Splunk® Enterprise

Capacity Planning Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Performance checklist

This questionnaire assumes that you have a single-instance Splunk Enterprise deployment based on the reference architecture described in the Reference machine for single-instance deployments topic. These guidelines help you decide when to distribute your Splunk platform deployment.

Determine when to scale your Splunk Enterprise deployment

Before you consider when to scale, estimate how much data you need to index and if there will be more than one active user searching that data.

Depending on how much data you index and how many concurrent users you require, you might need to scale your environment to multiple machines. Even if your indexing volume and user count falls within the capabilities of a single machine, you might have to distribute your deployment based on the types of searches used and use of features such as summary indexing or data model acceleration. Also, running a Splunk app or solution on your environment, or attempting to support a large number of saved searches can require a distributed Splunk platform with the components spread across a number of machines.

Question 1: Do you want to create or run a Splunk app, alert, or solution that executes a large number (more than 8 concurrently) of saved searches?

A saved search is a search that a user saves in Splunk Enterprise to make it available for later use. The number of saved searches, especially those that run concurrently, has a direct impact on a Splunk server's performance. If you answer No, then go to Question 2. You don't yet need to consider scaling your Splunk Enterprise deployment to multiple machines.

If you answer Yes, then scale your Splunk Enterprise deployment to multiple machines.

Question 2: Do you need to index more than 2GB of data per day?

Question 3: Do you need more than two users signed in at one time?

If you answer No to questions 2 and 3, then your Splunk platform instance can share a reference machine for distributed deployments with other Splunk platform services.

If you answer Yes to question 2 or 3, then proceed to Question 4.

Caution To deploy Splunk Enterprise on Windows, do not share full Splunk Enterprise services on servers that run Microsoft Exchange, Active Directory domain services, or machine virtualization software. Those services are often disk I/O intensive and can reduce indexing and search performance. Additionally, make sure that antivirus software installed on the server does not scan the Splunk Enterprise installation directory.

Question 4: Do you need to index more than 300GB per day?

Question 5: Do you need more than four concurrent users?

If you answer No to questions 4 and 5, then a single dedicated Splunk Enterprise instance running on a reference machine should be able to handle indexing and search workload.

If you answer Yes to question 4 or 5, then go to Question 6.

Question 6: Do you need more than 600GB of total storage?

See How Splunk Enterprise calculates disk storage.

If you answer No, then a single dedicated reference machine should be able to handle indexing and search workload, but you might need to add fast storage to the system to account for the increased disk usage.

If you answer Yes, then consider scaling your deployment to additional indexers to handle the increased demand of indexing and searching.

Question 7: Do you need to search large quantities of data for a small set (less than 1 per cent) of results?

Searches that cover large quantities of data and return small sets of results are called super-sparse searches. These searches require lots of disk I/O, because the indexer must search a number of buckets to find the data you're looking for.

If you answer No, then you do not need to scale your deployment. However, adding additional indexers will improve both indexing and search performance.

If you answer Yes, then consider scaling your deployment.

PREVIOUS
Reference hardware
  NEXT
Summary of performance recommendations

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters