Splunk Sizing Made Easy

Back in 2013, Mustafa wrote a post describing how to Estimate disk storage required for Splunk Index.

These calculations can sometimes get a bit complicated, so I created simple web-based Splunk storage sizing tool that implements Mustafa’s calculation in the background and puts a nice user interface on top of it. Check it out: http://splunk-sizing.appspot.com/

To use the tool, enter your storage requirements and the tool will estimate the storage required. Plus it can calculate the number of disks you would need per indexer, based on the type of RAID and size of disks you prefer. And it allows you to specify on which volume to store the hot/warm, cold and frozen buckets. E.g. you can store hot/warm buckets on fast RAID and the cold buckets on a cheaper storage.

Another nice feature is the generation of the index configuration file (indexes.conf). This updates in real-time: So all you need to do is set the configuration you want, and the example configuration file updated automatically. When you get a sizing configuration that looks like what you need, you can copy the browser URL string and share that with colleagues.

Of course, this cannot provide a 100% accurate prediction of storage requirements. E.g. at the moment it doesn’t consider disk space required for data model acceleration and doesn’t consider increased indexer CPU and IOPS requirements due to large number of searches. So, you should get the results carefully before buying hardware! However, this little tool should give you a good idea about your Splunk storage requirements.

I hope you like it and happy sizing!

----------------------------------------------------
Thanks!
Robert Fujara