Requirements for TrackMe

Target for deployments

For Splunk Enterprise customers

For Splunk on-premise customers, we recommend to deploy TrackMe on:

  • A dedicated Search Head or Search Head Cluster, especially if you intend to monitor a large number of environments or if you are a large scale Splunk customer

  • Alternatively, you can deploy TrackMe on the instance used for the purposes of the Splunk Monitoring Console

Splunk premium applications

  • We do not support colocating TrackMe with any of the Splunk premium applications (Splunk Enterprise Security, Splunk ITSI)

  • The reason is that both TrackMe and premium applications can have heavy requirements in term of workload, and TrackMe could therefore slightly impact these products

For Splunk Cloud customers

From Splunk Cloud Victoria, applications are deployed through self-services equally on all Search Heads, including Premium applications Search Head:

  • When deploying TrackMe on Splunk Cloud, the application will be deployed automatically on all Search Heads, including your Premium application Search Heads, if any

  • However, a virgin deployment of TrackMe has no workload as long as there are no Virtual Tenants created

  • TrackMe should be configured and used from the first Search Head tier of your Splunk Cloud stack, commonly called the Ad-hoc Search Head tier

Splunk premium applications

  • Similarly to on-premise deployments and while TrackMe is deployed on the premium applications Search Heads, we do not support running TrackMe on these Search Heads

  • The reason is that both TrackMe and premium applications can have heavy requirements in term of workload, and TrackMe could therefore slightly impact these products

System requirements for the use of TrackMe

Supported Operating Systems

TrackMe is supported on any flavour of:

  • Linux

  • MacOS

Currently, running TrackMe on Windows Operating Systems is not supported, although this might be the case in the future.

Containerized computing platforms

Similarly to Splunk Enterprise, running TrackMe on containerized environment is supported:

Resources requirement

The requirements for TrackMe in term of CPU slightly relies on its usage and configuration, the main factors are:

  • If the Splunk instance hosting TrackMe is itself more than a Search Head (if the instance is as well an indexer for instance in the case of all in one Splunk instance, which is not recommended)

  • The number of enabled TrackMe Virtual Tenants

  • The number of enabled Hybrid, Flex and Elastic Trackers

  • The number of entities monitored, which influence factors like the number of Machine Learning models to be created and maintained for instance

  • The repartitions between local tracking and Splunk Remote Searches tracking, which influence how much the load is shared between the local instance and the remote Splunk deployments, if any

  • The number of active users, the more users are actively using TrackMe, the less search slots are available for the back-end purposes

Minimum CPU requirements:

  • We recommend a minimal setup of 8 vCPUs for running TrackMe in a Production context

  • As a basis, a Virtual Tenant requires as an average 1 vCPU for running properly

  • Depending on the number of trackers, and their performance quality (for instance if use essentially high performing and well designed searches), a single Virtual Tenant can require more computes

  • A more recommended setup for running TrackMe at large scale in Production is 16 vCPUs ore more

Memory and Disk Performances:

Applications dependencies

TrackMe requires the following applications to be deployed and available on the instance hosting TrackMe:

note: The Splunk Machine Learning toolkit itself requires the Python Scientific package, TrackMe relies on the ML Toolkit for the management of Machine Learning models.

Shall any, or all of of the dependencies not being met, TrackMe will refuse to load the Virtual Tenant User Interface and show the list of missing applications, such as:

screen1.png