Skip to main content
 
Splunk Lantern

Scaling your Splunk Enterprise deployment

 

To help you support larger environments, where data originates on many machines and where many users need to search the data, the friendly Splunk Customer Success team created this quick reference list that highlights how customers can size the number of indexers they need, as well as use a deployment server for a single interface to manage configuration files, apps, and content updates to most Splunk Enterprise components: forwarders, non-clustered indexers, and search heads in a Splunk Enterprise distributed deployment.

Capacity planning

  • Read the Capacity Planning Manual.
  • Use the resource usage dashboards on the Monitoring Console to identify the times during the day your data load is at it's highest and lowest. Use those numbers to determine the total capacity for your deployment.
  • Look at the total and average indexing performance. Consult the resource usage dashboards to look for indexing pipelines bottlenecks.

Indexers

  • Begin your education track for Splunk Administrators. Enroll in the Education Track for Splunk Administrators to learn the concepts, tasks, and best practices for managing a single Splunk instance or a distributed deployment.
  • Lift the hood on the indexer. Find the buckets that store your data. How many hot buckets do you have? Do you have many warm buckets or just a few? See Managing Indexers and Clusters of Indexers.
  • Calculate the replication factor you need. Calculate the trade-offs and performance benefits of adding peers to your indexer clusters and index replication.

Deployment servers

  • Plan a deployment to make sure that the OS and Splunk software versions on your deployment server and client are compatible. Also make sure the deployment server is on a dedicated Splunk Enterprise instance that is not serving as an indexer or a search head.
  • Manage the deployment server to provision deployment server resources and estimate how long it will take to download your apps to a set of clients.
  • Configure deployment clients to receive data from the deployment server. Use the forwarder management interface to manage the update process across all Splunk Enterprise instances.
  • Create a server class to map a group of deployment clients to one or more deployment apps to update the distribute configuration.

Next steps

These additional Splunk resources might help you understand and implement the guidance in this article: