Version 7.3 of the Splunk Enterprise machine data analytics and visualization platform is now available, and with it will come enhanced, more enterprise and production-grade support for Splunk’s SmartStore capability. This is significant because SmartStore stands to greatly lower the cost structure of deploying Splunk at enterprise scale.
Today, Splunk implementations are struggling with the need to meet very large capacity and very fast search performance requirements without breaking the budget. This is because compute and storage cannot be scaled independently. As the Splunk application requires additional storage capacity, additional compute capacity must also be added, whether or not it is needed – and vice versa. With Splunk implementations becoming more popular and being scaled out as their value is established, this is a significant pain point. SmartStore improves Splunk storage economics by decoupling compute and storage, so that they may be added independently, as they are needed. A middle, “warm tier” of storage that is also capacity-oriented may be created.
Splunk Enterprise 7.3 adds a number of capabilities that remove hurdles to SmartStore adoption for enterprises. New features added include support for Splunk Enterprise Security, which provides visibility that enables IT teams to more quickly detect and respond to both internal and external attacks. It also adds report acceleration and data model acceleration summaries, which can reduce the time it takes to complete a search. The 7.3 release also adds enhanced resiliency, scalability, and the ability to support SmartStore on non-clustered standalone indexers.
Capitalizing on SmartStore requires the underlying storage infrastructure to be optimized in a specific way. An on-premises storage infrastructure tends to be more cost-effective over time when compared to paying continually escalating bills for ever-increasing cloud storage capacity. A distributed and open-source architecture can make this scalability both simplified and flexible. IT can deploy various systems to address varying application requirements, such as performance and availability, while simultaneously integrating them under a common global namespace to avoid data silos. At the same time, IT can also easily add more systems as application workload needs change.
Splunk workloads cannot sacrifice on performance, so the SmartStore storage architecture needs to retain fast performance in addition to scalability and cost-effective capacity. An architecture that enables data to be delivered in parallel from multiple storage nodes to a common compute cluster can help to accelerate performance.