This is our environment: 6 Splunk servers.

1) splunk01 – Ad hoc search head used for standalone searches
   47.14 GB physical memory, 10 CPU cores
2) splunk02 – Enterprise Security search head (has the Enterprise Security app installed on it)
   125.75 GB physical memory, 24 CPU cores
3) splunk03 – Syslog plus indexer server
   62.75 GB physical memory, 24 CPU cores
4) splunk04 – Syslog plus indexer server
   62.75 GB physical memory, 24 CPU cores

The two Splunk servers below are on a host that has several other VMs hosted on it.

5) splunk05 – License master plus indexer cluster master
   7.64 GB physical memory, 4 CPU cores
6) splunk06 – Deployment server
   3.7 GB physical memory, 2 CPU cores
Question:
We have Cisco IPS data coming through eStreamer into the Splunk ES search head, which in turn forwards it to the indexers. We also have data from the firewalls with the SFIMS header coming into the indexers. Does this mean we have a data duplication problem?