Splunk on Nutanix ClearShark Design Guide

UNLEASH THE POWER OF DATA WITH SPLUNK ON NUTANIX

Simplified infrastructure management, proven performance, and fast time to value for Splunk deployments at scale. Advanced infrastructure and application automation ensure that Nutanix HCI keeps pace with growing Splunk requirements.

Splunk Enterprise is the leading software platform for analyzing machine data gathered from IT infrastructure and equipment of all types. It is used widely in IT for a variety of purposes, including streamlining operations, compliance, security, and auditing. Because it operates on any kind of machine data, Splunk also has applications in industries such as financial services, healthcare, oil and gas, and manufacturing, including support for the Internet of Things (IoT).

Splunk lets you search, analyze, and visualize data gathered from across your IT infrastructure and your entire business, ingesting data from websites, applications, sensors, devices, and more. Once you define a data source, Splunk indexes the data stream and parses it into individual events that you can view and search.

Use Cases

Splunk is used for a wide range of use cases. This design guide focuses on three use cases that are widely deployed: Security, Business Analytics, and IT Infrastructure and Operations Management.

Security. Enterprises increasingly rely on security information and event management (SIEM) to identify and protect against internal and external attacks. Splunk is widely used for security monitoring, advanced threat detection, incident response, and a wide range of other security needs.

Business analytics. Splunk analytics can allow you to discover, visualize, and explore business processes and customer experience data to gain greater visibility into end-to-end business processes. Splunk allows enterprises to analyze data streams to identify patterns, outliers, and trends and investigate the root cause of business problems to drive continuous improvement. Visual exploration can deliver greater transparency into critical business metrics.

IT Infrastructure and Ops Management. Splunk unifies and correlates metrics and logs for a seamless infrastructure monitoring and troubleshooting experience, addressing the monitoring and observability needs of busy teams. Intelligent investigations make spotting trends and finding the root cause of server, OS, VM, cloud, and container problems easier.

Splunk Infrastructure Challenges

As the amount of data increases seemingly without bound, the job of the Splunk architect has become more challenging. Reducing complexity, improving data security, and eliminating bottlenecks are top priorities that traditional infrastructure approaches are ill-suited to address.

When it comes to analytics, the ability to extract value from data is paramount. Some data loses value quickly, making both ingest speed and processing performance critical. As the rate of data ingest grows, simply deploying and scaling resources to keep up can become painful and disjointed, limiting value gained.

Splunk consists of three main components:
• Forwarders. Collect data and send it to Splunk for indexing.
• Indexers. Ingest, index, and store the data received.
• Search heads. Distribute search requests to indexers.

Because each of these functions has different CPU, memory, and storage requirements, architecting an ideal infrastructure environment can be very difficult.
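The three components above are wired together through Splunk's own configuration files. The fragment below is an added illustration (not from this guide or from Nutanix) of the forwarder-to-indexer leg of that topology: a forwarder's outputs.conf that load-balances across three indexers over TLS with indexer acknowledgment, and the matching inputs.conf stanza on each indexer that only accepts TLS connections from forwarders presenting a client certificate. Hostnames, certificate paths and the password are placeholders.

```ini
# --- outputs.conf on every forwarder (added example; hostnames are placeholders) ---
[tcpout]
defaultGroup = nutanix_indexers

[tcpout:nutanix_indexers]
# Three indexers on the Nutanix cluster; the forwarder round-robins between them
server = idx01.example.internal:9997, idx02.example.internal:9997, idx03.example.internal:9997
# Rotate to the next indexer every 30 seconds so load spreads across the cluster
autoLBFrequency = 30
# Wait for the indexer to acknowledge each batch before discarding it locally
useACK = true
# TLS: verify the indexer's certificate against our CA and present our own client certificate
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslPassword = PLACEHOLDER_KEY_PASSWORD
sslVerifyServerCert = true

# --- inputs.conf on every indexer (added example; certificate path is a placeholder) ---
# Listen for forwarders on 9997 with TLS only; plain [splunktcp://9997] is deliberately absent
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
sslPassword = PLACEHOLDER_KEY_PASSWORD
# Reject forwarders that do not present a certificate signed by our CA
requireClientCert = true
```

With `requireClientCert = true` the indexer rejects unauthenticated senders, which matters on a shared cluster where other workloads can reach the indexer network. Because the forwarder keeps data until an ACK arrives, a brief indexer outage during a Nutanix node addition or upgrade does not lose events.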

Traditional approaches to Splunk and other big data infrastructure have become an impediment to continued success.

Security Standards and Certifications

Nutanix employs multiple security standards and validation programs. It complies with the strictest international standards, including the SP800-53 guidelines, to assure governments worldwide that Nutanix products perform as expected and work with their existing technology.

Why Choose Nutanix for Splunk?

Nutanix takes the complexity out of managing infrastructure for Splunk. It allows Splunk to take full advantage of server resources without the limitations of bare metal or virtualized solutions on traditional infrastructure, making it possible to quickly fine tune the number and configurations of Splunk indexers and search heads. By ensuring data is accessed locally by all Splunk indexers, Nutanix eliminates the “I/O Blender” effect that plagues storage systems in traditional three-tier infrastructure.

Nutanix HCI simplifies infrastructure management across the entire lifecycle, automates operations, and enables self-service to streamline Splunk operations.

Splunk deployments grow rapidly as new data sources are added. With Nutanix, you can start small and scale out without worrying about the bottlenecks that can occur with traditional architectures:
• Ingest terabytes of data per day. A compact 4-node, 2U cluster provides sequential throughput of gigabytes per second.
• Process millions of events. A 4-node cluster can process hundreds of thousands of events per second.
• Scale incrementally. Start small and scale linearly as nodes are added.
• Reduce TCO. Cut total cost of ownership by as much as 50%.
• Shrink footprint. A good infrastructure design can reduce your Splunk footprint as much as 4x.

One-Click Operations
Intelligent, one-click operations take the pain and effort out of daily activities, including software installs, upgrades, and workload placement. Advanced analytics provide insight into your Splunk environment, giving you instant visibility into utilization, growth rates, and other critical planning information.

Nutanix HCI provides linear scaling, so Splunk deployments can grow without worry. Each additional node delivers predictable performance to support Splunk search heads and indexers. Because of its distributed architecture, a Nutanix enterprise cloud prevents one workload from starving another, allowing Splunk operations to share infrastructure with other workloads if desired. Built-in capacity planning alerts your team proactively when additional capacity is needed to accommodate growth.

Find Out More:
• Definitive Guide to Big Data
• Nutanix Solution for Splunk
• Virtualizing Splunk on Nutanix

SPLUNK USE CASE 1: Security Information and Event Management (SIEM)

Splunk provides an analytics-driven, modern SIEM solution for gathering security context in one view to facilitate rapid investigations and response.

SIEM is resource-intensive and requires an experienced team to implement, maintain, and fine tune. It also requires high-quality data—the bigger the data source, the better the results. SecOps teams frequently want independent, isolated infrastructure that’s easy to manage and to scale since:
• Complex infrastructure management hinders the provisioning and tuning of SIEM input.
• Legacy hardware is difficult and expensive to compartmentalize for standalone deployments.

Because of its built-in security and simple management, Splunk on Nutanix is the ideal platform to support SIEM, streamlining scaling and other infrastructure operations without sacrificing performance.

The Nutanix architecture takes a security-first approach; built-in features deliver defense in depth so that your valuable data is always protected. Nutanix incorporates security into every aspect of the software development process, from design and development to testing and hardening. To ensure compliance, the Nutanix platform is certified under a broad set of evaluation programs. The result is a greatly reduced attack surface and safer data:
• Built-in two-factor authentication, cluster lockdown, and software or hardware-based encryption
• Secure installation and simplified security maintenance
• Nutanix Flow for microsegmentation and enhanced network visibility
• Deep integration with a broad ecosystem of security partners

Customers often dedicate a Nutanix cluster to SIEM for maximum isolation of critical security processes, but you can also deploy Splunk on shared infrastructure without sacrificing security.

Splunk on Nutanix gives security experts more time to spend extracting insight from data.

Deploying Splunk for SIEM at Nutanix

The Nutanix cybersecurity team has been running Splunk on the Nutanix platform since 2017. The Splunk environment has had to scale rapidly to accommodate growth. Ingest increased more than 10x from 2017 to 2018—to more than 1TB per day—yet the node count only increased 3x.

Prism management enables the team to address events quickly without involving the infrastructure team. Memory, CPU, and storage capacity can be added with just a few clicks, allowing issues to be resolved in moments.

The Nutanix presentation from Splunk .conf19 has more details.

Find Out More:
• Big Data and SIEM for Federal Agencies (Webinar)
• Essential Security Planning for Private Cloud
• Nutanix AHV: Security at the Virtualization Layer
• Protect Your Apps and Data

SPLUNK USE CASE 2: Business Analytics

Splunk can discover, analyze, visualize, and monitor event data from any source. Splunk business analytics lets you combine machine data and traditional structured data to gain greater business insight. Every business process and every line of business across an enterprise can see potential benefits.

For example, a small deployment might be used to tackle an issue on a production line or for a proof of concept deployment on a factory floor. A remote deployment faces unique challenges, such as scaling equipment to handle significant amounts of data in limited space under less-than-ideal conditions, that are impossible for a traditional three-tier solution to address. With advanced HCI and capacity optimizations such as compression, deduplication, and erasure coding, Nutanix can slash your footprint by up to 4x.

A modest-sized Nutanix cluster can ingest terabytes of data per day, process millions of events, and scale performance incrementally as needs grow.

“Traditional IT infrastructure is not well-suited to address the needs of growing Splunk installations. Nutanix Enterprise Cloud brings the operational efficiencies of virtualization to Splunk, while ensuring top performance for our I/O-intensive workloads. Nutanix has delivered an extremely scalable, high-performance search and indexing platform for our transaction-heavy Splunk workloads.”
— Cyrille Valery, IT Director, Verint Systems Inc.

Nutanix offers substantial benefits for Splunk business analytics deployments both inside and outside the datacenter:
• Easy to Deploy. Simple to install and configure, can deploy in minutes to hours on Nutanix versus days or weeks.
• Easy to Operate. Infrastructure can be operated by non-experts when necessary.
• Manageable Offsite. Most infrastructure management can be performed from a central, offsite location.
• Ruggedized Equipment. Nutanix HCI is available in ruggedized configurations to handle tough environmental conditions including temperature, vibration, etc.

Find Out More:
• Verint Case Study
• Benefits of Splunk Enterprise

Nutanix HCI scales down as easily as it scales up. Simple building blocks create a powerful and flexible scale-out architecture. You can start small and scale as necessary without upfront guesswork or expensive overprovisioning. Splunk can share infrastructure with other applications, or you can dedicate a cluster to your analytics application for maximum isolation.

SPLUNK USE CASE 3: IT Infrastructure and Ops Management

Nutanix reduces system complexity and enables your Splunk environment to operate at peak efficiency.

IT operations teams need a clear view of infrastructure performance, availability, and other metrics. Splunk can provide a comprehensive view of your entire IT infrastructure. It unifies and correlates metrics and logs for a seamless monitoring and troubleshooting experience that addresses the needs of your organization.

IT departments are using Splunk to help improve efficiency, reduce risk, and meet mission objectives. Many have discovered the utility of Splunk’s unique approach to big data analytics to provide real-time insights for IT success.

However, many organizations are constrained by tight budgets and legacy infrastructure challenges. Infrastructure teams spend too much time managing the complex infrastructure necessary to support Splunk—a tool that is intended to make monitoring easier and more reliable. Legacy infrastructure is too inflexible to effectively scale to meet the needs of modern low-latency Splunk applications with high data volumes.

With the Nutanix scale-out architecture, you can start with a small Splunk deployment to tackle critical problem areas. Over time as budgeting allows—or as data growth demands —you can scale out by adding nodes. Nutanix HCI scales linearly on your terms.

Simplified management lets you see all metrics related to Splunk operations in one place and makes it simple to do capacity planning. Nutanix Prism even recommends the best infrastructure choices to grow your cluster.

Nutanix supports a broad range of infrastructure options, including Nutanix NX appliances and solutions from leading server vendors. With Nutanix, you can always pick the best option to fine tune compute, capacity, and I/O performance for your Splunk cluster. GPU-accelerated nodes are available to support machine learning and AIOps.

Find Out More:
• Splunk on Nutanix
• Splunk Solution Brief
• Definitive Guide to Big Data

Meeting Splunk Data Retention Compliance with Nutanix Objects

Nutanix works with Splunk SmartStore to automate management of hot and cold data, eliminating the need for constant oversight.

Managing storage capacity and performance is a significant pain point for Splunk, which can require low-latency data for real-time data processing plus massive storage capacity for archiving cold data.

Because Nutanix consolidates all data services on the same platform with compute, it simplifies provisioning and management while increasing utilization. Data locality and intelligent tiering ensure optimum performance without constant tuning, while eliminating the need to architect and manage separate tiers of storage for Splunk data.

Splunk SmartStore automatically moves cold Splunk data to an on-premises or cloud object store. Nutanix Objects is ready to run Splunk SmartStore. Objects runs on an existing or dedicated Nutanix HCI cluster, providing flexible, on-premises object stores that can be optimized to deliver a range of performance characteristics depending on your needs without adding management complexity.

Nutanix Objects can accommodate all the unstructured data to support SmartStore, and it offers WORM functionality for immutability and chain of custody control.
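To make the SmartStore arrangement described above concrete, here is an added indexes.conf example (not from this guide, and not a Nutanix or Splunk reference configuration). It defines one remote volume that points at an S3-compatible Nutanix Objects bucket, applies it to every index by default, and sets a time-based retention period on a SIEM index so that data retention is enforced by Splunk while the bucket's WORM setting keeps the uploaded buckets immutable. The endpoint URL, bucket name, access key pair and the `siem` index name are placeholders.

```ini
# indexes.conf (added example; endpoint, bucket and credentials are placeholders)

[volume:nutanix_objects]
storageType = remote
path = s3://splunk-smartstore-PLACEHOLDER-BUCKET
# Nutanix Objects exposes an S3-compatible API on the cluster's object store endpoint
remote.s3.endpoint = https://objects.example.internal
# Path-style URLs (v1) avoid needing a DNS entry per bucket for on-premises stores
remote.s3.url_version = v1
# WORM is applied on a non-versioned bucket, so do not depend on object versioning
remote.s3.supports_versioning = false
# Ask the object store to encrypt uploaded buckets at rest
remote.s3.encryption = sse-s3
# Use a dedicated Objects user whose keys are scoped to this bucket only
remote.s3.access_key = PLACEHOLDER_ACCESS_KEY
remote.s3.secret_key = PLACEHOLDER_SECRET_KEY

[default]
# Every index stores warm/cold buckets on the remote volume, under a per-index prefix
remotePath = volume:nutanix_objects/$_index_name
# Upper bound on the total size of warm buckets an index may hold on remote storage (MB)
maxGlobalDataSizeMB = 1000000
# Prefer to keep the last 24 hours of data resident in the local cache for fast searches
hotlist_recency_secs = 86400

[siem]
# Local paths are still required; with SmartStore the cold path is effectively unused
homePath   = $SPLUNK_DB/siem/db
coldPath   = $SPLUNK_DB/siem/colddb
thawedPath = $SPLUNK_DB/siem/thaweddb
# Retain SIEM data for 7 years (7 * 365 * 86400 seconds) before buckets are frozen
frozenTimePeriodInSecs = 220752000
```

Two operational notes follow from this layout. Splunk removes frozen buckets from the remote store when their retention expires, so the WORM retention configured on the Objects bucket should not exceed `frozenTimePeriodInSecs`, or those deletions will be refused until the object-level lock lapses. The access keys sit in a configuration file on every indexer, so that file should be readable only by the Splunk service account and the keys should belong to a user with no rights beyond this bucket.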

Benefits of Nutanix Objects
• Simplified scale-out object storage. Nutanix Objects features multi-cluster support to deliver massive-scale object stores. You can leverage a single namespace across multiple Nutanix clusters, managed from a single console.
• Deep storage nodes. Nutanix Objects 2.0 supports high-capacity nodes with up to 350TB of storage, enabling multi-petabyte object stores to reside on a single Nutanix cluster.
• Enhanced security. Nutanix Objects 2.0 also provides WORM on non-versioned buckets to address a variety of regulatory and compliance mandates.
• Substantial savings. Running Splunk on Nutanix along with Splunk SmartStore yields substantial cost savings.

Find Out More:
• Nutanix Objects
– Objects (Datasheet)
• How to Set Up Splunk SmartStore with Nutanix

With Nutanix Objects, you aren’t just better equipped to store Splunk data—you’re also better able to manage, search, and gain actionable insights from your data.

Automating Splunk Deployments with Calm

Nutanix Calm orchestrates the provisioning, scaling, and management of Splunk across environments, making your Splunk environment more agile and application-centric.

As Splunk use cases proliferate within an enterprise, the need to automate infrastructure and software deployments increases. After a successful proof of concept, you may want to deploy the exact same configuration in tens or even hundreds of locations. A one-click automated solution improves efficiency and adds the consistency of automated configuration.

Find Out More:
• Nutanix Calm
• Unleash the Power of Machine Data

With Nutanix Calm, you can deploy a standard or custom Splunk blueprint and have a usable Splunk environment in minutes, dramatically simplifying new deployments and reducing time to value. With Calm, Splunk becomes an easily consumable service.


Calm can also automate common lifecycle management operations such as the ordered start/ stop/restart of a particular set of services or scaling a deployment up or down. These operations can be accessed by analytics teams via self-service, offloading those tasks from IT.

ClearShark and Nutanix Calm

ClearShark is an engineering-focused IT Solutions Provider and partners with both Nutanix and Splunk to provide solutions to the Intelligence Community, Department of Defense, and Civilian Agencies.

ClearShark has designed Calm blueprints to not only deploy a Splunk cluster but do so using Splunk Professional Services base configurations. This ensures that you are deploying and managing the Splunk assets using configurations that Splunk Professional Services has developed and uses across all engagements. Splunk Professional Services will understand how your Splunk cluster has been deployed, even if they are not trained on Nutanix Calm.

ClearShark Insights

Chuck Perry, Solutions Architect and ClearShark SME on Nutanix: “The Calm blueprint has been designed to offer Indexer and Search head cluster scale out. With the click of a button, you can automatically add to the cluster to handle additional load and capacity. The blueprint also allows for user supplied values to customize settings before being deployed. These settings can be validated via automatic testing to ensure they comply with your organization’s standards i.e., server naming policies. The blueprints can be used to deploy everything from your development to production environments.”

For more information, please visit clearshark.com or follow on:
• LinkedIn
• Twitter
• Facebook

Some noteworthy accolades: ClearShark was announced the Nutanix Global Public Sector Partner of the Year for 2020, as well as the Splunk Public Sector Professional Services Partner of the Year for 2021. ClearShark has one of the largest Splunk Professional Services teams in the world and continues to grow.

Getting Started with Splunk on Nutanix

Nutanix HCI reduces the cost of deploying and operating Splunk, while increasing service levels. Nutanix provides a secure, scalable, end-to-end solution to run Splunk applications, and it is uniquely suited to Splunk infrastructure needs. Because Nutanix eliminates IT complexity, simplifies management, integrates data services, and improves data protection and security, it enables Splunk deployments to be more agile, more scalable—and ultimately, more effective.

To begin designing your Splunk deployment, start by answering a few simple questions:
• Refresh or new deployment?
• Which hardware solution will you choose?
– Nutanix NX Appliances
– OEM platforms
– Third-party servers
(See Hardware Platforms for the latest information)
• What virtualization software will you run?
– Nutanix AHV, VMware vSphere, Hyper-V
• What additional security measures are required?
– Encryption
– Microsegmentation
• What’s your Splunk use case or use cases?
• Will you deploy a dedicated Nutanix cluster to support Splunk or run on shared infrastructure?
• What’s your likely ingest rate over the next 6 months?
• How much data will you need to store/archive long-term?
• Will your company need to deploy Splunk across multiple locations?

Using the information discussed in this guide, you can begin thinking about and planning a Splunk deployment that addresses your use case(s) and meets your needs. Use the links provided in each section to dig deeper into specific topics.

To learn more about how Nutanix can help you transform your approach to Splunk infrastructure, visit: www.nutanix.com/solutions/big-data/splunk

You can contact Nutanix at [email protected], follow us on Twitter @nutanix, send us a request at www.nutanix.com/demo to set up your own customized briefing, or take a free test drive.