This session led by Michael Donnelly will teach you how to take your Splunk deployment to the next level. Learn about Splunk high availability architectures with Splunk Search Head Clustering and Index Replication. Additionally, learn how to manage your deployment with Splunk’s operational and management controls to manage Splunk capacity and end user experience

1. Copyright © 2015 Splunk Inc.
Take Splunk to the Next Level:
Architecture

2. 2
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward-looking statements
we may make. In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation either
to develop the features or functionality described or to include any such feature or functionality in a
future release.
2

3. 3
Splunk at the Next Level
Time to move beyond initial Splunk environment
• More use cases – how to tackle?
• More data – how do we scale?
• Splunk is mission critical == HA
• Global deployments
• Improving Splunk user experience Screenshot here

4. 4
Growing your Splunk Deployment
Many customers start with a single use case…
• Ex: Monitor the web servers
• Help ensure up-time & response times
• Track usage, errors
• Provides business value

5. 5
Growing your Splunk Deployment
Value statement for each overall service
Your services exist in a larger context than just one app, or one tier.
What is the value of the service as a whole?
What are CIO commitments for the service?
• The organization’s web site is one of the most critical parts of the business.
• Performance of the overall environment must be maintained at all times.
• Failures in any portion of the web site must be quickly identified, send
notification to the appropriate parties.
• Dependencies on external processes must be monitored as well.

6. 6
Growing your Splunk Deployment
The larger context
• Failure in one system cascades
• Map dependencies, estimate costs
• Use Splunk to track all dependencies.
• What happens when it is down?
Dependencies often include:
• Networking dependencies
• Shared storage
• Databases, middleware, custom apps
• Virtualization layer
Screenshot here

7. 7
Scales to Hundreds of TBs/Day
Enterprise-Class Scale, Resilience and Interoperability
Send data from thousands of servers using any combination of Splunk Forwarders
Auto load-balanced forwarding to Splunk Indexers
Offload search load to Splunk Search Heads

8. Visibility Across Datacenters
Distributed search unifies the view
across locations
Role-based access controls how far a given
user's search will span
New York Tokyo
London Cloud

9. 9
Product Roles
Searching and Reporting (Search Head)
Indexing and Search Services (Indexer)
Data Collection and Forwarding (Forwarder)
Indexer Cluster Master, SHC Deployer
Distributed Management / Deployment Server
License Master, Distributed Mgmt Console
Databases
Networks
Servers
Virtual
Machines
Smart
phones
and
Devices
Custom
Applications
Security
WebServer
Sensors

10. Copyright © 2015 Splunk Inc.
Forwarders

11. 11
Example Forwarding Tier
11

12. 12
Splunk Universal Forwarder
Why use the UF over other methods?
Collect syslog / event log / custom application logs
Collect configuration files, registry settings
Collect data NOT in log files: scripted inputs on current state
Collect wire data – Splunk Stream
Faster, Lower overhead than “agentless” polling
Centrally administered
… and

13. 13
Forwarder Load Balancing
Have UF balance across multiple indexers
Load Balance
– Multiple hosts in outputs
– DNS round robin
– LB not needed!
Geography-based routing
Optional SSL encryption
Compressed 10 to 1

14. 14
Deployment Server
Central management of Splunk Forwarders
Deployment Server manages Apps, Configs
Select one or more classes for each host
Class defines apps & configs
Works by phone-home
Notes:
DS does not push forwarder binaries
Use Cluster Master to manage indexers in cluster, not DS

15. 15
Forwarding Tier Design Best Practices
15
• Use a Syslog Server for Syslog data
• Deployment server (on a VM) for central management
• Let AutoLB distribute data across available indexers
• May need to increase UF throughput setting for high velocity sources
– Enable forceTimebasedAutoLB (for more even distribution)
– maxKBps (to adjust throttling)
Questions?

16. Copyright © 2015 Splunk Inc.
Indexers

17. 17
Indexers
Dedicated indexers serve three primary roles:
Data Storage
Processing and parsing at index-time
Indexing
Data Management
Hot / warm / cold data rotation
Aging and removal
Data Retrieval
Perform search upon request, return data to search heads

18. 18
Scaling - Indexers
Sizing for index performance
Indexers are usually storage-bound
Indexers: 150 to 250 GB per day, each. (With reference HW.)
Ref HW: 12 cores (2 GHz+), 12 GB RAM, 800+ IOPs
Optimal HW (normal disk): 16 CPU cores, 48 GB RAM
Optimal HW (SSD): 24 CPU cores, 132 GB RAM
Questions?

19. 19
Tiered Storage
• Splunk supports tiered storage
• Hot / Warm buckets – put on fastest disk
• Size Hot/Warm for normal saved search durations. (7d, 30d)
• Use slower / cheaper storage (NAS?) for long term access
• Optional: Use Frozen to roll data to glacier, Hadoop, etc.

20. 20
SSD Advantage
http://blogs.splunk.com/2012/05/10/quantifying-the-benefits-of-
splunk-with-ssds/
• Low cost random seeks
• Writes are not that much faster – no great improvement with Indexing
• Significant improvements with Sparse/needle-haystack searches
• Dense searches become CPU bound
• Searches run faster allowing for more completed searches/min
• Use Enterprise-grade SSDs, not commercial-grade.

