Channel: Questions in topic: "splunk-enterprise"

Can anyone help me with my sizing and performance considerations?

Hello!

I have a small distributed deployment consisting of 2 search heads (16 cores each) and 2 indexers (24 cores each). There are about 900 saved searches to govern critical alerting with the addition of dashboards containing 50 indicators that refresh every 5 minutes when users are connected. The indexers from south side need to index near realtime data while up north they're serving the alerts and end users. I have an accelerated data model and a "master" saved search that updates every 5 minutes.

My questions:

- How many searches can the deployment handle in parallel? My assumption is 48 since the indexer is responsible for running the searches.
- Since hundreds of the alerts call scripts to carry out actions and these scripts generate logs which themselves are indexed by Splunk, would it be better for those scripts and logs to be located on the indexers or search heads? I know it would be better to have a separate box for that, but at this point it's not possible...
- Is the snapshot for the "master" saved search stored on the search heads? Assuming yes, when the alerts and dashboards that are based on it run, does this in some way affect the indexers?

Thanks in advance for any input!

Regards,
Andrew
