http://blogs.splunk.com/thewilde/2008/06/24/splunk-ninja-inside-the-cloud/

Architecture matters — big time (well depending on how much data you have). When Splunk stores data we organize it by time. on 32-bit systems, the size of time bucket we can go to is about 200MB per bucket vs. on a 64-bit system, the buckets can be up to 10GB. 64-bit can handle so much more when reading. If you have a huge amount of data over some determinate amount of time on a 32-bit system, we’re gonna have to open a boatload of files to find your data vs on a 64-bit which we wont.

Indexing = CPU intensive operation. Splunk will only open 1 thread by default for indexing, but can be configured to consume more threads and memory depending on your data rate. First non-founding employee Brian Murphy has a great video on perf which i refer to alot. http://www.splunk.com/article/2183

Search - Architecture matters here as I mentioned above, but so does Disk I/O. I have found that AWS is actually better than VMWare when it comes to Disk I/O (but not by much). Wanna make a Splunk win on Expert in Guitar Hero, give it RAIDed 15k RPM SAS drives, as search is a disk intensive activity. I have a Penguin Relion dual quad-core’s running at 3ghz, 16GB RAM and those fast disks I just mentioned — i should be able to get about 300GB per day indexing rate.

Personally, I haven’t done any scientific level benchmarking on AWS yet–our dev group is starting a QA project on EC2 (which i love!). To benchmark disk I/O use the Bonnie++ tool (or just do some heavy duty GZIPing to see max thruput on the most intensive disk operations). To benchmark indexing, use the techniques in Brian Murphy’s video.

@Carl & @Ilya - Persistent storage is a problem so far on EC2, what i have done in some instances is use PersistentFS which is a FUSE based filesystem that lets you mount S3 and through a syncing process, files are copied to and from S3. I have used it for backup, and could use it for an archive in the “coldToFrozen” roll (see docs). You don’t want to have Splunk index/search data on that type of volume–not sure if it’ll even work because we do have FS-specific locking code we use — but nonetheless speed would by way slow.

Kord, thanks for addressing the questions!

Michael, thanks for the video reply. Didn’t know about transactions and have to agree, that is incredibly powerful. I’ve added your reply at the bottom of the post.

Carl, those are great questions, I’ll defer to Michael / Kord to give us the answers (pinged them). Having said that, for the S3 mirror, Splunk does not do this natively, but it wouldn’t be a hard thing to setup.

1. What kind of EC2 machine is recommended for Splunk? An XL seems to be overkill for something like this. How far will a small get me?

2. Are the logs mirrored on S3 automatically, or they’re simply kept on the local disk (ie: /mnt)

3. How many logging entries per second can I expect? Has it been benchmarked?

Thanks! Great article!