Architecting Splunk Deployment
- Scale Splunk Enterprise functionality to handle the data needs for enterprises of any size and complexity.
- Access diverse or dispersed data sources.
- Achieve high availability and ensure disaster recovery with data replication and multisite deployment.
Splunk Enterprise performs three key functions as it processes data:
- It ingests data from files, the network, or other sources.
- It parses and indexes the data.
- It runs searches on the indexed data.
Types of processing components
There are three main types of processing components:
- Forwarders
- Indexers
- Search heads
- Data input. Data enters the system through forwarders, which consume external data, perform a small amount of preprocessing on it, and then forward the data to the indexers.
- Indexing. Two or three indexers receive, index, and store incoming data from the forwarders. The indexers also search that data in response to requests from the search head. The indexers reside on dedicated machines.
- Search management. A single search head performs the search management function. It handles search requests from users and distributes the requests across the set of indexers, which perform the actual searches on their local data. The search head then consolidates the results from all the indexers and serves them to the users.
An indexer cluster is a group of Splunk Enterprise indexers that are configured to replicate each other's data, so that the system keeps multiple copies of all data. Indexer clusters have these additional characteristics:
- They include a capability to coordinate configuration updates easily across all indexers in the cluster.
- They include a built-in distributed search capability.
- They feature indexer discovery, which enables the set of forwarders to automatically load-balance across all indexers in the cluster.
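To show how the three cluster properties above are actually wired together, here is an added example (not from the original notes or the Splunk documentation page) of the relevant stanzas in three files: the cluster master's server.conf, a peer indexer's server.conf, and a forwarder's outputs.conf that uses indexer discovery to load-balance across the peers. The hostname, cluster label and the two pass4SymmKey values are placeholders; the stanza names follow the Splunk 7.0.x naming used on this page.

```ini
# ---- server.conf on the cluster master (placeholder host: cluster-master.example.com) ----
[clustering]
mode = master
# keep 3 copies of every bucket across the peers; 2 of them searchable
replication_factor = 3
search_factor = 2
# shared secret for master<->peer traffic; identical on every peer (placeholder value)
pass4SymmKey = CHANGE_ME_cluster_secret
cluster_label = prod_cluster

# enabling this stanza lets forwarders ask the master for the current peer list
[indexer_discovery]
# separate shared secret for forwarder<->master discovery; identical on every forwarder (placeholder)
pass4SymmKey = CHANGE_ME_discovery_secret

# ---- server.conf on each peer indexer ----
[clustering]
mode = slave
master_uri = https://cluster-master.example.com:8089
pass4SymmKey = CHANGE_ME_cluster_secret

# port on which this peer receives replicated bucket copies from other peers
[replication_port://9887]

# ---- outputs.conf on each forwarder ----
[indexer_discovery:prod_cluster]
pass4SymmKey = CHANGE_ME_discovery_secret
master_uri = https://cluster-master.example.com:8089

[tcpout:prod_indexers]
# no static server list: the peer set comes from the master, so adding an
# indexer to the cluster automatically adds it to the load-balancing pool
indexerDiscovery = prod_cluster
# rotate to a different peer every 30 seconds
autoLBFrequency = 30

[tcpout]
defaultGroup = prod_indexers
```

The two secrets are distinct on purpose: a forwarder only needs the discovery secret, so compromising a forwarder does not yield the key that authorizes peer-to-master cluster operations.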
The data pipeline has these segments:
- Input
- Parsing
- Indexing
- Search
The correspondence between the three typical processing tiers and the four data pipeline segments is as follows:
- The data input tier handles the input segment.
- The indexing tier handles the parsing and indexing segments.
- The search management tier handles the search segment.
Types of management components
A deployment usually includes one or more of these management components:
- The license master handles Splunk Enterprise licensing.
- The monitoring console performs centralized monitoring of the entire deployment.
- The deployment server updates configurations and distributes apps to processing components, primarily forwarders.
- The cluster master coordinates the activities of an indexer cluster. It also handles configuration updates for the indexer cluster.
- The search head cluster deployer handles configuration updates for the search head cluster.
These are some of the main types of deployments, based on size:
- Departmental: a single instance that combines the indexing and search management functions.
- Small enterprise: one search head with two or three indexers.
- Medium enterprise: a small search head cluster with several indexers.
- Large enterprise: a large search head cluster with large numbers of indexers.
| Departmental deployment | Small enterprise deployment: single search head with multiple indexers | Medium to large enterprise deployment: search head cluster with multiple indexers |
|---|---|---|
| One combined indexer/search head; multiple forwarders | One search head; multiple indexers; multiple forwarders | One search head cluster, containing multiple search heads; multiple indexers; multiple forwarders |

Departmental deployment use case
Characteristics of this type of deployment include:
- Indexing volume of under 20GB/day.
- A few users, typically fewer than 10.
- A relatively small number of forwarders sending data to the instance, typically fewer than 10 and rarely exceeding 100.

Small enterprise deployment use case
This distributed search scenario provides the first level of horizontal scaling. It allows users to run searches across a set of indexers. As your needs increase further, you can add more indexers. Characteristics of this type of deployment include:
- Indexing volume between 20 and 100GB/day.
- Between 10 and 100 users.
- Up to several hundred forwarders feeding data to the indexers. The forwarders typically make use of load balancing to distribute the data across the set of indexers.

Medium enterprise deployment use case
A medium enterprise deployment provides greater horizontal scaling than a small enterprise deployment. It services larger numbers of users and searches. As your needs continue to increase, you can continue to add indexers and search heads. Characteristics of this type of deployment include:
- Indexing volume between 100 and 300GB/day.
- Users numbering possibly a hundred or more.
- Up to a few thousand forwarders feeding load-balanced data to the indexers.

Large enterprise deployment use case
A large enterprise deployment provides even greater horizontal scaling. Characteristics of this type of deployment include:
- Indexing volume ranging from 300GB to many TBs per day.
- A large number of users, potentially numbering in the several hundreds.
- Many thousands of forwarders.

Source: http://docs.splunk.com/Documentation/Splunk/7.0.3/Deploy/Deploymentcharacteristics
Design considerations also change as the deployment scales. This table summarizes some of the issues you need to consider when designing your deployment.
| | Departmental | Small enterprise | Medium enterprise | Large enterprise |
|---|---|---|---|---|
| Forwarder issues | Management, monitoring | Load balancing, management, monitoring | Load balancing, management, monitoring, intermediate forwarders | Load balancing, management, monitoring, intermediate forwarders |
| Search issues | User counts, alerts, apps | Search head/indexer knowledge management, user counts | Search head/indexer knowledge management, user counts, search head clustering, job servers | Search head/indexer knowledge management, user counts, search head clustering, job servers |
| Scheduled search workload | Alerts, app/dashboard dependent, summary searches | Alerts, app/dashboard dependent, summary searches | Alerts, app/dashboard dependent, summary searches, job server | Alerts, app/dashboard dependent, summary searches, job server, API/SDK |
| Input types | Network, scripted | Network, scripted, batch, integrations | Network, scripted, batch, integrations | Network, scripted, batch, integrations |
| Availability | Platform-dependent (RAID, power supplies) | Data fabric (forwarder load balancing, storage, index replication) | User interface (search head clustering, load balancers); data fabric (forwarder load balancing, storage, index replication) | User interface (search head clustering, load balancers); data fabric (forwarder load balancing, storage, index replication) |
| Recoverability | Backup, retention | Backup, index replication, bucket/index restoration | Backup, index replication, bucket/index restoration | Backup, index replication, bucket/index restoration |
| Accessibility | Local vs. enterprise authentication | Authentication method | Authentication method | Authentication method |
| Staffing | Admin: 0.5-1 person; search/dashboard/appdev/knowledge manager: 0.25-1 person | Admin: 0.5-1 person; search/dashboard/appdev/knowledge manager: 0.5-1.5 persons | Admin/architect: 1-2 persons; knowledge manager: 0.5-2 persons; search/dashboard/appdev: 1-3 persons; program/project manager: 1 person | Admin: 2-4+ persons; architect: 1+ persons; knowledge manager: 2-5+ persons; search/dashboard/appdev: 2-6+ persons; program manager: 1 person; project manager: 0.5-2 persons |
The following table summarizes the typical scale of each deployment type.

| | Departmental | Small enterprise | Medium enterprise | Large enterprise |
|---|---|---|---|---|
| Indexing volume (daily) | 0-20GB | 20-100GB | 100-300GB | 300GB-1TB+ |
| Number of forwarders | Median < 10; maximum 100 | Median in the 10s; maximum in the 100s | Median in the 10s; maximum in the low 1000s | Median in the 10s; maximum in the 1000s |
| Number of users | Median < 10 | Median in the 10s | Median in the 10s; maximum in the low 100s | Median in the 10s; maximum 500+ |
| Number of apps (pre-packaged and customer-developed, combined) | 1-10 | 1-10 | 1-20+ | 10-50 |
| Indexing tier | 1 indexer | 2-3 indexers, possibly in a cluster | 4-9 indexers, possibly in a cluster | 10+ indexers, possibly in a cluster |
| Search management tier | Combined with indexer | 1 standalone search head | 3 search heads in a cluster | 3+ search heads in a cluster |
| Configuration management function | Manual configuration or deployment server | Manual configuration or deployment server | Deployment server or third-party tool for forwarders and indexers; deployer for the search head cluster | Deployment server or third-party tool for forwarders and indexers; deployer for the search head cluster |