Deploying Splunk Enterprise On Microsoft Azure Cloud

Copyright
© 2016 Splunk Inc.
Deploying Splunk Enterprise On

Microso= Azure
Pramit Gupta
Senior So=ware Engineer, Microso= CorporaCon
Roy Arsan
SoluCons Architect, Splunk

Disclaimer
During the course of this presentaCon, we may make forward looking statements regarding future
events or the expected performance of the company. We cauCon you that such statements reflect our
current expectaCons and esCmates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-‐looking statements, please review our filings with the SEC. The forward-‐
looking statements made in the this presentaCon are being made as of the Cme and date of its live
presentaCon. If reviewed a=er its live presentaCon, this presentaCon may not contain current or
accurate informaCon. We do not assume any obligaCon to update any forward looking statements we
may make. In addiCon, any informaCon about our roadmap outlines our general product direcCon and is
subject to change at any Cme without noCce. It is for informaConal purposes only and shall not, be
incorporated into any contract or other commitment. Splunk undertakes no obligaCon either to develop
the features or funcConality described or to include any such feature or funcConality in a future release.
2
ObjecCve:
Deploy, manage & integrate your Splunk

Enterprise deployment in Azure
3
Bios
Roy Arsan Pramit Gupta
•  4 Years @ Splunk •  14 Years @ Microso=

•  Roles in: •  Roles in:
–  Product Engineering –  SharePoint Enterprise Content
–  Cloud Architecture Management
–  Partner IntegraCons –  Office.com Portal
•  Currently focused on cloud partner –  Office Client Monitoring and
Telemetry
ecosystem
•  Currently focused on cloud services
and data analysis
4
Agenda
  Azure IaaS
Splunk Azure Deployment @ Microso= Office
  Provisioning & AutomaCon
  Azure Best PracCces
Splunk & Azure IntegraCons
5
Agenda
  Azure IaaS
6
Azure Infrastructure
Why Azure?
  Top IaaS market leaders

  120k+ new Azure customer
sub/month
  5M organizaCons using
Azure AD
  Commercial cloud exceeds $10B
annual run rate, $20B+ by 2018
Gartner IaaS Magic Quadrant, 2016
8
Azure Virtual Machines (VM)
  Available in 24 Regions
  Billing:
–  Pay-‐As-‐You-‐Go or Prepaid (5% discount)
–  Per-‐minute basis
9
Azure VM SelecCon
  VM Image:
–  Linux & Windows
–  Extra $ for Windows
(addiConal cost of 40% to 90%)
  VM Disks:   VM Size RecommendaCon:

–  Local temporary disk –  8+ CPU cores
–  Network-‐amached persistent –  14GB+ RAM
disks (VHD) –  MulCple data disks (6+)
ê  1 OS disk –  Compute-‐opCmized:
ê  1+ data disks (up to 64) ê  Dv2-‐series (& DSv2-‐series)
ê  F-‐series (& Fs-‐series) – Best !/$
10
Azure VM SelecCon
Indexers
VM Size Daily Indexing Performance
Volume (GB)
Standard_F8(s) Up to 100 Good
Standard_F16(s) 100-‐150 Bemer
Standard_D(S)15_v2 150-‐250 Best
Search Heads Deployment Server,
License or Cluster Master
VM Size Concurrent Performance
Users VM Size Performance
Standard_F16(s) Up to 8 Good Standard_F4(s) Good
Standard_D(S)15_v2 Up to 16 Bemer Standard_F8(s) Bemer
11
Disk Storage SelecCon
  VHD stored as Page Blob in Azure Storage

  High durability & availability
  Scalable
  Two types of VHDs:
–  Standard Storage (HDD)
ê  Up to 1TB
–  Premium Storage (SSD)
ê  3 sizes: 128GB, 512GB, 1TB
12
Disk Storage SelecCon
  Premium storage recommended
–  Consistent high throughput and low latency
  Standard storage also feasible….if configured correctly
–  Minimum 6+ disks striped in RAID0
–  Enable “ReadOnly” host caching
–  More economical
Disk Type IOPS Throughput

