Hi Team,
I have an infrastructure located globally across multiple sites (around 10 to 15 sites) which generates approximately 1 TB of log volume a day. I would need Splunk expertise suggestions on what architecture will suit this use case. I have given a few options below; it would be great if someone could give me inputs on this.
Option 1
1. Set up Heavy Forwarders at each location with load balancing
2. Set up an indexer cluster and search head cluster at the main data center
WAN link speed: 20-30 Mbps from each site
The Heavy Forwarders at each location will collect the data from the individual local site devices and send it to the main data center indexer cluster peer nodes, and the search head will be configured to perform all event searches and data visualizations by pulling data from the main data center indexer cluster.
Option 2
1. Set up Heavy Forwarders at each location with load balancing
2. Set up an indexer cluster at each location
3. Set up a search head cluster at the main data center
WAN link speed: 20-30 Mbps from each site
The Heavy Forwarders at each location will collect the data from the individual local site devices and send it to the individual site's indexer cluster peer nodes, and the search head cluster at the main data center will be configured to pull data from all the locations' indexer clusters and perform search operations and data visualization.
Option 3
1. Set up Heavy Forwarders at each location with load balancing
2. Set up an indexer cluster at each location
3. Set up a single search head at each location
4. Set up a search head cluster at the main data center
WAN link speed: 20-30 Mbps from each site
The Heavy Forwarders at each location will collect the data from the individual local site devices and send it to the individual site's indexer cluster peer nodes; the local search heads are configured to search events from their individual local sites, and the main data center search head cluster is configured to have centralized dashboards from all search head data.
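As an added illustration (not part of the original post, and not the poster's own configuration), below is what the forwarder-to-cluster and search-head-to-multiple-clusters wiring in Options 1 and 2 looks like in Splunk .conf terms. All hostnames, ports, certificate paths, secrets and the site names `site_a` / `site_b` are placeholders assumed for the example; the forwarder's CA path is assumed to be set in server.conf `[sslConfig]` on the forwarder, and the cluster manager is assumed to carry a matching `[indexer_discovery]` `pass4SymmKey` in its server.conf.

```ini
# --- outputs.conf on each site's Heavy Forwarder (same for Option 1 and Option 2) ---
# Hostnames, ports, cert paths and secrets are placeholders, not real values.
[tcpout]
defaultGroup = dc_indexers
# In-memory buffer used while the 20-30 Mbps WAN is saturated or a peer is unreachable.
maxQueueSize = 500MB

[tcpout:dc_indexers]
# Learn the indexer cluster peer list from the cluster manager instead of hard-coding
# "server = idx1:9997, idx2:9997", so peers can be added or replaced without
# touching every site's forwarder.
indexerDiscovery = dc_cluster
# Indexer acknowledgement: a block that is not confirmed as written gets re-sent,
# which is what protects against loss on a congested or flapping WAN link.
useACK = true
# Switch to the next peer every 30 s so load spreads evenly (autoLB is on by default).
autoLBFrequency = 30
# Encrypt and client-authenticate the WAN leg; the CA bundle that validates the
# indexers' certificates is set in server.conf [sslConfig] sslRootCAPath on this host.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/hf-client.pem
sslPassword = <placeholder-key-password>
sslVerifyServerCert = true
# Only usable if every peer presents the same CN (e.g. a shared or wildcard cert).
sslCommonNameToCheck = idx.dc.example.com

[indexer_discovery:dc_cluster]
# Splunk 9.x spells this key manager_uri; master_uri is the pre-9.0 name.
master_uri = https://cm.dc.example.com:8089
pass4SymmKey = <placeholder-indexer-discovery-secret>

# --- server.conf on the main data center search head (Option 2: search every site's cluster) ---
# Each site's indexer cluster is listed once; the search head fans searches out to all of them.
[clustering]
mode = searchhead
master_uri = clustermaster:site_a, clustermaster:site_b

[clustermaster:site_a]
master_uri = https://cm.site-a.example.com:8089
pass4SymmKey = <placeholder-cluster-secret-site-a>

[clustermaster:site_b]
master_uri = https://cm.site-b.example.com:8089
pass4SymmKey = <placeholder-cluster-secret-site-b>
```

A quick sizing check against the numbers in the post: 1 TB/day spread over 10 sites is about 100 GB per site per day, which is roughly 9.3 Mbps sustained; over 15 sites it is about 67 GB per site per day, roughly 6.2 Mbps. That fits inside a 20-30 Mbps link on average, but ingest is never flat, so the busiest hour (plus any backlog replay after a WAN outage) is what `useACK` and the forwarder queue have to cover in Option 1. Options 2 and 3 keep the bulk data at the site and only move search results across the WAN, at the cost of running and securing an indexer cluster (and its own `pass4SymmKey`, certificates and patching) at every location.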