High-performance Splunk onEMC Scale-Out Storage,Cisco USC and VMware

Jonas Roslandjonas.rosland@emc.com@virtualswede

Solutions Architect, EMC Office of the CTO

Co-sponsored by Intel®

Cisco Confidential 2© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential 3© 2013-2014 Cisco and/or its affiliates. All rights reserved.

What is Splunk?

Cisco Confidential 4© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Engine for Collecting, Indexing, Analyzing, and Visualizing: Machine Data Logs Application Queues Records (Billing, Call Detail, Events) Click Streams Performance Metrics Packet Data

What is Splunk?

Cisco Confidential 5© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Better understanding of your environment to drive decisions

Search and Visualization Tools analyze data(Question Focused Data Set)

Automated Reporting

Why use Splunk?

Cisco Confidential 6© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Splunk indexers receive data from various sources

Those indexes are then searchable

For increased performance and scalability multiple Indexers can be deployed

A Search Head searches through all servers for specific data in an index

Clients connect to a Search Head for searching

How do you leverage Splunk?

Cisco Confidential 7© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Why Cisco together with EMC and VMware for Splunk?

Cisco Confidential 8© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Indexes are divided into different pieces: Hot – Newly indexed data, open for writing, searchable Warm – Data rolled from hot, searchable Cold – Data rolled from warm, searchable Frozen – Data rolled from cold, unsearchable, usually deleted or

archived Thawed – Restored Frozen data, searchable

Splunk handles ILM well

Cisco Confidential 9© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Indexes are divided into different storage solutions: Hot & Warm – Put on Cisco UCS servers with EMC ScaleIO, seen as

”Hot Edge” in 3rd platform, usually up to 10 – 100 TB. Cold, Frozen & Thawed – Put on EMC Isilon, seen as ”Cold Core”, for

longer keeping of data, up to PBs or EBs, up to you!

Customers will benefit from Splunk’s ILM

Cisco Confidential 10© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Example deployment of Splunk with Cisco UCS, EMC ScaleIO and Isilon

Cisco Confidential 11© 2013-2014 Cisco and/or its affiliates. All rights reserved.

As indexes are divided into different storage solutions, so are the performance and cost tiers

Scale-out storage architectures gives more control over the collected data without sacrificing the simplicity of Splunk

SPOF in Splunk are minimized as storage is spread over multiple nodes instead of standard DAS deployments

Storage teams can be given control over Splunk storage, server/Splunk admins need not to worry anymore (also called going home at 5PM)

Customer benefits of this solution

Cisco Confidential 12© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Splunk is usually deployed on bare metal servers

Customers can benefit from consolidating these into virtual servers

Customers just need to make sure that they set the virtual hardware to be properly sized for their Splunk environment

With VMware, we also remove a large Splunk SPOF which is the bare metal server itself

Benefits of using VMware for Splunk

Cisco Confidential 13© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential 14© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Whitepaper: https://community.emc.com/docs/DOC-34096

Performance metrics: http://purevirtual.eu/2014/01/28/splunk-on-vmware-and-emc-scaleio

-a-quick-index-performance-test/

Documentation available!

Questions and/or comments?

Send them to:

Jonas Roslandjonas.rosland@emc.com@virtualswede

Thank you.

Co-sponsored by Intel®