
Cisco HyperFlex Systems for Splunk Enterprise | Solution Overview

Cisco HyperFlex Systems for Splunk Enterprise

Implement a private cloud-in-a-box solution for Splunk workloads.

Solution Overview

Highlights

Cisco HyperFlex™ systems: This flexible, agile, efficient, and scalable next-generation hyperconverged platform is powered by the Cisco Unified Computing System™ (Cisco UCS®). It provides customers with unified fabric, unified management, and advanced monitoring capabilities. It also provides consistent and rapid deployment for out-of-the-box performance using service profiles.

Cisco HyperFlex HX Data Platform: This high-performance, flash-optimized distributed file system delivers a wide range of enterprise-class data management and optimization services without compromising data management, storage efficiency, or latency.

Operational intelligence with Splunk Enterprise: Splunk software monitors and analyzes data from any source, including computing, storage, and networking activities; service health; firewall access; and customer click streams and call records. It turns machine-generated data into business insight.

Intelligent private cloud-in-a-box solution: For new applications and operational models, you need a solution that helps you scale capabilities as you need them. This solution simplifies scaling at precise levels for a scale-out design, enabling you to spend money only when you need to do so.

Powerful search, analysis, and visualization capabilities with Splunk Enterprise: Gain an easy, fast, and secure way to analyze massive streams of data generated by IT systems, security devices, and technical infrastructure.

Validated solutions: This solution is built to complement the widely deployed converged infrastructure solution Splunk on Cisco UCS Integrated Infrastructure for Big Data. The solution has been tested and validated for various virtual machine configurations with both synthetic and real-world IT operations workloads.

Cisco HyperFlex systems: Fast and flexible hyperconverged systems

Engineered on the Cisco Unified Computing System™ (Cisco UCS®), Cisco HyperFlex™ systems unlock the full potential of hyperconverged solutions to deliver the agility, scalability, security, and lifecycle management capabilities you need for operational simplicity. Cisco HyperFlex systems support the pay-as-you-grow economics of the cloud with the benefits of on-premises infrastructure.


Cisco HyperFlex systems combine software-defined computing in the form of Cisco UCS servers, software-defined storage with powerful Cisco HyperFlex HX Data Platform software, and software-defined networking (SDN) with Cisco® unified fabric.

In Cisco HyperFlex systems, the data platform spans three or more Cisco HyperFlex HX-Series nodes to create a highly available cluster. Each node includes an HX Data Platform controller that implements the scale-out and distributed file system using internal flash-based solid-state disks (SSDs) or a combination of flash-based SSDs to store data. The controllers communicate with each other over 40 Gigabit Ethernet to present a single pool of storage that spans the nodes in the cluster (Figure 1). Nodes access data through a data layer using file, block, object, and API plug-ins. As nodes are added, the cluster scales linearly to deliver computing, storage capacity, and I/O performance.

Figure 1 Cisco HyperFlex systems offer next-generation hyperconverged solutions with a set of features only Cisco can deliver

[Figure 1 diagram labels: Cisco HyperFlex HX-Series nodes (CPU/memory, SSD, HDD, NVMe, network) hosting applications on the Cisco HyperFlex HX Data Platform; 40-Gbps unified fabric with Cisco UCS 6300 Series Fabric Interconnects; device-independent HTML5 management interface; VMware vSphere management plug-in. Callouts: your choice of management interfaces for hardware and software; all-flash storage; integrated network fabric; designed to support virtualized environments with rapid scalability.]

Cisco HyperFlex HX Data Platform

The unique data demands imposed by applications on virtual machines have resulted in many storage silos. A foundation of Cisco HyperFlex systems, the HX Data Platform (Figure 2) is a purpose-built, high-performance, log-structured, scale-out file system that is designed for hyperconverged environments.

The data platform’s innovations redefine scale-out and distributed storage technology, going beyond the boundaries of first-generation hyperconverged infrastructure and offering a wide range of enterprise-class data management services.


