Splunk® Enterprise

Capacity Planning Manual

Download manual as PDF

Download topic as PDF

Determine when to scale your Splunk Enterprise deployment

Before you consider when and how to scale your environment, estimate how much data you need to index, and how many users are searching that data.

Performance questionnaire

This questionnaire begins with a single-instance Splunk Enterprise deployment based on the reference architecture described in the Reference machine for single-instance deployments topic. These guidelines help you decide when to distribute your Splunk platform deployment.

Question 1: Do you need to index more than 2GB of data per day?

Question 2: Do you need more than two users signed in at one time?

If you answer No to questions 1 and 2, then your Splunk platform instance can share a reference machine for distributed deployments with other Splunk platform services.

If you answer Yes to question 1 or 2, then proceed to Question 3.

Note When deploying Splunk Enterprise on Windows OS, do not utilize a host that provides Active Directory or Exchange services, or runs machine virtualization software. Those services are I/O intensive and can reduce Splunk Enterprise indexing and search performance.

Question 3: Do you need to index more than 300GB per day?

Question 4: Do you need more than four concurrent users?

If you answer No to questions 3 and 4, then a single dedicated Splunk Enterprise instance running on a reference machine can provide sufficient resources for the indexing and search workload. Go to Question 5.

If you answer Yes to question 3 or 4, then scale your Splunk Enterprise deployment to multiple machines to handle the increased demand of indexing and searching. Go to Question 5.

Question 5: Do you need more than 600GB of total storage?

See How Splunk Enterprise calculates disk storage.

If you answer No, then a single dedicated reference machine should be able to handle indexing and search workload, but you can consider adding additional storage to the machine to account for increased disk usage due to higher retention. Go to Question 6.

If you answer Yes, then scale your Splunk Enterprise deployment to multiple machines to handle the increased demand of indexing and searching. Go to Question 6.

Question 6: Do you want to create or run a Splunk app, alert, or solution that executes more than 8 concurrent saved searches?

Question 7: Do you need to search large quantities of data for a small set (less than 1 per cent) of results?

If you answer No to questions 6 and 7, you might not require multiple indexers in your Splunk Enterprise deployment at this time.

If you answer Yes to questions 6 or 7, then scale your Splunk Enterprise deployment to multiple machines to handle the increased demand of indexing and searching.

PREVIOUS
Reference hardware
  NEXT
Summary of performance recommendations

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters