Splunk POD architecture

Architectural components of the Kubernetes-based Splunk POD environment, including sizing tiers, node types, storage framework, and hardware specifications.

Review the key architectural elements of a Splunk POD deployment, including sizing options, node types, storage framework, and hardware specifications, all of which align with Splunk Validated Architecture (SVA) standards.

Splunk POD sizing options

Splunk POD offers 4 sizing options to accommodate the data ingest requirements of different size organizations.

Size Max Ingest Use Case Hardware Profile (nodes)
Small 500 GB/day Department / Small Enterprise 12 or 13 (with ES or ITSI)
Medium 1 TB/day Mid-size Enterprise 15 or 18 (with ES or ITSI)
Large 2.5 TB/day Large Enterprise 19 or 22 (with ES or ITSI)
X-Large 10 TB/day Large Enterprise 34 or 37 (with ES or ITSI)

For detailed information on Splunk POD sizing options, see Detailed sizing profiles.

For more information on Splunk POD components, see the Splunk POD CVD.

Storage framework

SeaweedFS provides S3-compliant object storage for SmartStore and the SOK app framework within the Kubernetes cluster.

Key features and resiliency

  • Storage isolation: Separates object storage and local storage (on indexers) to prevent resource contention.
  • Data replication: Stores 3 replicas of every object for high availability.
  • Fault tolerance: Withstands simultaneous failure of 2 SeaweedFS nodes.
  • Self-healing: Automatically rebalances data when nodes rejoin the cluster.

SeaweedFS service components

Component Description
3 manager pods Coordinate volume management and metadata.
3+ filer pods Handle file operations and provide the S3 API interface.
Volume pods One volume pod runs on each SeaweedFS node to store and manage physical data.

Storage Mapping

Component Description
SmartStore All warm and cold buckets reside internally in SeaweedFS.
App framework Stores app framework packages in SeaweedFS for distribution across the cluster.
Access control SOK manages SeaweedFS directly with no direct customer access to the internal storage layer.

For more information on SeaweedFS, see the Splunk POD CVD.

Hardware specifications

Cisco Server Model CPU Cores RAM Node role (primary use case)
UCS C225 M8S 16 cores 64 GB Bastion
UCS C225 M8S 8 cores 64 GB Controllers
UCS C225 M8S 24 cores 256 GB Search Head nodes
UCS C245 M8SX 32 cores 256 GB Indexer nodes
UCS C245 M8SX 32 cores 128 GB Volume nodes

For detailed hardware specifications, see the Splunk POD CVD.

Component resource allocation (software limits)

SOK enforces these resource constraints per pod:

Pod Type CPU Cores Memory (RAM)
Indexer Pod 36 cores 96 GB
Search Head Pod 24 cores 96 GB
Note: POD deployments that include Enterprise Security (ES) standalone search heads might require additional resources.

Detailed sizing profiles

POD Small

Profile name pod-small
Max Ingest 500 GB/day
Splunk Topology 1 Standalone SH, 3 Clustered IDX, 1 CM, 1 LM
Storage retention Hot data (local cache): 90 days; SmartStore: 1 year
Total Nodes 12 Nodes
C225 Servers 5 (3 Ctrl, 1 SH, 1 Bastion)
C245 Servers 7 (3 Indexer @ 77 TB, 4 Volume @ 367 TB)
Nexus switches 2 Nexus N9K-C9336C-FX2

POD Small with ES or ITSI

Profile name pod-small
Max Ingest 500 GB/day
Splunk Topology 2 Standalone SH (1 for ES or ITSI), 3 Clustered IDX, 1 CM, 1 LM
Storage retention Hot data (local cache): 90 days; SmartStore: 1 year
Total Nodes 13 Nodes
C225 Servers 6 (3 Ctrl, 2 SH, 1 Bastion)
C245 Servers 7 (3 Indexer @ 77 TB, 4 Volume @ 367 TB)
Nexus switches 2 Nexus N9K-C9336C-FX2

POD Medium

Profile name pod-medium
Max Ingest 1 TB/day
Splunk Topology 3 Clustered SH, 4 Clustered IDX, 1 CM, 1 LM, 1 SHC Deployer
Storage retention Hot data (local cache): 90 days; SmartStore: 1 year
Total Nodes 15 Nodes
C225 Servers 7 (3 Ctrl, 3 SH, 1 Bastion)
C245 Servers 8 (4 Indexer @ 77 TB, 4 Volume @ 367 TB)
Nexus switches 2 Nexus N9K-C9336C-FX2

POD Medium with ES or ITSI

Profile name pod-medium
Max Ingest 1 TB/day
Splunk Topology 3 Clustered SH, 3 Clustered SH (ES or ITSI), 4 Clustered IDX, 1 CM, 1 LM, 2 SHC Deployers
Storage retention Hot data (local cache): 90 days; SmartStore: 1 year
Total Nodes 18 Nodes
C225 Servers 10 (3 Ctrl, 6 SH, 1 Bastion)
C245 Servers 8 (4 Indexer @ 77 TB, 4 Volume @ 367 TB)
Nexus switches 2 Nexus N9K-C9336C-FX2

POD Large

Profile name pod-large
Max Ingest 2.5 TB/day
Splunk Topology 3 Clustered SH, 7 Clustered IDX, 1 CM, 1 LM, 1 SHC Deployer
Storage retention Hot data (local cache): 90 days; SmartStore: 1 year
Total Nodes 19 Nodes
C225 Servers 7 (3 Ctrl, 3 SH, 1 Bastion)
C245 Servers 12 (7 Indexer @ 77 TB, 5 Volume @ 367 TB)
Nexus switches 2 Nexus N9K-C9336C-FX2

POD Large with ES or ITSI

Profile name pod-large
Max Ingest 2.5 TB/day
Splunk Topology 3 Clustered SH, 3 Clustered SH (ES or ITSI), 7 Clustered IDX, 1 CM, 1 LM, 2 SHC Deployers
Storage retention Hot data (local cache): 90 days; SmartStore: 1 year
Total Nodes 22 Nodes
C225 Servers 10 (3 Ctrl, 6 SH, 1 Bastion)
C245 Servers 12 (7 Indexer @ 77 TB, 5 Volume @ 367 TB)
Nexus switches 2 Nexus N9K-C9336C-FX2

POD X-Large

Profile name pod-xlarge
Max Ingest 10 TB/day
Splunk Topology 3 Clustered SH, 17 Clustered IDX, 1 CM, 1 LM, 1 SHC Deployer
Storage retention Hot data (local cache): 60 days; SmartStore: 180 days
Total Nodes 34 Nodes
C225 Servers 7 (3 Ctrl, 3 SH, 1 Bastion)
C245 Servers 27 (17 Indexer @ 77 TB, 10 Volume @ 367 TB)
Nexus switches 4 Nexus N9K-C9336C-FX2

POD X-Large with ES or ITSI

Profile name pod-xlarge
Max Ingest 10 TB/day
Splunk Topology 3 Clustered SH, 3 Clustered SH (ES or ITSI), 17 Clustered IDX, 1 CM, 1 LM, 2 SHC Deployers
Storage retention Hot data (local cache): 60 days; SmartStore: 180 days
Total Nodes 37 Nodes
C225 Servers 10 (3 Ctrl, 6 SH, 1 Bastion)
C245 Servers 27 (17 Indexer @ 77 TB, 10 Volume @ 367 TB)
Nexus switches 4 Nexus N9K-C9336C-FX2
For detailed information on Splunk POD sizing, components, and hardware specifications, see the Splunk POD CVD.