Figure 2 Cisco HyperFlex HX Data Platform architecture

[Figure 2 diagram labels: Cisco HyperFlex HX-Series nodes (CPU and memory, SSD, HDD, network); ESXi hypervisor with VMs, data platform controller, VAAI, and IOVisor on each node; Cisco HyperFlex HX Data Platform; 40-Gbps unified fabric; Cisco UCS 6300 Series Fabric Interconnects.]

Cisco HyperFlex HX Data Platform has been demonstrated to be the industry-leading platform for hyperconvergence. It is a viable platform for applications such as Virtual Desktop Infrastructure (VDI), Virtual Server Infrastructure (VSI), and databases. It can be used in production, test, and development environments, in which multiple application instances can co-exist and be managed from a single management pane. For more information, refer to the Cisco HyperFlex systems white paper.

The data platform offers the following main benefits to the end user:

• Intelligent storage management with dynamic data distribution for balanced storage utilization, helping ensure consistent performance

• Enterprise-class storage and maintenance features such as inline deduplication, compression, snapshots, and single-button nondisruptive rolling upgrades

• Robust reporting and analytics, automation, and orchestration through Cisco UCS Director

• Adaptive infrastructure with pay-as-you-grow efficiency for production, development, test, and Remote-Office and Branch-Office (ROBO) deployments

• Ease of deployment and scaling, with deployment in an hour or less, thus accelerating time to value

• Capability to host multiple applications in one high-performance, all-flash hyperconverged infrastructure

- Single-cluster infrastructure that can host multiple application instances (Splunk, database applications, and VDI)

- Capability to carve out resources logically into multiple pools, thereby enabling seamless multitenancy

• Native data availability through three-way replication


Machine data: The pulse of your digital infrastructure

The interconnected systems powering the on-premises digital data infrastructure constantly provide volumes of information about the status and details of a system’s health, operations, results, and intrusions. The application of operational analytics to this machine-generated data is essential to keep the digital machines of modern enterprises operating at high efficiency. Visibility into the operation of various IT systems at multiple levels – network switches, routers, firewalls, Internet of Things (IoT) devices, virtual machines, containers, applications, and clouds – is of paramount importance for modern enterprises.

The data generated by various systems is disparate in nature, so the traditional approach was to use custom-built tools to analyze each specific system or group of systems. This approach to analysis results in data silos, which require much coordination and manual correlation to derive insights for decision makers. The repetitive and manual nature of this process limits agility, scalability, and focus.

Splunk Enterprise for IT operational intelligence and security analytics

Splunk Enterprise is a leading platform for IT operational analytics. It can monitor a variety of machine data and help with the monitoring, analysis, and correlation of the operational data from the entire digital infrastructure. It can thus offer competitive and productive insights to decision makers and business leaders. It offers custom, insightful dashboards for key business decision makers, enabling organizations to achieve value fast. It also empowers engineers to drill down and perform additional targeted automated and impromptu searches for correlation across multiple tiers of machine data.

Table 1 lists sample use cases of Splunk Enterprise across major industry vertical markets.

Table 1 Sample use cases

Industry: Use cases

Aerospace and defense
• Monitor the health of assets, reliability, and system integrity
• Protect critical infrastructure from cybersecurity threats
• Gain real-time insights from sensors and devices alongside the core IT infrastructure

Service providers
• Accelerate service provisioning and delivery of new products
• Improve overall security posture and reduce fraud
• Improve customer experiences

Energy and utilities
• Monitor the health of assets, reliability, and system integrity
• Protect critical infrastructure from cybersecurity threats

Financial services
• Protect against cyber threats and fraud
• Improve IT operational efficiency
• Bring order to unstructured data
• Derive deep customer insights using machine learning and advanced analytics

Healthcare
• Gain insights into system performance and interact with the broader healthcare ecosystem
• Protect patient records and comply with regulatory requirements
• Deliver better information access to patients, payers, and providers

Higher education
• Gain end-to-end situational awareness
• Gain visibility into IT operations, regulations, and mandates
• Improve security, compliance, and real-time monitoring of security incidents and problem mitigation

