Splunk POD architecture
Architectural components of the Kubernetes-based Splunk POD environment, including sizing tiers, node types, storage framework, and hardware specifications.
Review the key architectural elements of a Splunk POD deployment, including sizing options, node types, storage framework, and hardware specifications, all of which align with Splunk Validated Architecture (SVA) standards.
Splunk POD sizing options
Splunk POD offers three sizing options to accommodate the data ingest requirements of organizations of different sizes.
| Size | Max Ingest | Use Case | Hardware Profile |
|---|---|---|---|
| Small | 500 GB/day | Department / Small Enterprise | 12–13 nodes |
| Medium | 1 TB/day | Mid-size Enterprise | 15 or 18 nodes (ES) |
| Large | 2.5 TB/day | Large Enterprise | 19 or 22 nodes (ES) |
POD small uses the SVA C1 profile. POD medium and POD large use the SVA C3 profile.
Component overview
The Splunk Operator for Kubernetes (SOK) manages components within the cluster across three main node types:
| Node Type | Description |
|---|---|
| Bastion node | A single node external to the cluster that hosts the Kubernetes Installer and serves as the primary interface for cluster operations. |
| Controller nodes | Three dedicated nodes that host the Kubernetes control plane for orchestration and high availability. |
| Worker nodes | Nodes that handle primary workloads, including Splunk Enterprise components (search heads, cluster manager, license manager, deployer, and monitoring console), Enterprise Security (ES) instances, volume servers (SeaweedFS), and load balancers. |
Storage framework
SeaweedFS provides internal, S3-compliant object storage for SmartStore and the SOK app framework within the Kubernetes cluster.
Key features and resiliency
- Storage isolation: The SeaweedFS object store remains separate from Splunk local storage (on indexers) to prevent resource contention.
- Data replication: The system stores three replicas of every object to ensure data availability.
- Fault tolerance: The storage layer remains operational during the simultaneous loss of two SeaweedFS nodes.
- Self-healing: The system automatically rebalances data when nodes rejoin the cluster.
SeaweedFS service components
SeaweedFS operates through a coordinated set of pods within the cluster:
- 3 manager pods: Coordinate volume management and metadata.
- 3+ filer pods: Handle file operations and provide the S3 API interface.
- Volume pods: One volume pod runs on each SeaweedFS storage node to store and manage physical data.
Storage mapping
- SmartStore: All warm and cold buckets reside internally in SeaweedFS.
- App framework: The system stores app framework packages in SeaweedFS for distribution across the cluster.
- Access control: SOK manages SeaweedFS itself; customers have no direct access to the internal storage layer.
Hardware specifications
| Cisco Server Model | CPU Cores | RAM | Node role (primary use case) |
|---|---|---|---|
| UCS C225 M8S | 24 cores | 25 GB | Bastion, Controllers, Search Heads |
| UCS C245 M8SX | 32 cores | 256 GB | Indexer nodes |
| UCS C245 M8SX | 32 cores | 128 GB | Volume nodes |
Component resource allocation (software limits)
SOK enforces these resource constraints per pod:
| Pod Type | CPU Cores | Memory (RAM) |
|---|---|---|
| Indexer Pod | 36 cores | 96 GB |
| Search Head Pod | 24 cores | 96 GB |
Detailed sizing profiles
Profiles include 2x Nexus N9K-C9336C-FX2 switches for rack networking.
POD Small
| Property | Value |
|---|---|
| Profile name | pod-small |
| Max Ingest | 500 GB/day |
| Splunk Topology | 1 Standalone SH, 3 Clustered IDX, 1 CM, 1 LM |
| Total Nodes | 12 Nodes |
| C225 Servers | 5 (3 Ctrl, 1 SH, 1 Bastion) |
| C245 Servers | 7 (3 Indexer @ 77 TB, 4 Volume @ 367 TB) |
POD Small with ES
| Property | Value |
|---|---|
| Profile name | pod-small |
| Max Ingest | 500 GB/day |
| Splunk Topology | 2 Standalone SH (1 for ES), 3 Clustered IDX, 1 CM, 1 LM |
| Total Nodes | 13 Nodes |
| C225 Servers | 6 (3 Ctrl, 2 SH, 1 Bastion) |
| C245 Servers | 7 (3 Indexer @ 77 TB, 4 Volume @ 367 TB) |
POD Medium
| Property | Value |
|---|---|
| Profile name | pod-medium |
| Max Ingest | 1 TB/day |
| Splunk Topology | 3 Clustered SH, 4 Clustered IDX, 1 CM, 1 LM, 1 SHC Deployer |
| Total Nodes | 15 Nodes |
| C225 Servers | 7 (3 Ctrl, 3 SH, 1 Bastion) |
| C245 Servers | 8 (4 Indexer @ 77 TB, 4 Volume @ 367 TB) |
POD Medium with ES
| Property | Value |
|---|---|
| Profile name | pod-medium |
| Max Ingest | 1 TB/day |
| Splunk Topology | 3 Clustered SH, 3 Clustered SH (ES), 4 Clustered IDX, 1 CM, 1 LM, 2 SHC Deployers |
| Total Nodes | 18 Nodes |
| C225 Servers | 10 (3 Ctrl, 6 SH, 1 Bastion) |
| C245 Servers | 8 (4 Indexer @ 77 TB, 4 Volume @ 367 TB) |
POD Large
| Property | Value |
|---|---|
| Profile name | pod-large |
| Max Ingest | 2.5 TB/day |
| Splunk Topology | 3 Clustered SH, 7 Clustered IDX, 1 CM, 1 LM, 1 SHC Deployer |
| Total Nodes | 19 Nodes |
| C225 Servers | 7 (3 Ctrl, 3 SH, 1 Bastion) |
| C245 Servers | 12 (7 Indexer @ 77 TB, 5 Volume @ 367 TB) |
POD Large with ES
| Property | Value |
|---|---|
| Profile name | pod-large |
| Max Ingest | 2.5 TB/day |
| Splunk Topology | 3 Clustered SH, 3 Clustered SH (ES), 7 Clustered IDX, 1 CM, 1 LM, 2 SHC Deployers |
| Total Nodes | 22 Nodes |
| C225 Servers | 10 (3 Ctrl, 6 SH, 1 Bastion) |
| C245 Servers | 12 (7 Indexer @ 77 TB, 5 Volume @ 367 TB) |
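As an added example (not Splunk's or SOK's own code), the following script ties the storage framework's replication figures to the sizing profiles above: it checks that each profile's server counts add up, converts raw SeaweedFS capacity into usable capacity after three-way replication, and tests whether a profile can survive the stated two-node loss and whether the surviving volume nodes can hold a full replica set. The profile numbers are transcribed from the tables; the validation rules and the assumption that replicas are placed on distinct nodes are this example's own, not Splunk-published formulas.

```python
# Added example, not Splunk's or SOK's own code: self-consistency checks for the
# POD sizing profiles and SeaweedFS resiliency figures quoted on this page.
# Numbers are transcribed from the tables; the rules (node arithmetic, replica
# overhead, node-loss survivability) are assumptions drawn from the text.
from dataclasses import dataclass

REPLICAS = 3             # page: three replicas of every object
TOLERATED_NODE_LOSS = 2  # page: operational through loss of two SeaweedFS nodes
VOLUME_NODE_TB = 367     # page: raw storage per C245 volume node

@dataclass(frozen=True)
class Profile:
    label: str
    total_nodes: int
    c225: int          # bastion + controllers + search heads
    c245: int          # indexers + SeaweedFS volume nodes
    indexers: int
    volume_nodes: int

PROFILES = [
    Profile("pod-small", 12, 5, 7, 3, 4),
    Profile("pod-small + ES", 13, 6, 7, 3, 4),
    Profile("pod-medium", 15, 7, 8, 4, 4),
    Profile("pod-medium + ES", 18, 10, 8, 4, 4),
    Profile("pod-large", 19, 7, 12, 7, 5),
    Profile("pod-large + ES", 22, 10, 12, 7, 5),
]

def usable_object_store_tb(p: Profile) -> float:
    """Raw SeaweedFS capacity divided by the replica count (assumes no other overhead)."""
    return p.volume_nodes * VOLUME_NODE_TB / REPLICAS

def survives_node_loss(p: Profile) -> bool:
    """Every object keeps a replica after TOLERATED_NODE_LOSS failures, if replicas sit on distinct nodes."""
    return REPLICAS > TOLERATED_NODE_LOSS and p.volume_nodes >= REPLICAS

def restores_redundancy_without_rejoin(p: Profile) -> bool:
    """Surviving nodes can host all REPLICAS copies; otherwise full redundancy waits for nodes to rejoin."""
    return p.volume_nodes - TOLERATED_NODE_LOSS >= REPLICAS

def validate(p: Profile) -> list:
    """Inconsistencies in a profile; an empty list means the published counts add up."""
    problems = []
    if p.c225 + p.c245 != p.total_nodes:
        problems.append(f"{p.label}: {p.c225}+{p.c245} servers != {p.total_nodes} nodes")
    if p.indexers + p.volume_nodes != p.c245:
        problems.append(f"{p.label}: indexers + volume nodes != {p.c245} C245 servers")
    if not survives_node_loss(p):
        problems.append(f"{p.label}: cannot lose {TOLERATED_NODE_LOSS} volume nodes safely")
    return problems
```

Running `validate` over `PROFILES` returns no problems for any published profile, while `restores_redundancy_without_rejoin` is false for the small and medium profiles (two surviving volume nodes cannot hold three distinct replicas), which is why the self-healing rebalance on node rejoin matters there.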