Splunk Sizing Resources and Recommendations
Sizing Splunk is not always trivial, especially if it is used for other use cases in addition to uberAgent. We generally recommend working with one of our partners.
That being said, this page lists some basic recommendations as well as resources that should help with sizing Splunk. Before we start, please keep in mind that the only generic answer any good consultant will give is: “it depends”. Because it does.
Splunk Sizing Considerations
Hardware Resources: CPU and Disk
Splunk needs CPU and disk resources, RAM not so much (compared to some other workloads). Make sure you have enough disk space for the planned retention time as well as a disk subsystem that delivers good IOPS numbers.
Accelerated Data Model
uberAgent’s Splunk app makes use of an accelerated data model which speeds up searches by about 50-100x. The data model’s high-performance analytics store (HPAS) is located on the indexers. Generating the HPAS incurs some additional indexer CPU load and requires additional disk storage.
Heavy Forwarders
Splunk Heavy Forwarders (HFs) can often be a useful third tier, logically situated between the uberAgent endpoints and the Splunk indexers. If you are deploying uberAgent to tens of thousands of endpoints, keep in mind that high numbers of simultaneous network connections may place a significant load on the HFs. Monitor heavy forwarder performance and be prepared to scale out.
Splunk Sizing Recommendations
- Always start with a PoC and closely monitor Splunk performance during that phase.
- Measure uberAgent’s data volume, keeping in mind that optimization is often possible.
- Due to the accelerated data model, uberAgent’s Splunk load profile is somewhat similar to Splunk’s Enterprise Security (ES) app. When looking at sizing guides, base your calculations on the ES use case.
Splunk Sizing Resources
- Splunk’s Capacity Planning Manual and its chapter on reference hardware and its summary of performance recommendations
- The deployment planning chapter from Splunk’s Enterprise Security installation and upgrade manual
- Splunk’s inofficial storage sizing calculator
- Hurricane Labs’ Splunking Responsibly blog series. Part 1: considerations for managing limited system resources and Part 2: sizing your storage
- Aplura’s Splunk best practices