Splunk on Nutanix Controversy – Answer for Yourself

HCI (and specifically Nutanix) has historically not been regarded as a viable infrastructure technology for hosting Splunk. This article helps readers make their own fact-based decisions based on Nutanix innovations.

January 7, 2021

Not a week goes by where we don’t hear about a customer Splunk opportunity. Often these opportunities include the usual suspects for the underlying infrastructure, whether this is traditional dedicated storage or servers with JBOD. Every now and then, however, Nutanix comes up in conversation — and will often get quickly dismissed.

Why is that? Perhaps Nutanix isn’t a good fit? Or perhaps there are misconceptions about the technology’s capabilities? Based on what we can gather, more often than not, it’s the latter. Before reading any further, take a pause here and answer this question for yourself:

With your current knowledge of Nutanix, on a scale of 1-10 (10 being the best), how do you rank Nutanix’s ability to accommodate Splunk workloads at scale?

To VMware or not to VMware

Many organizations today choose to virtualize Splunk for portability and recovery purposes. Different components of the Splunk architecture can have hefty compute requirements, leading to higher than anticipated hypervisor costs. What you need to know:

  • Running Splunk virtual machines on top of vSphere with Nutanix as the infrastructure and storage provider is certified and supported by all vendors.
  • Nutanix has its own hypervisor (AHV), included with Nutanix AOS licensing purchases, on which Splunk is certified and supported.

What this means for customers: Virtualizing Splunk is fully supported on both vSphere and AHV. Running the environment with Nutanix AHV offers additional cost savings.

Storage-only scaling

It’s no secret that Splunk is a storage-hungry application. The question is, how does Nutanix scale from a storage perspective?

  • Nutanix offers storage-only nodes for both vSphere and AHV hypervisors.
  • Storage-only nodes can be incorporated in vSphere environments without additional vSphere hypervisor licensing.
  • Nutanix currently offers 120TB storage-only nodes in a 2U footprint for block storage (hypervisor-based).
  • For Objects and Files, Nutanix offers a 320TB storage-only node in a 2U footprint (more on this in the next section).
  • Start with the storage footprint needed for the immediate or near future and incrementally scale as data ingest and retention requirements increase.

What this means for customers: Nutanix addresses the storage capacity requirements with its ability to scale storage independently of compute resources, allowing for better TCO. If a customer chooses to deploy Splunk with vSphere as the hypervisor, there are no additional vSphere hypervisor costs for scaling storage. Furthermore, the flexible and linear storage scaling of the platform allows for better resource utilization over time.

With the information from the last two sections, how has your score been affected thus far?

Hot, warm, cold and frozen buckets?

Splunk can move data between storage tiers based on its age or how often it is accessed. Understanding these requirements is important when architecting a proper Splunk environment regardless of the underlying infrastructure, but did you know that Nutanix supports Splunk SmartStore?

At a high level, Splunk SmartStore provides a way to use remote object stores such as Amazon S3 or… wait for it… Nutanix Objects! Nutanix Objects is essentially an on-premises high-speed S3 target that supports 320TB of raw storage in a 2U footprint. This allows for efficient scaling of Splunk's cold and frozen buckets, delivering high density and high performance beyond the traditional alternative approaches.

Nutanix Objects can also be used as the target for cold and frozen tiers irrespective of what's being used for the front-end architecture (hot/warm buckets and physical deployments). If SmartStore is being evaluated for an existing Splunk deployment, Nutanix Objects can be a great fit to address the storage requirements.

One of the biggest concerns with running Splunk on Nutanix in the past has been the requirement to have two copies of the data managed by Splunk and two copies of the data managed by Nutanix (resulting in four copies of the data). This is excessive for any organization, but SmartStore support helps address this issue for what is typically the most storage-hungry portion: the cold and frozen data. Post-process compression on top of what Splunk offers and the use of erasure coding further alleviate this perceived issue.

What this means for customers: Dense storage nodes are available to help reduce data center footprint while keeping a single technology/interface to manage the cold and frozen buckets and keeping performance intact. Nutanix can also be inserted in existing Splunk deployments as a SmartStore target for cheap yet performant storage.

The intangibles

How does a customer manage the entirety of the solution? It’s hard to put a cost value around this, and some customers don’t, which is OK. However, consider these bullet points when evaluating a Splunk infrastructure:

  • How are the servers centrally managed, how are firmware and software updates applied, how is lifecycle management performed, etc.?
  • What steps must be taken to expand the environment or adjust to new performance needs?
  • How is the storage managed and distributed?
  • What is the support model for resolving issues? Which component is causing the issue, and who is responsible?

This isn’t anything new with Nutanix, but it’s important to note that Prism and/or Prism Central will be the only interfaces customers need to work in when doing all the tasks above. This can have a big impact on getting the environment expanded, patched and secured, and can lower the time to resolution in the event of a failure.

What this means for customers: Single vendor for both compute and storage, including if Nutanix Objects is used. This also provides a true single-vendor support model.

Final score

There are certainly other aspects to consider when designing a large Splunk deployment, such as performance, which can't be overlooked. We haven't covered performance in detail here, making only brief mentions throughout, because every customer is different with different requirements, and that makes the answer: “it depends.” We've done a lot of performance testing over the years on the Nutanix platform, and we're confident this will not be a bottleneck. If you'd like to test for yourself, we've got the gear in our ATC.

Knowing what you know now, where do you rank Nutanix as a viable Splunk infrastructure solution?

Hyper-converged infrastructure has matured a lot in recent years. We’ve historically leaned towards the orange/yellow portion of the scale when it comes to running Splunk on top of Nutanix. Still, the technology and its portfolio have matured a lot over time, and we’re confident that Nutanix is a good fit for Splunk workloads. Let us know in the comments below where your score was initially and if it changed (for better or worse) as this information was presented.

If you’d like to get hands-on experience, check out our Nutanix on-demand lab and reach out to your WWT account team to schedule a more in-depth proof of concept.
