Splunk® Enterprise

Installation Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Performance questionnaire


This topic helps you decide whether to distribute your Splunk Enterprise deployment.

This questionnaire is for a single-server Splunk Enterprise deployment based on the reference architecture described in "Reference hardware."

Determine when to scale your Splunk Enterprise deployment

Before you consider whether or not to scale, estimate how much data you need to index, and whether or not you need more than one concurrent Splunk user to search that data.

Depending on how much data you index and how many concurrent users you require, you might need to scale your environment to multiple machines. Even if your indexing amount and user count fall within the capabilities of a single server, you might have to distribute your deployment based on the types of searches you employ, and whether or not you use summary indexes.

If you want to run a Splunk app or solution in your Splunk environment, or you create elements that generate a large number of saved searches, you might have to distribute Splunk Enterprise components across a number of machines.

Question 1: Do you want to create or run a Splunk app, alert or solution that executes a large number of saved searches (more than 8 concurrently)?

A saved search is a search that a user saves to make available for later use. The number of saved searches, especially those run concurrently, directly impacts a Splunk server's performance. If you answered "NO" to this question, then proceed to Question 2. You don't need to consider scaling your Splunk Enterprise deployment to multiple machines just yet.

However, if you answered "YES" then you should scale your Splunk Enterprise deployment to multiple machines. Review detailed information on hardware capacity planning for distributed Splunk Enterprise deployments in "Hardware capacity planning for a distributed Splunk Deployment" in the Distributed Deployment Manual.

Question 2: Do you need to index more than 2 GB of data per day?

Question 3: Do you need more than 2 users signed in at one time?

If the answer to both questions is "NO" then your Splunk Enterprise instance can safely share one of the reference servers with other services, with the caveat that Splunk Enterprise must have sufficient disk I/O bandwidth on the shared machine.

If you answered "YES" to either question then proceed to Question 4.

Note: If you are deploying Splunk Enterprise on Windows, you must not share full Splunk Enterprise services on servers that run Microsoft Exchange, Active Directory domain services, or machine virtualization software. This is because those services are often very disk I/O intensive, and can dramatically reduce indexing and search performance. Additionally, you must ensure that any anti-virus software installed on the server does not scan the Splunk Enterprise installation directory.
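One way to check the anti-virus requirement in the note above, as an added example that is not part of the Splunk documentation. It assumes Microsoft Defender is the anti-virus product and that Splunk Enterprise is installed in `C:\Program Files\Splunk`; both are assumptions, so adjust them for your product and path.

```powershell
#Requires -RunAsAdministrator
# Added example: verify that the Splunk Enterprise installation directory is
# excluded from Microsoft Defender scanning, and that the exclusion is scoped
# to that directory rather than to a broader parent path.

# Assumption: default install location. Change it if Splunk is installed elsewhere.
$SplunkHome = 'C:\Program Files\Splunk'

function Test-PathCoveredBy {
    # True when $Exclusion is $Path itself or one of its parent directories.
    # Compares literal paths only; wildcard or %VAR% exclusions are not expanded.
    param([string]$Path, [string]$Exclusion)
    $p = $Path.TrimEnd('\') + '\'
    $e = $Exclusion.TrimEnd('\') + '\'
    return $p.StartsWith($e, [System.StringComparison]::OrdinalIgnoreCase)
}

# Current Defender path exclusions (empty when none are configured).
$current = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })

# Exclusions that already cover the Splunk directory.
$covering = @($current | Where-Object { Test-PathCoveredBy -Path $SplunkHome -Exclusion $_ })

# Covering exclusions that are broader than the Splunk directory itself.
$tooBroad = @($covering | Where-Object { $_.TrimEnd('\') -ine $SplunkHome.TrimEnd('\') })

if ($tooBroad.Count -gt 0) {
    # A parent-level exclusion disables scanning for far more than Splunk needs.
    Write-Warning ("Splunk directory is covered by a broader exclusion: " +
        ($tooBroad -join '; ') + ". Consider narrowing it to $SplunkHome.")
}

if ($covering.Count -eq 0) {
    # Nothing covers the directory yet: add an exclusion for it only.
    Add-MpPreference -ExclusionPath $SplunkHome
    Write-Output "Added Defender exclusion for $SplunkHome"
} else {
    Write-Output "Defender already excludes $SplunkHome (via: $($covering -join '; '))"
}
```

Because the excluded directory is no longer scanned, keep the exclusion limited to the installation directory and restrict write access to it with file system permissions.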

Question 4: Do you need to index more than 250 GB per day?

Question 5: Do you need more than 4 concurrent users?

If the answer to both questions is "NO" then a single dedicated Splunk Enterprise server of our reference architecture should be able to handle your workload.

Question 6: Do you need more than 500 GB of total storage?

Read "How Splunk Enterprise calculates disk storage" to learn how Splunk Enterprise calculates disk storage.

If the answer to this question is "NO" then a single dedicated reference server should be able to handle your workload, but you might need to add fast storage to the system to account for the increased space usage.

If the answer to this question is "YES" then you should consider scaling your deployment to additional indexers to cope with the increased demand of indexing and searching.

Question 7: Do you need to search large quantities of data for a small set (less than 1 per cent) of results?

Searches that cover large quantities of data and return small sets of results are known as super-sparse searches. These searches require lots of disk I/O because the indexer must search a number of buckets to find the data you're looking for.

If the answer to this question is "NO" then you probably do not need to scale your deployment. However, adding additional indexers does improve both indexing and search performance.

If the answer to this question is "YES" then you should definitely consider scaling your deployment up. Read the following section to determine how Splunk Enterprise calculates storage.

Last modified on 15 July, 2014

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
