This topic helps you decide whether or not to distribute your Splunk deployment.
This questionnaire is for a single-server Splunk deployment based on the reference architecture described in "Reference hardware."
Determine when to scale your Splunk deployment
Before you consider whether or not to scale, estimate how much data you need to index, and whether or not you need more than one concurrent Splunk user to search that data.
Depending on how much data you index and how many concurrent users you require, you might need to scale your environment to multiple machines. Even if your indexing volume and user count fall within the capabilities of a single server, you might have to distribute your deployment based on the types of searches you employ, and whether or not you use summary indexes.
If you want to run a Splunk app or solution in your Splunk environment, or you create elements that generate a large number of saved searches, you might have to distribute Splunk components across a number of machines.
Question 1: Do you want to create or run a Splunk app, alert or solution that executes a large number of saved searches (more than 8 concurrently)?
A saved search is a search that a user saves to make available for later use. The number of saved searches - especially those run concurrently - directly impacts a Splunk server's performance. If you answered "NO" to this question, then proceed to Question 2. You don't need to consider scaling your Splunk deployment to multiple machines just yet.
However, if you answered "YES" then you should scale your Splunk deployment to multiple machines. Review detailed information on hardware capacity planning for distributed Splunk deployments in "Hardware capacity planning for a distributed Splunk Deployment" in the Distributed Deployment Manual.
Question 2: Do you need to index more than 2 GB of data per day?
Question 3: Do you need more than 2 users signed in at one time?
If the answer to both questions is "NO" then your Splunk instance can safely share one of the reference servers with other services, with the caveat that Splunk must have sufficient disk I/O bandwidth on the shared machine.
If you answered "YES" to either question then proceed to Question 4.
Note: If you are deploying Splunk on Windows, you must not share full Splunk services on servers that run Microsoft Exchange, Active Directory domain services, or machine virtualization software. This is because those services are often very disk I/O intensive, and can dramatically reduce indexing and search performance. Additionally, you must ensure that any anti-virus software installed on the server does not scan the Splunk installation directory.
Question 4: Do you need to index more than 100 GB per day?
Question 5: Do you need more than 4 concurrent users?
If the answer to both questions is "NO" then a single dedicated Splunk server of our reference architecture should be able to handle your workload.
Question 6: Do you need more than 500GB of total storage?
Read "How Splunk calculates disk storage" to learn how Splunk calculates disk storage.
If the answer to this question is "NO" then a single dedicated reference Splunk server should be able to handle your workload, but you might need to add fast storage to the system to account for the increased space usage.
If the answer to this question is "YES" then you should consider scaling your deployment to additional indexers to cope with the increased demand of indexing and searching.
Question 7: Do you need to search large quantities of data for a small set (less than 1 per cent) of results?
Searches that cover large quantities of data and return small sets of results are known as super-sparse searches. These searches require lots of disk I/O because the indexer must search a number of buckets to find the data you're looking for.
If the answer to this question is "NO" then you probably do not need to scale your deployment. However, adding indexers does improve both indexing and search performance.
If the answer to this question is "YES" then you should definitely consider scaling your deployment up. Read the following section to determine how Splunk calculates storage.
Summary of performance recommendations
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18