Fast and Simple Splunk for Kubernetes

The amount of data an average enterprise generates on any given day is enormous. With companies embracing microservices and meaningful investments being made to expand hybrid cloud footprints, many enterprises are turning to Splunk to gather near real-time insights about their distributed infrastructure and applications.

However, in 2020, many are also being asked to do more with less.

In this blog post, we’ll introduce a new way to deploy and scale Splunk using pure cloud-native technologies to optimize the architecture, dramatically improve data ingest, and ultimately run more efficiently and save money.

Containerizing Splunk

Containers are often associated with simple web applications, but as Kubernetes and the surrounding ecosystem have matured, that assumption is rapidly changing. The standard architecture of a Splunk environment lends itself well to containerization, which opens the door to several immediate advantages:

  • Increased portability — Since a container contains everything an application needs to run (libraries, runtimes, etc.), it’s easy to run a container anywhere, whether on-premises or in the cloud.
  • Simple, fast deployment — Containers make deployment simple, giving you a master image to deploy numerous replicas on demand. Spin up and spin down containerized applications as you desire.
  • Improved flexibility — You can scale containerized applications quickly and easily by moving a container to additional hardware or cloud instances on the fly or scaling out with additional replicas.
  • Enhanced productivity — Containers cut down on development and deployment time, simplifying the install process and reducing errors.
  • Better security — Containers improve workload isolation and help protect against outside threats.

The harder aspect of containerizing Splunk is actually building the reliable and secure artifacts that make up a typical Kubernetes application deployment. That’s where Helm charts come in. Helm charts are an open source packaging format used to define complex containerized applications and the configuration of all the components necessary to deploy them. With a Helm chart, it is incredibly simple to stand up an entire Splunk environment, including forwarders, indexers and search heads, with a single command: $ helm install [chart directory]

Deploying to a Splunk Validated Architecture (SVA)

To enable customers to rapidly deploy a Splunk environment on Kubernetes, Diamanti and the Kinney Group – a Splunk Professional Services Partner of the Year winner – have collaborated to build a Helm chart that adheres to a Splunk Validated Architecture. SVAs are reference architectures that Splunk has tested and approved as a way to standardize different deployment models. The specific SVA that we’ve optimized for is known as the C1 / C11 SVA for single-site, clustered deployments.

The Helm chart supports the following design, intended to be deployed across 3 Diamanti nodes:

  • 8 Indexers
  • 1 Enterprise Security Search Head
  • 1 Cluster Master
  • 1 License Master
  • Up to 4 Forwarders

Using this Helm chart, companies get up and running with a containerized Splunk deployment on the Diamanti platform in minutes.

And the results are fantastic!

With Diamanti’s high-performance architecture and patented I/O acceleration technology, companies are able to ingest several terabytes of data a day without issue.

To learn more about this validated design and the testing results, and to learn how to get access to the Helm charts, please join us tomorrow for a joint webinar with Dell Technologies and Kinney Group: Deploying Splunk on Dell / Diamanti for increased savings and performance.
