Splunk® Enterprise

Distributed Deployment Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

How deployments scale

The characteristics of a deployment vary according to the size. (Deployment size, for the purposes of this discussion, is based on daily indexing volume.) This topic attempts to identify, in broad terms, some key characteristics and considerations and indicate how they change as a deployment scales.

Note: Size is only one of many factors driving the needs and architecture of a deployment. The numbers presented in these tables are mere guidelines to help with planning. In addition, the scenarios described here are simply points on a size-based continuum. Actual numbers will vary considerably for each specific deployment.

Primary characteristics

The characteristics of a deployment change as it grows in size. This table gives you some idea of what to expect, with information on the Splunk components you'll need to deploy to meet the needs.

Departmental Small enterprise Medium enterprise Large enterprise
Indexing volume (daily) 0-20GB 20-100GB 100-300GB 300GB-1TB+
# of forwarders Median < 10; maximum 100 Median in the 10's; maximum in the 100's Median in the 10's; maximum in the low 1000's Median in the 10's; maximum in the 1000's
# of users Median < 10 Median in the 10's Median in the 10's; maximum in the low 100's Median in the 10's; maximum 500+
# of apps (pre-packaged and customer-developed, combined) 1-10 1-10 1-20+ 10-50
Indexer component 1 indexer 2-3 indexers 4-9 indexers 10+ indexers
Search head component Combined with indexer 1 stand-alone search head 2 search heads 3+ search heads
Configuration management function Manual configuration or deployment server Manual configuration or deployment server Deployment server or 3rd party tool Deployment server or 3rd party tool

Design considerations

This table summarizes some of the issues you need to consider when designing your deployment.

Departmental Small enterprise Medium enterprise Large enterprise
Forwarder issues Management, monitoring Load balancing, management, monitoring Load balancing, management, monitoring, intermediate forwarders Load balancing, management, monitoring, intermediate forwarders
Search issues User counts, alerts, apps Search head/indexer knowledge management, user counts Search head/indexer knowledge management, user counts, search head pooling, job servers Search head/indexer knowledge management, user counts, search head pooling, job servers
Scheduled search workload Alerts, app/dashboard dependent, summary searches Alerts, app/dashboard dependent, summary searches Alerts, app/dashboard dependent, summary searches, job server Alerts, app/dashboard dependent, summary searches, job server, API/SDK
Input types Network, scripted Network, scripted, batch, integrations Network, scripted, batch, integrations Network, scripted, batch, integrations
Availability Platform-dependent (RAID, power supplies) Data fabric (forwarder load balancing, storage, index replication) User interface (search head pooling, load balancers); data fabric (forwarder load balancing, storage, index replication) User interface (search head pooling, load balancers); data fabric (forwarder load balancing, storage, index replication)
Recoverability Backup, retention Backup, index replication, bucket/index restoration Backup, index replication, bucket/index restoration Backup, index replication, bucket/index restoration
Accessibility Local vs. enterprise authentication Authentication method Authentication method Authentication method
Staffing Admin: 0.5-1 person; search/dashboard/appdev/ knowledge manager: 0.25-1 person Admin: 0.5-1 person; search/dashboard/appdev/ knowledge manager: 0.5-1.5 persons Admin/architect: 1-2 persons; knowledge manager: 0.5-2 persons; search/dashboard/appdev: 1-3 persons; program/project manager: 1 person Admin: 2-4+ persons; architect: 1+ persons; knowledge manager: 2-5+ persons; search/dashboard/appdev: 2-6+ persons; program manager: 1 person; project manager: 0.5-2 persons

For information regarding training opportunities and professional services offerings, contact your Splunk sales representative.

PREVIOUS
Deployment toplogies
  NEXT
Hardware capacity planning for a distributed Splunk Enterprise deployment

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters