Splunk POD core concepts

Splunk POD integrates Cisco UCS hardware with containerized Splunk software to create a resilient, automated environment.

How Splunk POD works

Splunk POD uses the Splunk Operator for Kubernetes (SOK) to deploy Splunk Enterprise on a Kubernetes cluster. Three software layers run on pre-validated Cisco UCS servers:

  • Kubernetes: The container orchestration platform.
  • Splunk Operator for Kubernetes (SOK): Automates Splunk Enterprise deployments.
  • Splunk Enterprise: The containerized software platform, including search heads, indexers, and management components.

Dedicated UCS servers provide high-performance resources. Choose from three sizing options based on ingest volume requirements: small, medium, or large. For more information about sizing and components, see Splunk POD architecture.

Kubernetes Installer for Splunk POD

The Kubernetes Installer deploys the environment using a single ELF binary that contains all necessary components and OCI images. The installer automates the installation and management of the entire stack based on a static cluster configuration file (cluster-config.yaml). For installation instructions, see Deploy Splunk POD.

Scheduling and resiliency

Splunk POD uses Kubernetes scheduling to ensure performance and fault tolerance. The installer applies placement rules as soft constraints during pod assignment to provide flexibility during node failures or hardware changes.

Placement rules:

  • Strict separation (protected components): Prevents resource contention and ensures high availability by not co-locating pods of the same type on a single host. This creates dedicated servers for indexers, search heads, and storage.
  • Flexible placement (management components): Allows management components (cluster manager, license manager, deployer, and monitoring console) to co-locate with other pods if resources allow.

For more information on node types and hardware, see Splunk POD architecture.
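
Because the placement rules are soft constraints, the scheduler can still place two pods of a protected type on one host, for example after a node failure. The following added example (not part of the Splunk documentation or the installer) scans a pod list shaped like `kubectl get pods -o json` output for that condition; the label key, component values, pod names, and node names are assumptions made for illustration.

```python
import json
import sys
from collections import defaultdict

# Assumptions (not from the Splunk docs): the label key and component values.
COMPONENT_LABEL = "app.kubernetes.io/component"
PROTECTED = {"indexer", "search-head", "storage"}

def _pod(name, component, node=None):
    """Build a constructed pod record shaped like `kubectl get pods -o json`."""
    spec = {"nodeName": node} if node else {}
    return {"metadata": {"name": name, "labels": {COMPONENT_LABEL: component}},
            "spec": spec}

# Constructed sample: two indexers share ucs-01, one indexer is still Pending,
# and management components share ucs-03 (allowed by flexible placement).
SAMPLE = {"items": [
    _pod("idx-0", "indexer", "ucs-01"),
    _pod("idx-1", "indexer", "ucs-01"),
    _pod("idx-2", "indexer", "ucs-02"),
    _pod("idx-3", "indexer"),
    _pod("sh-0", "search-head", "ucs-03"),
    _pod("cm-0", "cluster-manager", "ucs-03"),
    _pod("lm-0", "license-manager", "ucs-03"),
]}

def colocated_protected(pod_list):
    """Return {(node, component): [pod names]} for every protected component
    that has more than one pod scheduled on the same node."""
    placed = defaultdict(list)
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        component = (meta.get("labels") or {}).get(COMPONENT_LABEL)
        node = pod.get("spec", {}).get("nodeName")
        # Pods without a nodeName are not scheduled yet and cannot collide.
        if component in PROTECTED and node:
            placed[(node, component)].append(meta.get("name", "<unnamed>"))
    return {key: sorted(names) for key, names in placed.items() if len(names) > 1}

if __name__ == "__main__":
    # Pass a saved pod list as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            pods = json.load(fh)
    else:
        pods = SAMPLE
    for (node, component), names in sorted(colocated_protected(pods).items()):
        print(f"{node}: {len(names)} {component} pods co-located: {', '.join(names)}")
```

A non-empty result means the strict-separation preference was not satisfied at scheduling time and the affected hosts are worth reviewing once the failed node returns.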

Tiered storage (SmartStore)

Splunk POD implements a tiered storage framework that balances search performance and long-term data retention. Splunk SmartStore manages the movement of data between two layers:

  • Local cache: High-performance storage on indexer nodes for hot and warm data.
  • Object store (SeaweedFS): S3-compliant storage within the Kubernetes cluster that replicates data for resiliency.

This design separates the storage and compute tiers to prevent I/O contention. For details on the storage framework, see Splunk POD architecture.

Validated architectures

Splunk POD uses Splunk Validated Architectures (SVA) to ensure the environment meets established performance and reliability standards. This alignment provides a predictable environment based on Splunk best practices for enterprise scale. For more information, see Splunk Validated Architectures (SVA).