Standard 500 (8KB) Up to 60MB/s
Premium 5,000 (256KB) Up to 200MB/s
13
Technical Brief -‐ Splunk On Azure
hmps://www.splunk.com/pdfs/technical-‐briefs/deploying-‐splunk-‐enterprise-‐on-‐microso=-‐azure.pdf
14
Agenda
  Azure IaaS
Splunk Azure Deployment @ MicrosoK Office
15
Splunk Azure Deployment
@ Microso= Office
Office Client Telemetry -‐ Challenges
  Delight customers, improve saCsfacCon
–  Respond quickly to feedback and fix bugs effecCvely
–  Move from mulC year cycle to rapid releases

  Office client applicaCons collect 100s of TB diagnosCcs data per day
–  Enabling engineers to browse through this much data isn’t easy
–  Regression risk, huge legacy complex code base, shared components

17
Office Client Telemetry -‐ Splunk
Splunk provides near real Cme search and diagnosCcs capability to
Office engineers

Examples
  Observe crash rates of an applicaCon
  AdopCon of a new feature, a new bumon in the Office ribbon
  Dashboard to quickly monitor and alert on key metrics

18
Office Client Telemetry -‐ Goals
  Data access
–  24hrs+ down to 30min

  MTTD
–  Several days down to 6hrs

19
Office Client Splunk -‐ Architecture

20
Billion
devices
Office Apps
21
Telemetry
TRE

Rules
Engine
TRE

TRE

TRE

Office Apps
22
Nexus Western US

Payload
TRE Processor

Azure Blob
TRE Storage

TRE

TRE

Office Apps Nexus
23
Nexus Western US

Payload
TRE Processor

Azure Blob
TRE Storage

Nexus South East Asia

10 Azure
TRE

Nexus Eastern Europe regions
worldwide
……
TRE ……

Office Apps Nexus Global Stamp
24
Nexus Western US

Payload
TRE Processor

Zipped Batch
Azure Blob
TRE Storage

TRE Nexus Eastern Europe

……
TRE ……

25
Nexus Western US

Payload Token
Azure
TRE Processor Event Hub

Zipped Batch
Azure Blob
TRE Storage


……
TRE ……

26
Nexus Western US

Payload Token
Azure

Zipped Batch
Azure Blob
TRE Storage


……
TRE ……

27
Nexus Western US

Payload Token
Azure

Zipped Batch
Azure Blob Data Retriever

TRE Storage


……
TRE ……

28
Nexus Western US

Payload Token
Azure

Zipped Batch

TRE Storage


……
TRE ……

29
Nexus Western US

Payload Token
Azure

Zipped Batch

TRE Storage


……
TRE ……

30
Nexus Western US

Payload Token
Azure

Zipped Batch Universal Forwarder

TRE Storage
Data Retriever
Data Retriever

……
TRE ……

Office Apps Nexus Global Stamp Splunk

Nexus Western US

Payload Token
Azure

Splunk
TRE
Azure Blob
Storage
Data Retriever Scripted
Data Retriever

Data Retriever Input

……
TRE ……


Nexus Western US

Payload Token
Azure


TRE Storage
Data Retriever
Data Retriever

……
•  6.2.3 Universal Forwarders
TRE …… •  100 instances of D12’s

•  4 cores, 28 GB RAM, local SSD

Nexus Western US

Payload Token
TRE
Azure Indexer Cluster
Processor Event Hub

Zipped Batch Universal Forwarder Indexer
Indexer
Indexer
TRE Storage
Data Retriever
Data Retriever

……
TRE ……


Nexus Western US

Payload Token
TRE
Processor Event Hub

Indexer
Indexer
TRE Storage
Data Retriever
Data Retriever

……
TRE …… •  50 instances of G4’s

•  16 cores, 224 GB RAM, 3TB SSD

Nexus Western US

Payload Token
TRE
Processor Event Hub

Indexer
Indexer
TRE Storage
Data Retriever
Data Retriever

……
•  Uneven data distribuCon
TRE …… across indexers


Nexus Western US

Payload Token

Zipped Batch Indexer
Indexer
Indexer
TRE Storage


……
•  Removed forwarder Cer
TRE …… •  Ran connector exe directly on

indexers

Nexus Western US •  Ensured uniform data
distribuCon
Token
TRE
Payload Azure Indexer Cluster •  600 parCCons
Processor Event Hub

Indexer
Indexer
TRE Storage


……
TRE ……


Nexus Western US

Payload Token

Indexer
Indexer
TRE Storage


……
•  Single cluster master with RF = 1, SF = 1
TRE …… •  300 instances of DS14’s
•  16 cores, 112 GB RAM
•  Cluster bundle push problem
Nexus Western US

Payload Token

Indexer
Indexer
TRE Storage

S
Nexus South East Asia S
S

……
•  Sub-‐opCmal search performance with Azure standard storage
TRE ……


Nexus Western US

Payload Token

Indexer
Indexer
TRE Storage

PS
Nexus South East Asia PS
PS

……
•  4TB Premium Storage, (Raid0, 4 discs * 1TB each)
TRE …… •  Indexing 2000+ MB/s

•  25,000 IOPS

Nexus Western US

Payload Token
Azure Indexer Cluster Search Head Cluster

Zipped Batch Indexer Search Head
Indexer Search Head
Indexer Search Head
TRE Storage

PS PS
Nexus South East Asia PS PS
PS PS

……
…… •  30 instances of D14v2’s
TRE
•  16 cores, 112 GB RAM

Nexus Western US

Payload Token

Indexer Search Head
Indexer Search Head
TRE Storage

PS PS
PS PS

……
•  Search Deployer used for cluster
TRE …… configuraCon


Nexus Western US

Payload Token

Indexer Search Head
Indexer Search Head
TRE Storage

PS PS
PS PS

……
•  Connected to corpnet for Office engineers
TRE …… in Seamle
•  IncorporaCng Azure AcCve Directory
(AAD) in Splunk 6.4
Office Client Splunk -‐ Metrics
Nexus Western US

Payload Token

Indexer Search Head
Indexer Search Head
TRE Storage

PS PS
PS PS

……
TRE ……


Data access
Nexus Western US

Payload Token

Indexer Search Head
Indexer Search Head
TRE Storage

PS PS
PS PS

……
TRE ……


Data access: 24hrs+ down to 30min, most of the Cme < 5min
Nexus Western US

Payload Token

Indexer Search Head
Indexer Search Head
TRE Storage

PS PS
PS PS

……
TRE ……


MTTD
Nexus Western US

Payload Token

Indexer Search Head
Indexer Search Head
TRE Storage

PS PS
PS PS

……
TRE ……


MTTD: Several days down to 6hrs, most of the Cme < 30min
Agenda
  Azure IaaS
  Provisioning & AutomaNon
49
Provisioning & AutomaCon
Cloud Provisioning Tools
Powershell, Chef, Puppet for machine provisioning
  ARM templates for deployment provisioning

–  Available via Portal, CLI or Powershell
51

Windows Azure Powershell

PS used extensively to manage Azure instances
Import “Azure PowerShell” module

•  Deployment: Remotely provision various Splunk roles
•  ConfiguraCon: Modify Splunk system local configuraCon files
•  Manage: Install criCcal Windows Updates as well as planned maintenance
•  Storage: Amach Premium Storage disks, format & create single volume
52
Windows Azure Powershell -‐ Example
Storage
Amach premium storage disks, format & create single volume

Ø  $PhysicalDisks = Get-‐StorageSubSystem -‐FriendlyName "Storage Spaces*" |
Get-‐PhysicalDisk -‐CanPool $True | Where-‐Object {$_.FriendlyName -‐ne
"PhysicalDisk0"}
Ø  New-‐StoragePool -‐FriendlyName "SplunkPool" -‐StorageSubsystemFriendlyName

"Storage Spaces*" -‐PhysicalDisks $PhysicalDisks |New-‐VirtualDisk -‐
FriendlyName "SplunkDisk" -‐Interleave $StripeSize -‐NumberOfColumns
$DiskCount -‐ResiliencySettingName simple -‐UseMaximumSize |Initialize-‐Disk
-‐PartitionStyle GPT -‐PassThru |New-‐Partition -‐DriveLetter H -‐
UseMaximumSize
Ø  Format-‐Volume -‐DriveLetter H -‐FileSystem NTFS -‐NewFileSystemLabel

"SplunkData" -‐AllocationUnitSize 65536 -‐Confirm:$false
53
Azure ARM Templates
  Automated deployment provisioning via ARM templates

  Deploy via Azure portal, Azure PowerShell or Azure CLI:
$ azure group create –n SplunkRG -l "East US"
$ azure group deployment create -n SplunkCluster -g SplunkRG \

