Splunk® Enterprise

Capacity Planning Manual

This documentation does not apply to the most recent version of Splunk.

Performance checklist

These guidelines help you decide when to distribute your Splunk Enterprise deployment.

This questionnaire assumes that you have a single-instance Splunk Enterprise deployment based on the reference architecture described in "Reference hardware."

Determine when to scale your Splunk Enterprise deployment

Before you consider when to scale, estimate how much data you need to index and whether you need more than one concurrent Splunk Enterprise user to search that data.

Depending on how much data you index and how many concurrent users you require, you might need to scale your environment to multiple machines. Even if your indexing amount and user count fall within the capabilities of a single server, you might have to distribute your deployment based on the types of searches you use and whether you use summary indexes.

To run a Splunk app or solution in your Splunk environment, or to create elements that generate a large number of saved searches, you might have to distribute Splunk Enterprise components across a number of machines.

Question 1: Do you want to create or run a Splunk app, alert, or solution that executes a large number (more than 8 concurrently) of saved searches?

A saved search is a search that a user saves in Splunk Enterprise to make it available for later use. The number of saved searches, especially those that run concurrently, has a direct impact on a Splunk server's performance. If you answer No, then go to Question 2. You don't yet need to consider scaling your Splunk Enterprise deployment to multiple machines.

If you answer Yes, then scale your Splunk Enterprise deployment to multiple machines.

Question 2: Do you need to index more than 2GB of data per day?

Question 3: Do you need more than two users signed in at one time?

If you answer No to questions 2 and 3, then your Splunk Enterprise instance can share one of the reference servers with other services, with the caveat that Splunk Enterprise must have sufficient disk I/O bandwidth on the shared machine.

If you answer Yes to question 2 or 3, then proceed to Question 4.

Caution: If you deploy Splunk Enterprise on Windows, do not share full Splunk Enterprise services on servers that run Microsoft Exchange, Active Directory domain services, or machine virtualization software. Those services are often disk I/O intensive and can reduce indexing and search performance. Additionally, make sure that antivirus software installed on the server does not scan the Splunk Enterprise installation directory.

Question 4: Do you need to index more than 250GB per day?

Question 5: Do you need more than four concurrent users?

If you answer No to questions 4 and 5, then a single dedicated Splunk Enterprise instance running on a reference machine should be able to handle indexing and search workload.

If you answer Yes to question 4 or 5, then go to Question 6.

Question 6: Do you need more than 500GB of total storage?

See "How Splunk Enterprise calculates disk storage."

If you answer No, then a single dedicated reference machine should be able to handle indexing and search workload, but you might need to add fast storage to the system to account for the increased disk usage.

If you answer Yes, then consider scaling your deployment to additional indexers to handle the increased demand of indexing and searching.

Question 7: Do you need to search large quantities of data for a small set (less than 1 per cent) of results?

Searches that cover large quantities of data and return small sets of results are called super-sparse searches. These searches require lots of disk I/O, because the indexer must search a number of buckets to find the data you're looking for.

If you answer No, then you do not need to scale your deployment. However, adding indexers improves both indexing and search performance.

If you answer Yes, then consider scaling your deployment.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15


Comments

Why do we say "If you answer No to questions 4 and 5, then a single dedicated Splunk Enterprise instance running on a reference machine should be able to handle indexing and search workload." but on the next page claim that 250 GB requires separating the SH and Indexer? @ 250/day a single server should suffice, but the matrix on the next page shows otherwise.

Adauria splunk
April 21, 2015
