We currently use a single SPLUNK Enterprise server that runs on a single virtual machine on ESXi. This instance is both our search and index device. It has been running quite solidly for a while now, but we are looking at a way to effectively provide DR/HA as this will likely become our SIEM in the long term. The single instance has SSD disk and has 8 vCPU dedicated to the machine (CPUs are Intel with a clock speed of 3.4GHz).
Every time I look at redesigning this server for DR, I end up with a design that will cost a small fortune in just the hardware alone, especially taking into consideration this may become the primary SIEM over time. I need the server to be highly available, as during an incident this becomes critical for us.
I would initially need 2 indexers (1 at each site) and potentially 1 or 2 search heads. However, SPLUNK doco says that I must have a minimum search head cluster of 3. If I read the SPLUNK doco right and I buy, say, 2 x 12-core ESXi hosts with dedicated vCPU, this alone means that I would need to purchase 4 or 5 hosts to manage this load.
This is not a financially viable option. Another thought might be to just have a single search head (not clustered) with 2 indexers (an indexer and search head on 1 ESXi host) and then have another indexer on the DR host. This would be 2 hosts rather than 5. I could in theory then just use ESXi replication for the search head (and avoid the SRM costs and infrastructure). Would this be a viable alternative?
The amount of data we currently ingest is around 30GB, but this will ramp up quite quickly. Over time I also need to make consideration for expansion/growth. We are looking at cloud, but at the moment the focus is just on an on-premise model.
Thoughts? Appreciate any responses.
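For reference, the two-site layout sketched above (one indexer per site, a single non-clustered search head) maps onto a Splunk multisite indexer cluster roughly as follows. This is an added illustration, not configuration from the poster or from Splunk's docs; the hostnames and the `pass4SymmKey` are placeholders, and it assumes the cluster manager node is co-located on the search head VM at the primary site (a manager cannot share an instance with an indexer).

```ini
# server.conf on the search head VM at site1, which also acts as cluster manager.
# Placeholder hostnames/keys; replace with your own.
[general]
site = site1

[clustering]
mode = manager
multisite = true
available_sites = site1,site2
# Keep one copy of every bucket at its origin site and one at the other site,
# so a loss of either ESXi host leaves a complete, searchable copy.
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
pass4SymmKey = CHANGEME-shared-cluster-secret

# server.conf on the indexer (peer) at site1; the DR indexer uses site = site2.
[general]
site = site1

[clustering]
mode = peer
manager_uri = https://searchhead-site1.example.internal:8089
pass4SymmKey = CHANGEME-shared-cluster-secret

[replication_port://9887]

# server.conf on the search head (searchhead role, same instance as the manager).
[clustering]
mode = searchhead
multisite = true
manager_uri = https://searchhead-site1.example.internal:8089
pass4SymmKey = CHANGEME-shared-cluster-secret
```

With a two-peer cluster, total:2 is the most replication you can configure, and the search head itself remains a single point of failure that the ESXi replication mentioned above would have to cover.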