New Cluster Hardware decision

Hey folks,

We finally decided to order new hardware for our ES cluster. We are an IT security department and need the cluster to analyze "big" amounts of log files in case of IT security related incidents. The main problem is that we do not know what kind of logfiles we get until the incident occurs. Therefore we need a "general" ES cluster with the option to extend it to double the size within 1-2 years.

We are only allowed to decide between a few preconfigured systems:
System 1:

  • CPU 2620v4
  • Cores 8
  • Cache 20MB
  • Freq 2,1GHz
  • RAM 64GB
  • HD 2x960GB SSD

System 2:

  • CPU 1230v5
  • Cores 4
  • Cache 8MB
  • Freq 3,4GHz
  • RAM 32GB
  • HD 1x960GB SSD

Based on our budget we may buy:
6x System 1 OR
10x System 2

Aggregated, we have to decide between:

6x System 1:

  • CPU 2620v4
  • Cores 48
  • Cache 120MB
  • Freq 100,8GHz
  • HD 11,52TB

10x System 2:

  • CPU 1230v5
  • Cores 40
  • Cache 80MB
  • Freq 136GHz
  • HD 9,6TB

The costs are equal. What would you recommend for a basic ES cluster?

Thank you

If you have to decide between the last two servers, I would take #1, especially after you state they are the same $$$.

CPU 2620v4 (a gen down in CPU release, but probably won't matter much here.)
Cores 48: More cores = more time slices.
Cache 120MB: More cache.
Freq 100,8GHz: Less CPU freq (my servers are not having much CPU load.)
RAM 384GB: More RAM (Elastic likes RAM.)
HD 11,52TB: Bigger drive (probably about the same performance with more space.)

This is my anecdotal experience. Others may have additional thoughts.