Manufacturing
• Gain visibility into IT and manufacturing operations
• Improve performance and uptime of systems and applications
• Improve security posture
• Gain insight into device, sensor, and equipment performance

Online services
• Improve website performance and uptime, strengthen your security posture, and improve the customer experience
• Manage cloud, on-premises, and hybrid environments
• Monitor DevOps

Public sector
• Address the use cases in all three branches of government and four branches of the military
• Improve cybersecurity

Retail
• Gain operational visibility across systems and applications across sales channels
• Gain visibility into order, inventory, and process tracking
• Gain real-time insights into cross-channel customer behavior

Reference architecture for Splunk Enterprise

The proven converged infrastructure solution Cisco UCS Integrated Infrastructure for Splunk Enterprise is recommended for large-scale, highly available distributed Splunk deployments. The hyperconverged all-flash Cisco HyperFlex configuration summarized in Table 2 has been developed as a complementary offering for those customers who want their Splunk workloads to be virtualized and who are interested in a cloud-like architecture on their premises. This solution has been tested and validated with Splunk workloads with various virtual machine specifications.

Table 2 Configuration details

Server nodes: 4 x Cisco HyperFlex 240c M4 All Flash Nodes, each with:

• 1 x Cisco UCS Virtual Interface Card (VIC) 1387 modular LAN on motherboard (mLOM)

• 2 x Intel Xeon processor E5-2680 v4 CPUs

• 384 GB of DDR4 RAM

• 1 x 800-GB SSD Enterprise Performance (SSD-EP) caching drive

• 23 x 960-GB SSD Enterprise Value (SSD-EV) all-flash (capacity) SSD drives

Connectivity: 2 x Cisco UCS 6332 Fabric Interconnects with 32 x 40 Gigabit Ethernet ports


Figure 3 shows the configured solution.

Figure 3 Configured solution

Cisco HyperFlex HX Data Platform solutions are built on the Cisco UCS platform. They offer faster deployment and greater flexibility and efficiency at a competitive price, while lowering risk for the customer. This approach reduces or eliminates the need for planning and configuration decisions, while allowing the customization needed to address customer workload needs. The platform and management model adopted represents an extension of established Cisco UCS data center strategy, in which familiar components are managed in a consistent manner through a policy-based framework with Cisco UCS Manager.

Splunk Enterprise on Cisco HyperFlex all-flash systems

Splunk deployments typically start small and expand rapidly to address additional use cases. An infrastructure that can scale quickly to meet this need is thus of paramount importance. Cisco HyperFlex all-flash systems can be used to host a number of virtual machines that can support any of the following Splunk software roles:

• Splunk indexers: An indexer is an instance of Splunk Enterprise that parses, transforms, indexes, and stores data in a distributed manner. It searches the indexed data in response to search requests from search heads. It can also allow data input in the absence of forwarders.

• Splunk search heads: A search head is a Splunk instance specifically configured to perform only search operations in a distributed Splunk configuration. It sends search requests to the appropriate set of indexers and merges the results. Multiple search heads can be configured in a cluster for high availability.

• Splunk heavy forwarders: A heavy forwarder is an instance of Splunk Enterprise configured specifically to gather data from multiple sources and forward them to Splunk indexers.

• Multiple standalone Splunk instances: The standalone instances are Splunk indexers that are meant to index less than 5 GB of data per day. They perform data indexing and searching and offer complete dashboard capabilities.

The HX Data Platform allows computing and storage resources to be managed at very precise levels. Table 3 lists the recommended virtual machine configurations for general-purpose IT operational analytics, enterprise security, and IT service intelligence use cases.

Table 3 Virtual machine configurations for general-purpose use cases

Specifications of Virtual Machine [1] building block

Splunk Enterprise for IT Operations Analytics (ITOA)

CPU: 12 virtual CPUs (vCPUs) [2]

Memory: 32 GB

Storage: According to the need

Index capacity per day: Up to 250 GB [3]

Notes:

1. The virtual machine can serve as an indexer, search head, or heavy forwarder. Please see Splunk reference architecture for virtualizing Splunk deployments.

