Admin Guide 9.0.4 Flashcards
Best practice for optimal performance - dedicated machines
Adding more physical machines dedicated to Splunk Enterprise translates into better performance than having more resources in a single machine.
Where possible, split up your indexing and searching activities across a number of machines, and only run one Splunk Enterprise component on each machine.
Performance is reduced when you run Splunk Enterprise on machines that share resources with other services.
Best practice for optimal performance - antivirus
If you use anti-virus programs on the servers running Splunk Enterprise, make sure that all Splunk software directories and programs are excluded from on-access file scans.
Best practice for optimal performance - indexes
Use multiple indexes, where possible.
Sending all data to one index can cause I/O bottlenecks on your system and complicate retention calculations and access controls.
Best practice for optimal performance - disk/volume considerations
Don’t store your indexes on the same physical disk or volume as the operating system.
The disk that holds your operating system or its swap file is not a recommended place for Splunk Enterprise data storage.
Put your indexes on other disks or volumes mounted on the machine.
Best practice for optimal performance - buckets location
Don’t store the hot and warm buckets of your indexes on network volumes.
Always use fast, local disk for the index hot and warm buckets.
You can specify network shares for the cold and frozen buckets of an index using Distributed File System (DFS) volumes or Network File System (NFS) mounts.
Best practice for optimal performance - minimal disk space
The volume or mount that contains your indexes must have approximately 5 gigabytes of free disk space by default, or indexing will stop.
Splunk Web default port
8000
http://localhost:8000
http://<hostname>:8000
Configuration files
These files are located under your Splunk installation directory (usually referred to in the documentation as $SPLUNK_HOME) under /etc/system.
Preferred Splunk Enterprise component to integrate into a Windows system image
The universal forwarder is designed to share resources on computers that perform other roles, and does much of the work that an indexer can, at much less cost.
You can also modify the forwarder’s configuration using the deployment server or an enterprise-wide configuration manager with no need to use Splunk Web to make changes.
Access Splunk Free from a remote browser
You cannot access Splunk Free from a remote browser until you have edited $SPLUNK_HOME/etc/local/server.conf and set allowRemoteLogin to Always.