Splunk Sizing Resources and Recommendations
Sizing Splunk is not always trivial, especially if it is used for other use cases in addition to uberAgent. We generally recommend working with one of our partners.
That being said, this page lists some basic recommendations as well as resources that should help with sizing Splunk. Before we start, please keep in mind that the only generic answer any good consultant will give is: "it depends". Because it does.
Splunk Sizing Considerations
Hardware Resources: CPU and Disk
Splunk primarily needs CPU and disk resources; RAM matters less than it does for some other workloads. Make sure you have enough disk space for the planned retention time as well as a disk subsystem that delivers good IOPS numbers.
Accelerated Data Model
uberAgent’s Splunk app makes use of an accelerated data model which speeds up searches by about 50-100x. The data model’s high-performance analytics store (HPAS) is located on the indexers. Generating the HPAS incurs some additional indexer CPU load and requires additional disk storage.
Heavy Forwarders
Splunk Heavy Forwarders (HFs) can often be a useful third tier, logically situated between the uberAgent endpoints and the Splunk indexers. If you are deploying uberAgent to tens of thousands of endpoints, keep in mind that high numbers of simultaneous network connections may place a significant load on the HFs. Monitor heavy forwarder performance and be prepared to scale out.
Splunk Sizing Recommendations
- Always start with a PoC and closely monitor Splunk performance during that phase.
- Measure uberAgent’s data volume, keeping in mind that optimization is often possible.
- Due to the accelerated data model, uberAgent’s Splunk load profile is somewhat similar to Splunk’s Enterprise Security (ES) app. When looking at sizing guides, base your calculations on the ES use case.
Splunk Sizing Resources
- Splunk’s Capacity Planning Manual and its chapter on reference hardware and its summary of performance recommendations
- The deployment planning chapter from Splunk’s Enterprise Security installation and upgrade manual
- Splunk’s unofficial storage sizing calculator
- Hurricane Labs’ Splunking Responsibly blog series. Part 1: considerations for managing limited system resources and Part 2: sizing your storage
- Aplura’s Splunk best practices