Splunk Validated Architectures

I’m amazed at the amount of content that exists around Splunk architecture these days. When I was a consultant building Splunk deployments, the largest installation was collecting 20 TB/day and had hundreds of users. Nowadays, these deployments are more common than you think, and the upper bound of deployments are indexing Petabytes of data per day and have thousands of users!

Interestingly, some things don’t change, including the fundamentals of Splunk architecture and the awareness of content. Speaking of awareness...great content exists, so let’s talk about Splunk Validated Architectures (SVAs)!


All of this began many years ago when the experienced consultants were pining for a standardized deployment. We all knew what it should be (mostly), but always ran into a reason not to publish something. From there a project began—to create a living document that details exactly what to build for most scenarios.

Certainly there will be some deployments that require special needs, but we believe those can be addressed very easily as long as fundamentals are adhered to. Creating this document would solidify the foundations for what people publicly and privately agree upon as the proper way to architect a Splunk deployment. Huge kudos to Stefan Sievert for building and maintaining the Splunk Validated Architectures (SVAs)!

Kind of a Big Deal...

While the product documentation is fantastic at many things, we’ve always been left with commonly repeated questions about architecture and what works. Since everybody has different needs, it's really difficult to create something that works for everyone, but SVAs are standardized formats for deployment that you can leverage with confidence.

We've combined extensive internal and field research to build the "Splunk Validated Architectures" white paper. Within it, you'll find various types of architectures to meet specific deployment needs, whether they involve simple distributed deployments, or highly resilient deployments that leverage all of Splunk’s clustering features.

The document guides you through discovery questions that will identify the topology you need to meet your specific requirements. This ensures that your deployment reflects a scalable, repeatable and manageable implementation of Splunk, and does so at the best possible total cost of ownership (TCO).

SVAs are useful not just for you as a partner or customer, but they're also being applied by Splunk teams across the organization—from pre-sales teams to professional services staff. They're an integral part of the implementations we help our customers deploy to be successful.

But we won’t stop here.

Work is already underway to transform the static PDF document into an interactive architecture selection tool, as well as extend the scope to include deployment environment choices (physical, virtual, etc.) and integrate sizing calculators to not only recommend your deployment topology, but also provide you with detailed information on machinery you need to process your specific data ingest and search workloads. Stay tuned!

Read the latest version of the "Splunk Validated Architectures" white paper, or check out the slides and recording from our .conf18 session, "The Hitchhiker's Guide to Splunk Validated Architectures."

And for those of you who are part of our Partner+ program (Resellers, Professional Services, Technology Alliance Partners), I encourage you to attend our upcoming “Meet the Experts” webinar on January 31st. Stefan will tell you all about the latest updates to SVAs.

Simeon Yep

Posted by


Show All Tags
Show Less Tags