The documentation for both of the VM families should be reviewed via the links above to fully understand the VM characteristics prior to implementing Splunk Enterprise in production to ensure you select the most appropriate SKU to meet your performance and availability requirements.Īs a general guide, the Ls_v2 family is appropriate if your Splunk search profile is mostly storage-bound. This makes the Dds_v4 family the preferred option where data durability is the overriding priority. However, the Premium Managed Disks storage will not offer the same high IOPS or ultra low latency as the locally attached NVMe disks with the Ls_v2 family. If managed disks are attached for Splunk hot/warm and cold storage, these can offer better data durability in the case of a platform-initiated redeployment of the VM due to a failure. The Dds_v4 family is the latest general-purpose Azure VM family offering well priced compute for general purpose workloads. The replication of data across three Availability Zones provides data durability, however simultaneous failures across all Availability Zones could theoretically result in permanent data loss. As these are locally attached ephemeral disks, data will be lost if you de-allocate your VMs or there is a platform-initiated redeployment of the VM to an alternative host in the event of a failure. This makes the Ls_v2 family the preferred option where storage performance is paramount. The Ls_v2 family features very high throughput, low latency, directly mapped local NVMe storage which is ideally suited to Splunk hot/warm storage disks due to the high IOPS and throughput. The characteristics of these VM types are summarized below: This reference architecture recommends two VM families for Indexers, the general-purpose Dds_v4 family or the storage-optimized Ls_v2 family. This ensures that each Availability Zone contains a searchable copy of all indexed data. It is also recommended to assign each Indexers site according to Availability Zone of the Indexer VM, for more information on Splunk's site concept please refer to Splunk's documentation. It is recommended to set both Indexer Replication Factor and Search Factor to at least 3, with one copy per site. It is recommended to deploy Splunk Indexer Clusters across 3 Availability Zones for maximum availability, providing a financially backed SLA of 99.99% uptime of the Indexer cluster. The Cluster Master manages configuration for the Indexers and also manages replication of data between clustered nodes and sites to ensure that the number of copies of data in the cluster meets the search and replication factors. The Cluster Master is the Splunk Enterprise instance that manages an Indexer Cluster. Splunk Indexer Virtual Machines (VMs) can be deployed as an Indexer Cluster to enable horizontal scalability and high availability of the Indexer component. The Indexer also performs searches against indexed data in response to search requests. Indexers & Cluster MasterĪn Indexer is the Splunk Enterprise component that indexes data transforms raw data into events and writes them to disk. Core Splunk Enterprise components include Indexers, and Cluster Master, Search Heads and Search Head Deployer, Monitoring Console and License Master. This section describes the core Splunk Enterprise components and relevant Azure-specific guidance including recommended VM families.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |