From Splunk Wiki

Jump to: navigation, search

< Back to Best Practices

Running Splunk on a Virtual Machine

When running Splunk on a Virtual Machine, there are additional factors which need to considered. This topic discusses:

  • Raw device mapping
  • Hardware capacity

Before proceeding, you should have already read the Best Practices topic on "Hardware Tuning Factors", which contains our general hardware recommendations.

Raw Device Mapping

Raw Device Mapping (RDM) is a technique by which a raw Logical Unit Number (LUN), local or remote, can be aliased to a VMDK file on a VMFS partition. The net effect is direct access to the LUN being aliased. Think of this as literally creating a symlink on a VMFS filesystem that points to raw storage.

RDM can deliver sequential read and write benefits that include slightly greater IOps, lower overhead, and also benefits when working with block sizes smaller than 32kb.

For indexing volumes < 25 GB per day, indexing to VMDK should function well For indexing volumes > 25 GB per day, RDM should be used.

Hardware Counts

Using the proper amount of physical hardware is very important. The virtual machine will create additional overhead that may require 30% more hardware capacity. Following our "Bare metal" guidelines plus 30% is the suggested method. For example, if the guidelines suggest 8 GB of memory in addition to 4 cpu cores, then you should run Splunk on raw hardware that is at least this size.

Personal tools
Hot Wiki Topics

About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk