Integrating Splunk SmartStore with Dell ObjectScale
A Guest post by Anuraj PD
SmartStore is an indexer capability that provides a way to use remote object stores, like Dell ObjectScale, to store indexed data. As a deployment’s data volume increases, demand for storage typically outpaces demand for compute resources. SmartStore allows you to manage your indexer storage and compute resources in a cost-effective manner by scaling those resources separately. SmartStore introduces a remote storage tier and a cache manager. These features allow data to reside either locally on indexers or on the remote storage tier. Data movement between the indexer and the remote storage tier is managed by the cache manager, which resides on the indexer.
In this demo we deploy Splunk on a RedHat OpenShift Cluster. With Splunk SmartStore, most of the data resides on remote object storage, and we use S3 buckets provisioned in Dell ObjectScale to store it. The Splunk indexer also maintains a local cache that contains a minimal amount of data: hot buckets, copies of warm buckets participating in active or recent searches, and bucket metadata. Dell PowerFlex is integrated with the RedHat OpenShift Cluster using the Dell CSM, and persistent volumes from PowerFlex are used to store the indexer's local data.
Dell ObjectScale is high-performance containerized object storage built for the toughest applications and workloads: Generative AI, analytics and more. Please read more about Dell ObjectScale here. Dell PowerFlex, a software-defined infrastructure, provides customers with a solid foundation for their IT infrastructure modernization. Please read more about Dell PowerFlex here.
Install Splunk Operator from the RedHat OpenShift Operator Hub.
RedHat OpenShift Cluster is integrated with Dell PowerFlex using the Dell Container Storage Modules.
Dell ObjectScale Console.
Create S3 Bucket in Dell ObjectScale.
Create User for accessing the S3 Bucket.
Create a Secret with the access and secret key.
    # oc create secret generic s3-secret --from-literal=s3_access_key=OKIAAE0DDAF7E3C9C720 --from-literal=s3_secret_key=ofO9mIL9f8swYSCjbqifRSKSykr1zyorsrI85R6K -n splunk
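The command above passes both keys as arguments, which leaves them in shell history and process listings. One way to avoid that, as an added example that is not part of the original post, is to render the same s3-secret (same key names and namespace) from two key files and pipe it to oc apply; the script name and key file names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Builds the s3-secret manifest from
# two key files so the keys never appear as command-line arguments.
# Usage (file names are assumptions):
#   ./s3-secret.sh access.key secret.key | oc apply -f -

# Base64-encode a file's content with CR/LF stripped; a trailing newline kept
# in the Secret would become part of the key and break S3 authentication.
b64_value() {
    tr -d '\r\n' < "$1" | base64 | tr -d '\n'
}

# Print the Secret manifest. $1 = access-key file, $2 = secret-key file.
render_s3_secret() {
    local f mode
    for f in "$1" "$2"; do
        [ -r "$f" ] || { echo "cannot read key file: $f" >&2; return 1; }
        # Refuse key files that group or others can access.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            *00) ;;
            *) echo "$f has mode $mode; expected 600 or 400" >&2; return 1 ;;
        esac
    done
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: s3-secret
  namespace: splunk
type: Opaque
data:
  s3_access_key: $(b64_value "$1")
  s3_secret_key: $(b64_value "$2")
EOF
}

# Run only when called with the two key files as arguments.
if [ "$#" -eq 2 ]; then
    render_s3_secret "$1" "$2"
fi
```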
Create the Splunk custom resources. The ObjectScale S3 configuration is provided in the ClusterManager custom resource.
    # cat splunk.yaml
    ---
    apiVersion: enterprise.splunk.com/v4
    kind: ClusterManager
    metadata:
      name: cm
      namespace: splunk
      finalizers:
      - enterprise.splunk.com/delete-pvc
    spec:
      monitoringConsoleRef:
        name: mc
      etcVolumeStorageConfig:
        ephemeralStorage: false
        storageClassName: powerflex
        storageCapacity: 16Gi
      varVolumeStorageConfig:
        ephemeralStorage: false
        storageClassName: powerflex
        storageCapacity: 32Gi
      smartstore:
        defaults:
          volumeName: s3vol
        indexes:
        - name: oslogs
        - name: networklogs
        - name: securitylogs
        volumes:
        - name: s3vol
          path: splunk/data/
          endpoint: https://s3.vdi.xtremio
          secretRef: s3-secret
    ---
    apiVersion: enterprise.splunk.com/v4
    kind: IndexerCluster
    metadata:
      name: idc
      namespace: splunk
      finalizers:
      - enterprise.splunk.com/delete-pvc
    spec:
      replicas: 3
      clusterManagerRef:
        name: cm
      monitoringConsoleRef:
        name: mc
      etcVolumeStorageConfig:
        ephemeralStorage: false
        storageClassName: powerflex
        storageCapacity: 16Gi
      varVolumeStorageConfig:
        ephemeralStorage: false
        storageClassName: powerflex
        storageCapacity: 32Gi
    ---
    apiVersion: enterprise.splunk.com/v4
    kind: SearchHeadCluster
    metadata:
      name: shc
      namespace: splunk
      finalizers:
      - enterprise.splunk.com/delete-pvc
    spec:
      replicas: 3
      clusterManagerRef:
        name: cm
      monitoringConsoleRef:
        name: mc
      startupProbe:
        initialDelaySeconds: 300
        timeoutSeconds: 30
        periodSeconds: 30
        failureThreshold: 30
      etcVolumeStorageConfig:
        ephemeralStorage: false
        storageClassName: powerflex
        storageCapacity: 16Gi
      varVolumeStorageConfig:
        ephemeralStorage: false
        storageClassName: powerflex
        storageCapacity: 32Gi
    ---
    apiVersion: enterprise.splunk.com/v3
    kind: MonitoringConsole
    metadata:
      name: mc
      namespace: splunk
      finalizers:
      - enterprise.splunk.com/delete-pvc
    spec:
      etcVolumeStorageConfig:
        ephemeralStorage: false
        storageClassName: powerflex
        storageCapacity: 16Gi
      varVolumeStorageConfig:
        ephemeralStorage: false
        storageClassName: powerflex

    # oc apply -f splunk.yaml
Verify the Splunk Pods and PVCs.
Splunk Console.
Verify the Volumes in Dell PowerFlex.
S3 Bucket from Dell ObjectScale used by the Splunk Indexer Cluster. We can see that Splunk SmartStore has created the required directory structure in the S3 Bucket.
Create a LoadBalancer Service to forward logs to Splunk.
Splunk Universal Forwarder on a Linux machine configured to forward logs to the Splunk Indexer.
Splunk Console with logs from the test machine.