Splunk® Enterprise

Distributed Deployment Manual


Deployment topologies

To help with your planning, this topic describes a scaled series of representative topologies:

  • Departmental
  • Small enterprise
  • Medium enterprise
  • Large enterprise

These representations are just points on a continuous scale, ranging from single-server deployments to deployments that provide enterprise-wide coverage for a large number of use cases.

In addition, the topic includes a brief section on indexer cluster topologies. Indexer clusters can be implemented at any of the enterprise levels.

Note: The terms "small enterprise", "medium enterprise", etc., do not specifically address the size of the enterprise using Splunk; rather, they are indicators of the breadth and depth of the functions Splunk supports in the enterprise. As awareness of the value Splunk can provide to an organization grows with continued success, the size of a deployment also typically grows. So, for example, a Fortune 500 company might start with a departmental-level, single-server Splunk installation for a very specific use case, and then, over time, transition through small enterprise and medium enterprise, to eventually adopt a large enterprise deployment providing key value to organizations and use cases distributed throughout the company.

Departmental

A departmental deployment is, as the term implies, designed to meet the relatively simple needs of a single department within an organization. These deployments typically consist of:

  • A single Splunk instance, combining the functionality of both an indexer and a search head.
  • Indexing volume of under 20GB/day.
  • A relatively small number of forwarders sending data to the instance, typically less than 10 and rarely exceeding 100.
  • Updates handled either manually or via a deployment server resident on the indexer.
  • A few users, typically less than 10.

This diagram shows the components of a departmental deployment:


Archetypal Deployment - Departmental 60.png

Small enterprise

A small enterprise deployment is the next step in the continuum of Splunk deployments, providing a small degree of horizontal scaling. These deployments typically consist of:

  • Several Splunk instances; for example, two or three indexers and a single search head that allows users to run combined searches across all the indexers.
  • Indexing volume between 20 and 100GB/day.
  • Up to several hundred forwarders feeding data to the indexers. The forwarders typically make use of load balancing to distribute the data across the indexers.
  • Updates handled either manually or via a deployment server resident on the search head.
  • A larger number of users, but generally well under 100.

This diagram shows the components of a small enterprise deployment:


Archetypal Deployment - Enterprise Small 60.png
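The load balancing mentioned above is configured on each forwarder in outputs.conf, with the matching receiving port opened on every indexer in inputs.conf. The following is an added illustration, not configuration taken from this manual: the hostnames, the port, the certificate paths and the password value are assumptions, and the TLS and acknowledgment settings are shown because a deployment that fans data out to several indexers should protect that traffic in transit and confirm that each indexer actually received it.

```ini
# outputs.conf on each forwarder (added example; hostnames, port and paths are assumed)
[tcpout]
defaultGroup = small_enterprise_indexers

[tcpout:small_enterprise_indexers]
# The forwarder rotates across this list, switching indexer every autoLBFrequency seconds
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997
autoLBFrequency = 30
# Indexer acknowledgment: data is only considered delivered once the indexer confirms it
useACK = true
# Encrypt forwarder-to-indexer traffic and verify the indexer's certificate
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslPassword = <CERT-PASSWORD-PLACEHOLDER>
sslVerifyServerCert = true

# inputs.conf on each indexer (added example): accept only TLS connections from forwarders
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
password = <CERT-PASSWORD-PLACEHOLDER>
# Reject forwarders that do not present a certificate signed by the trusted CA
requireClientCert = true
```

With useACK enabled the forwarder holds data in its wait queue until the receiving indexer acknowledges it, so a failed indexer causes the forwarder to resend to another member of the server list rather than silently dropping events; requireClientCert on the indexer side means an arbitrary host on the network cannot inject data simply by connecting to port 9997.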

Medium enterprise

A medium enterprise deployment is further along the growth curve in Splunk deployments, with a larger degree of horizontal scaling. These deployments might consist of:

  • A larger number of Splunk instances; for example, five or more indexers and a couple of search heads.
  • Indexing volume between 100 and 300GB/day.
  • Up to a few thousand forwarders feeding load-balanced data to the indexers.
  • Updates handled by a separate configuration management tool, either a stand-alone deployment server or a third-party tool like Puppet or Chef.
  • A larger number of users, possibly numbering a hundred or more.

This diagram shows the components of a medium enterprise deployment:


Archetypal Deployment - Enterprise Medium 60.png

Large enterprise

A large enterprise deployment handles functions across the enterprise, spanning multiple data centers. These deployments might consist of:

  • A large number of Splunk instances; for example, several dozen indexers and as many as 10 search heads.
  • Indexing volume ranging from 300GB to many TBs per day.
  • Many thousands of forwarders.
  • Updates handled by a separate configuration management tool, either a stand-alone deployment server or a third-party tool like Puppet or Chef.
  • A large number of users, potentially numbering in the several hundreds.

This diagram shows the components of a large enterprise deployment:


Archetypal Deployment - Enterprise Large 60.png

Indexer clusters

Although the topologies described earlier do not address index replication, you can implement indexer clusters for any of the enterprise-level topologies, according to your availability requirements. Doing so will require an increase in the number of Splunk Enterprise instances beyond the numbers mentioned above. For example, here is a representative indexer cluster topology for a small enterprise deployment:


Archetypal Deployment - Cluster 60.png

This is an example of a small indexer cluster with three peer nodes (indexers) and a replication factor of 3. Since the replication factor of 3 means that all data will be replicated across all three peers, this scenario essentially replaces a very small enterprise with one to two indexers. Because of the way clusters store data, the cluster would not require fully three times as much storage as its non-cluster equivalent.

As the diagram indicates, you can scale a cluster topology in the same way that you scale any non-cluster Splunk deployment, adding peers and forwarders as needed. You can also add additional search heads.

For more information, read "About indexer clusters and index replication" in the Managing Indexers and Clusters of Indexers manual.
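The three-peer cluster with a replication factor of 3 shown above is defined in server.conf on the master node, on each peer and on the search head. The following is an added example, not configuration from this manual; the master hostname, the replication port, the search factor of 2 and the pass4SymmKey placeholder are assumptions. The same pass4SymmKey value must be set on every node in the cluster, and it should be a strong secret, since it is what authenticates a host as a member of the cluster.

```ini
# server.conf on the master node (added example; values are assumed)
[clustering]
mode = master
# Every bucket is stored on all three peers, matching the diagram above
replication_factor = 3
# Only two of the three copies need to be searchable; the third is a raw-data copy,
# which is why the cluster needs less than three times the storage of a single indexer
search_factor = 2
pass4SymmKey = <CLUSTER-SECRET-PLACEHOLDER>

# server.conf on each of the three peer nodes
[replication_port://9887]

[clustering]
master_uri = https://cluster-master.example.com:8089
mode = slave
pass4SymmKey = <CLUSTER-SECRET-PLACEHOLDER>

# server.conf on the search head
[clustering]
master_uri = https://cluster-master.example.com:8089
mode = searchhead
pass4SymmKey = <CLUSTER-SECRET-PLACEHOLDER>
```

Restart each node after editing server.conf; the peers then register with the master over port 8089 and begin replicating buckets over port 9887, so both ports should be reachable between cluster members and restricted from hosts that are not part of the cluster.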

Search head clusters

You can combine multiple search heads into a search head cluster. This allows the search heads to share configurations, job scheduling, and search artifacts. As with indexer clusters, you can employ search head clusters for any enterprise-level topology. Here is a relatively small-scale search head cluster:

Searchhead cluster.png

This cluster consists of three search heads, with a load balancer to coordinate user requests and several search peers that hold the indexed data. See "About search head clustering" in the Distributed Search manual.

In place of multiple independent search peers, you can optionally deploy an indexer cluster.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
