Carbon Black EDR supports a clustered configuration to allow horizontal scaling for larger deployments.

If the Total Event Data Volume calculated from Calculating Total Event Data Volume exceeds the capacity of a server’s event data volume (Server sizing chart based on event data volume Column 1), a single server does not meet the requirements. A clustered deployment is a set of servers (minions) that work together with a head node (primary) for horizontal scaling. Each minion and primary of a clustered deployment must conform to the same specifications of a single server deployment.

The number of minions that are required to support event data volume can be determined by dividing the value calculated in Calculating Total Event Data Volume by the supported event data volume of your server hardware (Server sizing chart based on event data volume, Column 1) and rounding up to the nearest integer. If the result is larger than two, an additional eventless primary node is needed.

The preceding table assumes that 6 TB server event storage size from Server sizing chart based on event data volume is used for each minion. However, if another server event storage size is chosen, corresponding data volume size (Server sizing chart based on event data volume, column 1) should replace the value of 6 TB in calculating the necessary number of cluster nodes.

For example, if the deployment is for 25,000 Windows workstations and 3,500 Windows servers, an estimated data volume for 25 days of retention is:

(25000 * 7800 + 3500 * 10750) * 3.6KB * 25 days ~ 19.5TB

Because this value is larger than 6 TB, the required number of minions in the clustered deployment must be at least four (plus one primary node). Alternatively, a two-minion and one-primary node cluster can be configured, with each using the 10.5 TB data configuration.