 GB to 15 TB | 24 | 60 |
| Large | 15 TB | 150 | 100 |
| Largest deployment tested in an on-premises search head cluster environment | 45 TB, with a skipped search rate of 4.9% | 240 | 60 |
| Largest deployment tested in an on-premises single search head environment | 25 TB, with a skipped search rate of around 1% | 300 | |

See also

For more information on IOPS and other requirements to scale deployments, see the product documentation:

Last modified on 09 August, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1

