Splunk® Enterprise

Distributed Deployment Manual


This documentation does not apply to the most recent version of Splunk.

Hardware capacity planning for a distributed Splunk Enterprise deployment

If you have larger indexing or searching requirements, run Splunk Enterprise apps or solutions that generate or execute a lot of saved searches, or regularly employ I/O-intensive searches, then you should scale your deployment to address the increased resource overhead that those operations incur. For an overview of what a distributed Splunk Enterprise deployment is, review "Distributed Splunk Enterprise overview" in this manual.

In many cases, this involves using distributed search to run searches in parallel across multiple indexers at once. You can gather data from machines using Splunk Enterprise forwarders and, optionally, configure those servers to send data to multiple indexers at once to reduce search time. For information on the individual elements of a Splunk Enterprise deployment, read "Components of a Splunk Enterprise deployment" in the Installation Manual.

Estimate hardware requirements

While determining the hardware requirements for your distributed Splunk Enterprise deployment, there are a number of things you must consider.

You must understand how various Splunk Enterprise activities affect the resource overhead required to perform them. Each of the following activities has a direct impact on the overall performance of Splunk Enterprise:

  • The amount of data you index.
  • The number of concurrent users.
  • The number of saved searches you run.
  • The types of search you employ.
  • The number of apps or solutions you implement.
  • When you run apps, whether or not those apps execute a large number of saved searches.

When you add more indexers to a deployment, you increase the amount of available indexing capacity by reducing the indexing overhead per server. Consequently, reduced indexing overhead also means reduced search time.

But that is only half the story. While Splunk Enterprise scales across multiple indexers, the amount of indexing throughput becomes less important as either the number of concurrent users or saved searches increases. Additionally, depending on the kinds of searches you employ against your data, the resource needs for searching can become as important as the resource needs for indexing.

For additional information on estimating your hardware requirements, read the following topics, all in this manual:

Considerations for clusters

There are some additional hardware issues to consider if you're implementing Splunk Enterprise clusters. See "System requirements and other deployment considerations" in the Managing Indexers and Clusters manual.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
