This questionnaire assumes that you have a single-instance Splunk Enterprise deployment based on the reference architecture described in the Reference machine for single-instance deployments topic. These guidelines help you decide when to distribute your Splunk platform deployment.
Determine when to scale your Splunk Enterprise deployment
Before you consider when to scale, estimate how much data you need to index and if there will be more than one active user searching that data.
Depending on how much data you index and how many concurrent users you require, you might need to scale your environment to multiple machines. Even if your indexing volume and user count fall within the capabilities of a single machine, you might have to distribute your deployment based on the types of searches you run and your use of features such as summary indexing or data model acceleration. Running a Splunk app or solution in your environment, or supporting a large number of saved searches, can also require a distributed Splunk platform deployment with the components spread across a number of machines.
Question 1: Do you want to create or run a Splunk app, alert, or solution that executes a large number (more than 8 concurrently) of saved searches?
A saved search is a search that a user saves in Splunk Enterprise to make it available for later use. The number of saved searches, especially those that run concurrently, has a direct impact on a Splunk server's performance.
If you answer No, then go to Question 2. You don't yet need to consider scaling your Splunk Enterprise deployment to multiple machines.
If you answer Yes, then scale your Splunk Enterprise deployment to multiple machines.
Question 2: Do you need to index more than 2GB of data per day?
Question 3: Do you need more than two users signed in at one time?
If you answer No to questions 2 and 3, then your Splunk platform instance can share a reference machine for distributed deployments with other Splunk platform services.
If you answer Yes to question 2 or 3, then proceed to Question 4.
Caution: If you deploy Splunk Enterprise on Windows, do not run full Splunk Enterprise services on servers that also run Microsoft Exchange, Active Directory domain services, or machine virtualization software. Those services are often disk I/O intensive and can reduce indexing and search performance. Additionally, make sure that antivirus software installed on the server does not scan the Splunk Enterprise installation directory.
Question 4: Do you need to index more than 300GB per day?
Question 5: Do you need more than four concurrent users?
If you answer No to questions 4 and 5, then a single dedicated Splunk Enterprise instance running on a reference machine should be able to handle the indexing and search workload.
If you answer Yes to question 4 or 5, then go to Question 6.
Question 6: Do you need more than 600GB of total storage?
If you answer No, then a single dedicated reference machine should be able to handle the indexing and search workload, but you might need to add fast storage to the system to account for the increased disk usage.
If you answer Yes, then consider scaling your deployment to additional indexers to handle the increased demand of indexing and searching.
Question 7: Do you need to search large quantities of data for a small set (less than 1 per cent) of results?
Searches that cover large quantities of data and return small sets of results are called super-sparse searches. These searches require lots of disk I/O, because the indexer must search a number of buckets to find the data you're looking for.
If you answer No, then you do not need to scale your deployment. However, adding indexers will improve both indexing and search performance.
If you answer Yes, then consider scaling your deployment.
Summary of performance recommendations
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11