21. 21
Scaling - Storage
Manual storage calculation
Raw data rate  net compression of ~ 50% on disk.
Simple: rate * compression * retention / #indexers
Hot / warm requirements
– 200 GB / day * 50% * 30 days = 3TB per indexer
Cold storage requirements
– 200 GB / day * 50% * 335 days = 33.5TB per indexer
Clustering
– Changes storage story completely

22. 22
Scaling - Storage
One example of good local storage
A well configured indexer using local storage might look like:
• SSDs in RAID 5, sized for 14 days of storage
• SATA drives in RAID 5, sized for 6 months of storage
SSDs: RAID 5 provides decent performance
Spinning disks:
• Hot/Warm, RAID 1+0, 800 IOPS or faster
• Cold – RAID 5 with proper block / stripe sizing

23. 23
Scaling - Storage
Sizing Calculator: http://splunk-sizing.appspot.com/

24. Copyright © 2015 Splunk Inc.
Indexer Clustering

25. 25
Delivers Mission-Critical Availability
• Data replication – maintain
searchability even if servers
go down
• Multi-site capable –
maintain searchability even
if a site goes down
• Search Affinity – optimized
searches by fetching from
the closest/fastest location
REPLICATION
Portland
Datacenter
New York
Datacenter
Clustering

26. 26
Indexer Clustering
High-Availability, Out of the Box
Splunk indexer clustering
Active-Active= better performance
Specific terms:
– Master Node / Master Cluster Node
– Peer Node
– Search Factor
– Replication Factor
Additional details: Splunk Docs, Distributed Deployment Manual

27. 27
Cross-site Clustering
Search Affinity by location
“Search locally”, “Store Globally”
DR scenarios

28. 28
How Clustering Affects Sizing
• Increased storage:
– 15% of raw usage for every replica copy
– 35% MORE to make that searchable
• Increased processing
– Incoming data to indexer is streamed to indexing peers to satisfy required
number of copies
• More hosts
– Need “replication factor” + 2 (search head, cluster master)
2

29. 29
Scaling - Storage
Sizing Calculator: http://splunk-sizing.appspot.com/

30. 30
Downsides of Indexer Clustering
• Increased Storage
• Cluster master is required – use a VM.
• Increased bandwidth
Questions?
3

31. Copyright © 2015 Splunk Inc.
Search Heads

32. 32
Scaling the Search Heads
Splunk Search is critical, too!
Scaling your search heads
Scale to handle # of concurrent queries
Dedicated Search heads for certain apps, scheduled alerts
Remember – Search heads virtualize well!

33. Copyright © 2015 Splunk Inc.
Search Head Clustering

34. 34
SHP vs SHC
Search Head Clustering
Seach Head Pooling
• Available since v4.2
• Sharing configurations through NFS
• Single point of failure
• Performance issues
• No shared storage requirement
• Replication using local storage
• Commodity hardware
• OSes: Linux or Solaris
NFS

35. 35
Search Head Clustering
1. Group search heads into a cluster
2. A captain gets elected dynamically
3. User created reports/dashboards automatically replicated
to other search heads

36. 36
Search Head Clustering

37. 37
Search Tier Design Best Practices
37
• Minimum 3 nodes required
• ES will still require a Separate Search Head or dedicated SHC
• Use LDAP/AD/SSO for user Authentication
• Load Balancer configured for sticky sessions
• Must use deployer to push apps to search heads
• Confirm your applications’ support for SHC!
Questions?

38. 38
Search Head Clustering
Use “Captain” instead of “Master” to avoid confusion with Index-
Clustering
Minimum 3 nodes required.
Cluster takes certain key decisions based on *majority* (consensus)
In multi-site setup have more nodes in main datacenter

39. Copyright © 2015 Splunk Inc.
The Final Stretch

40. 40
Load Balancer
Search Head Cluster, Deployer
Clustered Peer Node + Cluster master
Deployment server
Universal Forwarders on Servers
Syslog, NetFlow data
HFs for scheduled polling via API
40

41. 41
Hybrid Approach for rollout
41
• Add the existing Splunk
instance as a search peer
until the data retention
period has expired
• Disable scheduled searches
on the old instance
• Migrate any Summary Index
data to new Indexers

42. 42
Distributed Management Console
Manage Splunk 6.2 environments
Replaces Deployment Monitor App
Incorporates SOS app prior to 6.2

43. 43
Cloud & Hybrid
Scale without waiting for hardware

44. 44
Suggested Reading
• Distributed Deployment Manual
– http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Distributedoverv
iew
• Highlights
– Reference hardware specs
– How searches affect performance
 Dense / Rare / Sparse
– App considerations
– Summary table
4

45. 45
Top 5 things to Remember
45
• Indexers: Storage requirements, IOPS, RAID config
• Indexer clustering: HA, DR, and site affinity!
• SHC: Minimum buy-in for a SHC is 3
• When in doubt – add another Indexer
• Excellent VM candidates:
– Master Cluster Node (Indexer clustering)
– Deployer (Search head clustering)
– Deployment Server (Central Forwarder management)
– License Master
– Distributed Management Console

46. Thank You