Hi all,
We're starting to ramp up our usage of Splunk with a lot of extra data, eventually adding Enterprise Security. People on other teams are starting to get into Splunk too, requesting forwarder installation and configurations to pull in data relevant to their work, creating dashboards, etc. We have a ton of real-time searches that are used as alerting for a few different applications, and I can only see more in the future.
We have 1 SH (4x CPU, 8 GB RAM), 2 indexers, 1 heavy forwarder, and 1 cluster manager, all VMs. IO and search times are all in good ranges and nothing is slow; I am preparing for the future.
We can pump up the specs on the Search Head, or create a new Search Head. How do I decide which will work best? Another SH seems like it might add complexity, but is there a threshold where boosting SH stats will not really help performance?
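One way to put numbers on the scale-up versus scale-out question is to look at the search concurrency ceiling each search head computes from its limits.conf [search] stanza. The script below is an added example, not code from the original post or from Splunk; it applies the documented defaults (max_searches_per_cpu = 1, base_max_searches = 6, max_rt_search_multiplier = 1, max_searches_perc = 50) to a constructed limits.conf sample and to the poster's 4-CPU search head, then compares adding CPUs against adding a second head. The per-head base allowance is the part that matters for the question: each new head brings its own fixed base slots, while each extra CPU on the existing head adds only max_searches_per_cpu slots.

```python
"""Estimate Splunk search-concurrency ceilings from limits.conf values.

Added example, not from the original post or from Splunk. The formulas are the
documented limits.conf [search] defaults; the limits.conf text below is a
constructed sample, and the CPU counts are the poster's figures plus two
hypothetical upgrade options.
"""
import configparser
from dataclasses import dataclass

# Constructed sample of a search head's limits.conf [search] stanza.
SAMPLE_LIMITS_CONF = """\
[search]
max_searches_per_cpu = 1
base_max_searches = 6
max_rt_search_multiplier = 1
max_searches_perc = 50
"""


@dataclass(frozen=True)
class SearchLimits:
    per_cpu: int        # max_searches_per_cpu
    base: int           # base_max_searches
    rt_multiplier: int  # max_rt_search_multiplier
    scheduled_pct: int  # max_searches_perc (scheduler's share, in percent)


def parse_limits(text: str) -> SearchLimits:
    """Read the [search] stanza, falling back to Splunk's documented defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    s = cp["search"]
    return SearchLimits(
        per_cpu=s.getint("max_searches_per_cpu", fallback=1),
        base=s.getint("base_max_searches", fallback=6),
        rt_multiplier=s.getint("max_rt_search_multiplier", fallback=1),
        scheduled_pct=s.getint("max_searches_perc", fallback=50),
    )


def concurrency(cpus: int, lim: SearchLimits) -> dict:
    """Concurrency ceilings one search head derives from its CPU count.

    historical: max concurrent historical searches = per_cpu * cpus + base
    realtime:   max concurrent real-time searches = rt_multiplier * historical
    scheduled:  slots the scheduler may use = historical * scheduled_pct / 100
    """
    historical = lim.per_cpu * cpus + lim.base
    return {
        "historical": historical,
        "realtime": lim.rt_multiplier * historical,
        "scheduled": historical * lim.scheduled_pct // 100,
    }


def rt_alert_headroom(cpus: int, rt_alerts: int, lim: SearchLimits) -> int:
    """Real-time slots left once the always-running real-time alerts hold theirs.

    A real-time alert search runs continuously, so each one permanently occupies
    a real-time slot on the head that runs it. Negative means the head is already
    over its real-time ceiling and new real-time searches will be queued.
    """
    return concurrency(cpus, lim)["realtime"] - rt_alerts


def topology_slots(head_cpus: list, lim: SearchLimits) -> int:
    """Sum of historical-search slots across all heads in a topology.

    Slots only behave as one pool when the heads form a search head cluster;
    standalone heads each enforce their own ceiling independently.
    """
    return sum(concurrency(c, lim)["historical"] for c in head_cpus)


if __name__ == "__main__":
    lim = parse_limits(SAMPLE_LIMITS_CONF)
    print("current 4-CPU head:", concurrency(4, lim))
    print("headroom with 8 real-time alerts:", rt_alert_headroom(4, 8, lim))
    # Hypothetical options: double the existing head, or add a second 4-CPU head.
    print("scale up to 8 CPUs:", topology_slots([8], lim))
    print("two 4-CPU heads:", topology_slots([4, 4], lim))
```

With the defaults, the 4-CPU head is capped at 10 concurrent historical searches and 10 real-time searches, with 5 of those reserved for the scheduler; eight always-on real-time alerts would leave only 2 real-time slots. Doubling CPUs raises the ceiling to 14, while a second 4-CPU head gives 20 in total, which is the "threshold" effect the question is asking about: once real-time alerts are eating the slots, extra cores on one head buy less than another head's base allowance. Two caveats: indexers apply their own limits.conf ceilings and each real-time search also holds a slot on every indexer, so the indexer tier needs the same check; and without a search head cluster the second head's slots are a separate pool that users and scheduled searches must be deliberately assigned to.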