- Splunk 7.x Quick Start Guide
- James H. Baxter
- 2021-06-10 19:04:56
Making a design decision
By now, you should be fairly convinced that unless you are planning a small Splunk Enterprise deployment on a single stand-alone server, or perhaps several stand-alone indexers for point solutions with a single search head to search across all of them, you will need to design a distributed, clustered environment that provides higher reliability and scalability.
Remember that a distributed/clustered Splunk environment can be scaled as needed by adding indexers and/or search heads, and you should assume that there is going to be some amount of growth over time. You may also find that your ingestion volume shortly after initial turn-up exceeds the volumes your business units tell you about, and the peak number of concurrent ad hoc and scheduled searches may exceed initial expectations as well. However, you can build a conservatively sized initial deployment with this possibility in mind, so don't worry too much about trying to get an exact assessment.
Depending on the findings from your poll of the user community, it may be a good idea to design an initial Splunk deployment that is quite a bit larger than your ingestion volume calculations—500 GB or even 1 TB/day of ingestion volume, for example—and let your usage grow into this solution. You can then monitor ingestion volumes and concurrent search counts and add indexers and search heads if and when needed as you gain a better feel for the particular needs of your business environment.
In the next section, we will cover how to select the appropriate hardware and disk-sizing options to accommodate your Splunk deployment, based on the decisions you have made so far.