-f azuredeploy.json -e azuredeploy.parameters.json
54
Splunk Enterprise in Azure Marketplace
Demo Time
55
Agenda
  Azure IaaS
  Azure Best PracNces
56
Azure Best PracCces
Best PracCces -‐ Scalability
  MulCple Storage Accounts

–  Standard storage: 20,000 IOPS limit per account
ê  No more than 40 disks per standard storage account
–  Premium storage: 50 Gbps limit per account
  Tiered Storage
–  Use both standard & premium for hot/cold data Cering
ê  OpCmal performance & cost tradeoff
58
Best PracCces -‐ Availability
  Azure Availability Sets
–  VMs on different update & fault domains
  Backup
–  VHD Snapshots
–  Azure Blob storage
  Archive
–  Archive indexes with Hunk into HDFS-‐compaCble Azure Blob Storage
59
Technical Brief -‐ Splunk on Azure
hmps://www.splunk.com/pdfs/technical-‐briefs/deploying-‐splunk-‐enterprise-‐on-‐microso=-‐azure.pdf
60
Agenda
  Azure IaaS
Splunk & Azure IntegraNons
61
Splunk Enterprise SSO support for Azure AD as of 6.4
Splunk Add-‐on for Microso= Cloud Services
Splunk Add-‐on for Azure
63
What Now?
Related breakout sessions and acCviCes…
Splunking Azure: Gain Insights into your MicrosoK Azure Data using Splunk
by Jason Conger & Cory Fowler (Wed Sep 28, 4:35-‐5:20pm)
Splunks of War: CreaNng a beRer game development process through data
analyNcs by Phil Cousins (Tue Sep 27, 3:15-‐4:00pm)
64
THANK YOU
Example Deployment
16 concurrent users

1 TB/day
4 months retenCon
66
Example Clustered Deployment
8 concurrent users

500 GB/day
60 days retenCon
67

Deploying Splunk Enterprise On Microsoft Azure Cloud

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Deploying Splunk Enterprise On Microsoft Azure Cloud

Uploaded by

Copyright:

Available Formats

Copyright

© 2016 Splunk Inc.

Deploying Splunk Enterprise On

Deploy, manage & integrate your Splunk

• 4 Years @ Splunk • 14 Years @ Microso=

Top IaaS market leaders

Available in 24 Regions

VM Disks: VM Size RecommendaCon:

VHD stored as Page Blob in Azure Storage

Disk Type IOPS Throughput

Oﬃce Apps Nexus

Nexus South East Asia

Oﬃce Apps Nexus Global Stamp

Nexus South East Asia

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp

Nexus South East Asia

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp

Nexus South East Asia

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp

Azure Blob Data Retriever

Nexus South East Asia

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp

Azure Blob Data Retriever

Nexus South East Asia

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp

Azure Blob Data Retriever

Nexus South East Asia

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp

Azure Blob Data Retriever

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp Splunk

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp Splunk

Azure Blob Data Retriever

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp Splunk

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp Splunk

TRE Nexus Eastern Europe

TRE …… • 50 instances of G4’s

Oﬃce Apps Nexus Global Stamp Splunk

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp Splunk

Nexus South East Asia

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp Splunk

Nexus South East Asia

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp Splunk

Nexus South East Asia

TRE Nexus Eastern Europe

Oﬃce Apps Nexus Global Stamp Splunk

Oﬃce Apps Nexus Global Stamp Splunk

Oﬃce Apps Nexus Global Stamp Splunk

Oﬃce Apps Nexus Global Stamp Splunk

Oﬃce Apps Nexus Global Stamp Splunk

Oﬃce Apps Nexus Global Stamp Splunk

•  4 Years @ Splunk •  14 Years @ Microso=

  Top IaaS market leaders

  Available in 24 Regions

  VM Disks:   VM Size RecommendaCon:

  VHD stored as Page Blob in Azure Storage

TRE …… •  50 instances of G4’s

  ARM templates for deployment provisioning

Ø  New-‐StoragePool -‐FriendlyName "SplunkPool" -‐StorageSubsystemFriendlyName

Ø  Format-‐Volume -‐DriveLetter H -‐FileSystem NTFS -‐NewFileSystemLabel

  Automated deployment provisioning via ARM templates

  MulCple Storage Accounts