Prerequisites
- Version >=1.5.0 of the Splunk Operator requires a Kubernetes cluster of version >=1.26.0.
- The Splunk Operator requires SmartStore to be configurted for indexed data storage.
- The use of Persistent Volume Claims requires that your cluster is configured to support one or more Kubernetes persistent Storage Classes
Kubernetes Platform recommendations
The Splunk Operator should work with any CNCF certified distribution of Kubernetes. We do not have platform recommendations, but this is a table of platforms that our developers, customers, and partners have used successfully with the Splunk Operator.
| Splunk Development & Testing Platforms | Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE) |
| Customer Reported Platforms | Microsoft Azure Kubernetes Service (AKS), Red Hat OpenShift |
| Partner Tested Platforms | HPE Ezmeral |
| Other Platforms | CNCF certified distribution |
Splunk Enterprise Version Compatibility
Each Splunk Operator release has specific Splunk Enterprise compatibility requirements. Splunk Operator can support more than one version of Splunk Enterprise release. Before installing or upgrading the Splunk Operator, review the release notes to verify version compatibility with Splunk Enterprise releases.
Hardware Resources Requirements
The resource guidelines for running production Splunk Enterprise instances in pods through the Splunk Operator are the same as running Splunk Enterprise natively on a supported operating system and file system. Refer to the Splunk Enterprise Reference Hardware documentation for additional details. We would also recommend following the same guidance on Splunk Enterprise for disabling Transparent Huge Pages (THP) for the nodes in your Kubernetes cluster. Please be aware that this may impact performance of other non-Splunk workloads.
Minimum Reference Hardware
Based on Splunk Enterprise Reference Hardware documentation, a summary of the minimum reference hardware requirements is given below.
| Standalone | Search Head / Search Head Cluster | Indexer Cluster |
|---|---|---|
| Each Standalone Pod: 12 Physical CPU Cores or 24 vCPU at 2Ghz or greater per core, 12GB RAM. | Each Search Head Pod: 16 Physical CPU Cores or 32 vCPU at 2Ghz or greater per core, 12GB RAM. | Each Indexer Pod: 12 Physical CPU cores, or 24 vCPU at 2GHz or greater per core, 12GB RAM. |
Storage guidelines
The Splunk Operator uses Kubernetes Persistent Volume Claims to store all of your Splunk Enterprise configuration (“$SPLUNK_HOME/etc” path) and event (“$SPLUNK_HOME/var” path) data. If one of the underlying machines fail, Kubernetes will automatically try to recover by restarting the Splunk Enterprise pods on another machine that is able to reuse the same data volumes. This minimizes the maintenance burden on your operations team by reducing the impact of common hardware failures to the equivalent of a service restart. The use of Persistent Volume Claims requires that your cluster is configured to support one or more Kubernetes persistent Storage Classes. See the Setting Up a Persistent Storage for Splunk page for more information.
What Storage Type To Use?
The Kubernetes infrastructure must have access to storage that meets or exceeds the recommendations provided in the Splunk Enterprise storage type recommendations at Reference Hardware documentation - what storage type to use for a given role? In summary, Indexers with SmartStore need NVMe or SSD storage to provide the necessary IOPs for a successful Splunk Enterprise environment.
Splunk SmartStore Required
For production environments, we are requiring the use of Splunk SmartStore. As a Splunk Enterprise deployment’s data volume increases, demand for storage typically outpaces demand for compute resources. Splunk’s SmartStore Feature allows you to manage your indexer storage and compute resources in a cost-effective manner by scaling those resources separately. SmartStore utilizes a fast storage cache on each indexer node to keep recent data locally available for search and keep other data in a remote object store. Look into the SmartStore Resource Guide document for configuring and using SmartStore through operator.