Hello,
We're looking at expanding our Splunk capabilities, and I'd like some additional input on the question of doing a high core single search head vs a search head cluster.
Our environment experiences a lower number of concurrent users (between 5 and 15), however, we can hit very large number of concurrent searches ( > 30). We were either going to go with a Search Head Cluster or a very large VM. Disregarding the HA factor (since we'd be able to handle this issue regardless of a SH cluster or single instance, though I know the cluster is the Splunk SH "HA").
Would a SH Cluster of 3 devices with 16 cores at 16 GB of RAM a piece have any significant advantages over a 48 core, 48 GB RAM device in terms of performance? Our current view of the SH Cluster vs Single Search Head is management of Apps and Settings is much easier done on a single device (as the SH deployer in 6.3 we're currently using seems to be quirky about items such as scripted inputs), so essentially I'm trying to gather information on whether any performance benefits may outweigh the current management concerns.
↧