Making a hardware selection

After reviewing the dizzying array of specifications and performance considerations presented thus far, you may be thinking, "I just want to select the right hardware and get on with it!" So, let's narrow this down to the significant criteria that will influence your options the most for an initial deployment, make some decisions, and finalize a hardware shopping list based on the following assumptions:

• You are going to build a distributed, clustered Splunk Enterprise solution.
• You are going to deploy at least a three-search head cluster (the minimum number recommended to implement an SH cluster)—this will accommodate up to 100+ users and concurrent searches based on a rule of thumb of 20-40 concurrent search jobs per member, depending on the number of CPU cores.
• You are going to deploy enough indexers to accommodate the anticipated ingestion volume, rounded up to some increment of roughly 250 GB/day, which is the rule of thumb ingestion capability of a typical indexer; this assumption may need to be modified by your disk subsystem options – see as follows.
• You will use the Splunk reference server specifications as a guide for selecting from the hardware options available to you for search heads and indexers.
• You will use the search head reference server specifications for the various other Splunk components—license master, deployer, cluster master, and deployment server.
• Depending on the size of your deployment, you may be able to combine some of the supporting Splunk components onto one machine—the license master with the cluster master; the cluster master can also host the monitoring console, which we'll discuss in a later chapter.

The only decision factor remaining is to determine the number of indexers, which will depend on the ingestion volume, replication factor, search factor, data retention periods, and your available disk subsystem size options. Let's do that now.