Scaling Splunk 101
Quick Overview of Scaling Splunk with Commodity Hardware
Erik Swan
Oct, 09
** Slides intentionally ugly, no designers were harmed during construction

Single Server Install
Commodity Architecture
The simplest Splunk install is a single server that functions as both indexer and search head. A single box can easily index 100-200G per day, BUT for fast searching it's best to use more than one box.
[Diagram: Data from Splunk Forwarders, Syslog, Files, etc. -> Splunk (all in one) -> Users]

Improving Search and Indexing Performance
Splunk scales search and indexing performance horizontally by adding more indexers and, in some cases, scaling out a search tier. By spreading the incoming load across more indexers you index faster. Perhaps more importantly, by spreading the indexed data across more indexers your search performance improves linearly as well. Consider that every doubling of hardware will double your index and search performance, and don’t be shy of adding 10s of servers.
RULE #1 – If your searches are slow, add another box!

Adding a Search Head
By splitting out a Search Head, search performance is improved and load is taken off the indexer for faster indexing. Best to add sooner rather than later.
Best for volumes between 5-100G p/day: 1 Indexer, 1 Search Head
[Diagram: Data from Splunk Forwarders, Syslog, Files, etc. -> Splunk Indexer -> Splunk Search Head -> Users]

Adding a second Indexer
As volume goes up beyond 100G, OR you want to improve search performance, it's best to add a second Indexer.
**Remember, adding indexers improves search performance linearly as well.
Best for volumes 20-200G p/day: 2 Indexers, 1 Search Head
[Diagram: Data from Splunk Forwarders, Syslog, Files, etc. -> 2 Splunk Indexers -> Splunk Search Head -> Users]

Adding additional Indexers
For every new ~100G, or again to improve search performance, add another indexer.
RULE #1: If searches are slow, add another indexer.
For volumes from 200G-1T p/day
[Diagram: TBs/day from Splunk Forwarders and Syslog -> (n) Splunk Indexers -> Splunk Search Head -> Users]

Adding additional Indexers: use cases
Assume 100G p/day:
Use Case #1 (log archival and some periodic troubleshooting): 1 Commodity Server
Use Case #2 (archival, troubleshooting and summary reporting): 1 Index Server, 1 Search Server
Use Case #3 (archival, troubleshooting, and reporting): 2 Index Servers, 1 Search Server
Use Case #4 (many ( >2 ) users doing constant use): 3+ Index Servers, 1 Search Server

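Added example, not from the original slides: a forwarder-side outputs.conf that spreads incoming data across the indexer tier described above. Host names and the group name are placeholders, port 9997 assumes the indexers are configured to receive there, and the settings are those of current Splunk releases rather than the 2009 version the slides were written for.

```ini
# outputs.conf on each forwarder (added example; host names are placeholders)
[tcpout]
defaultGroup = indexer_tier

[tcpout:indexer_tier]
# Listing several indexers makes the forwarder load-balance across them.
# Growing the tier ("add another box") means adding a host to this list.
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997

# How often (seconds) the forwarder switches to another indexer in the list,
# which is what spreads indexed data evenly across the tier. 30 is the default.
autoLBFrequency = 30

# Indexer acknowledgement: the forwarder keeps data until an indexer confirms
# it was written, so events are not lost when an indexer drops out of the tier.
useACK = true
```

An uneven spread of data defeats the linear search scaling the slides rely on, because each search waits for the indexer holding the most data.
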
Adding additional Search Heads
Adding more Search Heads is a convenient way to improve search performance.
Add additional Search Heads when:
- It makes sense to partition users.
- To offload summary or scheduled searches.
[Diagram: TBs/day from Splunk Forwarders and Syslog -> (n) Splunk Indexers -> (n) Splunk Search Heads, 1~ 4T each p/day -> Load Bal. -> Users]

Adding additional Search Heads: use cases
Assuming a load of 1T p/day:
Use Case #1 (log archival and some periodic troubleshooting): 4 Index Servers, 1 Search Server
Use Case #2 (archival, troubleshooting and some summary reporting): 8+ Index Servers, 1 Search Server
Use Case #3 (archival, troubleshooting, and reporting): 16+ Index Servers, 1 Search Server
Use Case #4 (many ( >2 ) users doing constant use): 20+ Index Servers, 1 Search Server
For every new ~TB p/day, add another search head.
For volumes > 2T p/day: (n) Indexers each <100G p/day, (m) Search Heads for every ~1T p/day

Long term storage, add a SAN
Long term storage cannot be kept on local commodity IO. If you want to keep more data than fits on local indexer disk, Splunk can be configured to use a SAN or other storage device.
Best for keeping >30 day to multi-year data.
[Diagram: TBs/day from Splunk Forwarders and Syslog -> (n) Splunk Indexers backed by a Tier 1 SAN -> Splunk Search Heads -> Load Bal. -> Users]

Multi-datacenter or deployment
If you have multiple data centers, it is often best to leave the data local and use distributed search between the two deployments. If you have data that naturally partitions such that users would rarely search across it, partitioning entire deployments can help. Separate deployments obviously help with DR as well.

Additional Scaling Topics
Summary Indexing – If your searches are slow, consider using summary indexing:
  video - http://www.splunk.com/view/SP-CAAACZW
  docs - http://www.splunk.com/base/Documentation/4.0.5/User/UseSummaryIndexingForIncreasedReportingEfficiency
Routing High Volume data to Separate Index – If you are searching or reporting on a source that is dwarfed by the volume of another source, you can partition data such that the high volume source is in its own index:
  docs - http://www.splunk.com/base/Documentation/latest/Admin/Setupmultipleindexes#Why_have_multiple_indexes.3F
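
Added example, not from the original slides: one way to combine the separate-index advice above with the SAN slide, giving a high-volume source its own index whose older buckets live on SAN storage. The index name, sourcetype, paths and size values are placeholders chosen for illustration, and the settings are those of current Splunk releases.

```ini
# ---- indexes.conf on each indexer (added example; names and paths are placeholders)
[firewall]
# Hot and warm buckets hold the most recent data, which is searched most often.
# Keep them on fast local disk.
homePath   = $SPLUNK_DB/firewall/db

# Cold buckets hold older data. Pointing coldPath at the SAN mount is how
# retention grows beyond what local indexer disk can hold.
coldPath   = /mnt/san/splunk/firewall/colddb

# Required for every index: where archived buckets are placed when restored.
thawedPath = /mnt/san/splunk/firewall/thaweddb

# Cap local (hot + warm) usage at roughly 200 GB; the oldest warm buckets roll
# to coldPath on the SAN once the cap is reached.
homePath.maxDataSizeMB = 200000

# Retention by age: buckets whose newest event is older than this are frozen
# (deleted unless an archive destination is configured).
# 63072000 s = 730 days, i.e. the multi-year case from the SAN slide.
frozenTimePeriodInSecs = 63072000

# Retention by size applies as well, and whichever limit is hit first wins.
# The default (500000 MB) would freeze data long before two years at high
# volume, so raise it to match the SAN capacity set aside for this index.
maxTotalDataSizeMB = 20000000

# ---- inputs.conf where the high-volume source is collected
[monitor:///var/log/firewall]
# Route this source into its own index so searches over smaller sources
# in other indexes do not have to scan past it.
index = firewall
sourcetype = firewall_log
```

Retention is set per index, so the high-volume source can follow a different age and size policy from everything else once it is split out.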
