These guidelines help you decide when to distribute your Splunk Enterprise deployment.
This questionnaire assumes that you have a single-instance Splunk Enterprise deployment based on the reference architecture described in "Reference hardware."
Determine when to scale your Splunk Enterprise deployment
Before you consider when to scale, estimate how much data you need to index and whether you need more than one concurrent Splunk Enterprise user to search that data.
Depending on how much data you index and how many concurrent users you require, you might need to scale your environment to multiple machines. Even if your indexing amount and user count fall within the capabilities of a single server, you might have to distribute your deployment based on the types of searches you use and whether you use summary indexes.
To run a Splunk app or solution in your Splunk environment, or to create elements that generate a large number of saved searches, you might have to distribute Splunk Enterprise components across a number of machines.
Question 1: Do you want to create or run a Splunk app, alert, or solution that executes a large number (more than 8 concurrently) of saved searches?
A saved search is a search that a user saves in Splunk Enterprise to make it available for later use. The number of saved searches, especially those that run concurrently, has a direct impact on a Splunk server's performance. If you answer No, then go to Question 2. You don't yet need to consider scaling your Splunk Enterprise deployment to multiple machines.
If you answer Yes, then scale your Splunk Enterprise deployment to multiple machines.
Question 2: Do you need to index more than 2GB of data per day?
Question 3: Do you need more than two users signed in at one time?
If you answer No to questions 2 and 3, then your Splunk Enterprise instance can share one of the reference servers with other services, with the caveat that Splunk Enterprise must have sufficient disk I/O bandwidth on the shared machine.
If you answer Yes to question 2 or 3, then proceed to Question 4.
Caution: If you deploy Splunk Enterprise on Windows, do not share full Splunk Enterprise services on servers that run Microsoft Exchange, Active Directory domain services, or machine virtualization software. Those services are often disk I/O intensive and can reduce indexing and search performance. Additionally, make sure that antivirus software installed on the server does not scan the Splunk Enterprise installation directory.
Question 4: Do you need to index more than 250GB per day?
Question 5: Do you need more than four concurrent users?
If you answer No to questions 4 and 5, then a single dedicated Splunk Enterprise instance running on a reference machine should be able to handle the indexing and search workload.
If you answer Yes to question 4 or 5, then go to Question 6.
Question 6: Do you need more than 500GB of total storage?
If you answer No, then a single dedicated reference machine should be able to handle the indexing and search workload, but you might need to add fast storage to the system to account for the increased disk usage.
If you answer Yes, then consider scaling your deployment to additional indexers to handle the increased demand of indexing and searching.
Question 7: Do you need to search large quantities of data for a small set (less than 1 per cent) of results?
Searches that cover large quantities of data and return small sets of results are called super-sparse searches. These searches require lots of disk I/O, because the indexer must search a number of buckets to find the data you're looking for.
If you answer No, then you do not need to scale your deployment. However, adding indexers improves both indexing and search performance.
If you answer Yes, then consider scaling your deployment.
Summary of performance recommendations
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15