2. For premium solutions such as Splunk Enterprise Security (ES) and Splunk IT Services Intelligence (ITSI), plan to increase the number of vCPUs and memory as needed.

3. The suggested maximum indexing capacities per indexer node are up to 250 GB per day for ITOA, and up to 100 GB per day for ITSI in ES solutions.


- Up to 2 TB daily indexing when used for ITOA use cases

- Up to 800 GB daily indexing when the system is used for ES or ITSI use cases

This solution provides the following benefits to your Splunk workloads:

• Hyperconverged platform: Built on Cisco UCS, Cisco HyperFlex systems combine networking, storage, and virtualization resources in a single converged platform

- The high-performance all-flash system provides consistent performance from day 1

- Intelligent data distribution promotes the balanced growth of Splunk indexes across the cluster, thereby helping ensure the operation of all indexers at peak performance

- Native replication helps reduce the stress on Splunk software and reduces the need for Splunk cluster management. Thus, Splunk Enterprise can perform its core functions of indexing, searching, and presenting dashboards to help provide valuable business insights

- Hyperconverged and converged (Cisco UCS Integrated Infrastructure) Splunk Enterprise deployments can be hosted in the same Cisco UCS domain, thus providing a single management plane for virtual, physical, scale-up, and scale-out needs

• Simplified management: A single administrator can manage all aspects of Cisco UCS and the Cisco HyperFlex system through Cisco UCS Manager and VMware vCenter Web Client, making tasks much easier and faster to complete

• Rapid deployment: The programmability and ease of use of Cisco UCS Manager allow Cisco HyperFlex systems to be deployed quickly and consistently

- This feature helps operationalize Splunk deployments at a fast pace

- Organizations experience Splunk as a ready-to-use solution

• Consistent performance: Organizations gain consistent performance and significantly better utilization of the hardware and software platform resources for Splunk workloads

Table 4 provides guidelines [1] for deployment scenarios for Splunk Enterprise on Cisco HyperFlex HX Data Platform. [2]

Table 4 Deployment guidelines

Rows: total users. Columns: daily indexing volume.

| Total users | < 100 GB per day | 100 to 300 GB per day | 300 to 600 GB per day | 600 GB to 1 TB per day | 1 to 2 TB per day |
|---|---|---|---|---|---|
| Up to 4 | 1 combined instance | 1 combined instance | 1 search head and 2 indexers | 1 search head and 3 indexers | 1 search head and 7 indexers |
| Up to 8 | 1 combined instance | 1 search head and 1 indexer | 1 search head and 2 indexers | 1 search head and 3 indexers | 1 search head and 8 indexers |
| Up to 16 | 1 search head and 1 indexer | 1 search head and 1 indexer | 1 search head and 3 indexers | 2 search heads and 4 indexers | 2 search heads and 10 indexers |
| Up to 24 | 1 search head and 1 indexer | 1 search head and 1 indexer | 2 search heads and 3 indexers | 2 search heads and 6 indexers | 2 search heads and 12 indexers |
| Up to 48 | 1 search head and 2 indexers | 1 search head and 2 indexers | 2 search heads and 4 indexers | 2 search heads and 7 indexers | 3 search heads and 14 indexers |

[1] These are guidelines only. Please modify these figures based on the use cases.

[2] An indexer that meets the reference hardware requirements can ingest up to 250 GB per day while supporting a search load.

Conclusion

Machine data offers a trove of insights, leading to organizational success and efficiency – but mining that data can be complicated without the right data analytics platform. Splunk Enterprise enables customers to derive real-time insights from this data, and Cisco HyperFlex systems’ agility, consistency, and resiliency address the complexities of hardware resource management and the need for rapid deployment and operationalization. Splunk Enterprise and Cisco HyperFlex systems help organizations more quickly build and maintain a next-generation digital data center that can provide smarter business outcomes.

For more information

For additional information, see:

• www.cisco.com/go/bigdata

• www.cisco.com/go/bigdata_design

• www.cisco.com/go/ucs

• www.cisco.com/go/HyperFlex

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2017 Splunk Inc. All rights reserved. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. C22-739511-00 08/17