1
00:00:03,440 --> 00:00:12,530
The next step after calculating license size is to identify how many indexers are necessary for our

2
00:00:12,550 --> 00:00:13,640
Splunk setup.

3
00:00:14,510 --> 00:00:19,090
Determining the number of indexers is a tricky one.

4
00:00:19,100 --> 00:00:27,020
If you go by Splunk's official documentation, it says a single indexer can handle up to

5
00:00:27,050 --> 00:00:29,270
300 GB per day.

6
00:00:30,740 --> 00:00:37,430
I think we all know the difference between what the official documentation of any product states and

7
00:00:37,430 --> 00:00:43,820
the actual scenarios that, as a consultant or an end user, you experience in the field.

8
00:00:44,120 --> 00:00:51,500
Based on my experience, it's good to have an additional indexer for every 100 gigs of license.

9
00:00:51,530 --> 00:00:58,490
I've seen environments where one indexer is being choked to death, really,

10
00:00:59,380 --> 00:01:07,480
just not able to handle 150 to 200 gigs of data because it was bombarded with applications, a lot of premium

11
00:01:07,480 --> 00:01:08,440
apps and stuff.

12
00:01:08,830 --> 00:01:15,980
Consider the search load on the indexer. As per my own recommendation, or my own experience,

13
00:01:16,000 --> 00:01:21,190
it's good to have one indexer for every hundred GB of data.

14
00:01:22,210 --> 00:01:23,200
For example,

15
00:01:23,200 --> 00:01:24,710
less than 100 GB:

16
00:01:24,730 --> 00:01:25,930
one indexer

17
00:01:27,130 --> 00:01:32,820
should be enough, but greater than 100 and less than 200 or 250 GB,

18
00:01:32,860 --> 00:01:38,170
go for two indexers, and anything greater than 200 and less than 300,

19
00:01:38,740 --> 00:01:41,310
go for three indexers, and so on.

20
00:01:41,320 --> 00:01:42,700
Make sure you have that.

21
00:01:43,030 --> 00:01:47,880
Make sure you have this in mind; this is just a rough estimate.

22
00:01:47,890 --> 00:01:49,600
There is no official recommendation.

23
00:01:49,600 --> 00:01:54,780
But trust me, when you go with this process, you will find

24
00:01:54,790 --> 00:01:58,420
your Splunk environment's performance will be optimum.

25
00:01:59,110 --> 00:02:06,250
When I say optimum, it responds to you faster, rather than having 300 GB of data in a single indexer.

26
00:02:07,430 --> 00:02:08,300
Moving on.

27
00:02:08,480 --> 00:02:12,380
The next step is determining the search heads.

28
00:02:12,500 --> 00:02:17,270
Calculating the number of search heads depends on a number of different factors.

29
00:02:17,270 --> 00:02:21,470
The list varies; let's say, to list a few of them:

30
00:02:23,630 --> 00:02:30,110
the number of search heads depends on the number of active users, the number of alerts, reports that are scheduled

31
00:02:30,110 --> 00:02:35,690
or real-time, the number of parallel searches, the number of cores available for search.

32
00:02:36,650 --> 00:02:43,090
Considering these kinds of factors, there won't be any clear answers at the beginning for you.

33
00:02:43,610 --> 00:02:49,250
You consider: if you have more than eight users, go for an additional search head.

34
00:02:49,250 --> 00:02:51,230
So let's say I have 15 users.

35
00:02:51,230 --> 00:02:52,970
I will go for two search heads.

36
00:02:53,090 --> 00:02:55,730
I have 24 users,

37
00:02:55,730 --> 00:02:58,610
I'll go for three. 24 users,

38
00:02:58,610 --> 00:03:00,280
I'll go for three search heads.

39
00:03:00,590 --> 00:03:07,730
And so on. If less than eight users, one search head should be more than sufficient.

40
00:03:07,730 --> 00:03:13,040
One more good thing about search heads is you can add them any time you need.

41
00:03:13,040 --> 00:03:21,470
There is no need for any downtime or any impact on your existing Splunk environment. Even

42
00:03:22,630 --> 00:03:23,830
the indexer,

43
00:03:23,830 --> 00:03:28,540
also, you can add to your Splunk environment at any point of time.

44
00:03:28,540 --> 00:03:33,250
There is no actual downtime or disruption in your environment.

45
00:03:34,420 --> 00:03:40,930
These are simple, small configurations which just scale up your environment to the next level.

46
00:03:42,380 --> 00:03:43,220
The search heads,

47
00:03:43,220 --> 00:03:46,940
you can add them at any moment of time without any impact.

48
00:03:46,940 --> 00:03:53,690
But I recommend building a strong base from the beginning in terms of indexers. Make sure you

49
00:03:53,690 --> 00:03:59,750
get the number of indexers right, because search heads you can add any time, but indexers, when you add them later, say, the

50
00:03:59,750 --> 00:04:06,710
data will be shared between two indexers and the data storage will be inconsistent: in one indexer

51
00:04:06,710 --> 00:04:08,540
you might see 100 GB of data,

52
00:04:08,570 --> 00:04:14,780
in other indexers you can see ten GB of data. To avoid this kind of data storage imbalance, it's better

53
00:04:14,780 --> 00:04:18,980
to build a strong base foundation for your indexers.

54
00:04:21,330 --> 00:04:28,890
The next step in designing the architecture is to evaluate the need for heavy forwarders, deployment server,

55
00:04:28,920 --> 00:04:30,000
license manager.

56
00:04:30,480 --> 00:04:32,220
As we all know by now,

57
00:04:32,250 --> 00:04:35,430
these three components are optional components.

58
00:04:36,870 --> 00:04:40,110
We know what functionalities these components are used for.

59
00:04:40,110 --> 00:04:47,400
So as a Splunk architect, it will be your responsibility to choose whether to have these components in

60
00:04:47,400 --> 00:04:49,230
the architecture or not.