https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549952#M91334 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233999">@Thang_TV</a>,</P><P>there isn't an explicit hardware reference for Heavy Forwarders, this means that (to be sure) you should take the hardware reference for a stand alone Splunk Server: 12 CPUs and 12 GB RAM.</P><P>If you have availabilità it's better to give these resources to your virtual machine.</P><P>If instead you haven't availability and you analyzed that you haven't an hard work for it, you could try with 8 CPUs and 8 GB RAM, monitoring it to understand if it reach to do its work.</P><P>The thing to analyze are: log parsing and eventual management of external syslog output queue.</P><P>In my experince, usually it's sufficient and I always start with these resources; only one time I had to give more resources because I saw that the HF was in trouble (slow queues) to do a very hard work: receive logs from some Universal Forwarders and syslogs from some appliances, parse them, manage an output syslog queue very large.</P><P>About hard disks, it's an intermediate Forwarder without local indexing, you can give 30 GB, or (better) 50.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 30 Apr 2021 05:29:56 GMT gcusello 2021-04-30T05:29:56Z https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549949#M91333 <P>Hi Everyone,</P><P>I want to know hardware requirement for intermediate forwarder server.&nbsp;</P><P>CPU, DISK, RAM.</P><P>Thanks !</P> Fri, 30 Apr 2021 03:52:54 GMT https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549949#M91333 Thang_TV 2021-04-30T03:52:54Z https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549952#M91334 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233999">@Thang_TV</a>,</P><P>there isn't an explicit hardware reference for Heavy Forwarders, this means that (to be sure) you should take the hardware reference for a stand alone Splunk Server: 12 CPUs and 12 GB RAM.</P><P>If you have availabilità it's better to give these resources to your virtual machine.</P><P>If instead you haven't availability and you analyzed that you haven't an hard work for it, you could try with 8 CPUs and 8 GB RAM, monitoring it to understand if it reach to do its work.</P><P>The thing to analyze are: log parsing and eventual management of external syslog output queue.</P><P>In my experince, usually it's sufficient and I always start with these resources; only one time I had to give more resources because I saw that the HF was in trouble (slow queues) to do a very hard work: receive logs from some Universal Forwarders and syslogs from some appliances, parse them, manage an output syslog queue very large.</P><P>About hard disks, it's an intermediate Forwarder without local indexing, you can give 30 GB, or (better) 50.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 30 Apr 2021 05:29:56 GMT https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549952#M91334 gcusello 2021-04-30T05:29:56Z https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549971#M91337 <P>Hi Giuseppe,</P><P>Thank for your helpful answer,</P><P>I have one more questions, please clear it for me:</P><P>1. Does only HF support intermediate forwarder ? how about Universal forwarder ?</P><P>2. When intermediate forwarder received logs like: Syslog from Firewall, IPS, Router.... and other log from universal forwarder. What will the intermediate forwarder do ?&nbsp;</P><P>- Storage the log and forward to Indexer, after that, deleted the logs ?</P><P>- Just forward the log, not storage logs ?&nbsp;</P><P>Thanks !&nbsp;</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P> Fri, 30 Apr 2021 09:08:16 GMT https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549971#M91337 Thang_TV 2021-04-30T09:08:16Z https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549973#M91339 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233999">@Thang_TV</a>,</P><P>you can use also an Universal Forwarder as Intermediate Forwarder, but I don't like it, I prefer HF.</P><P>Then remember always to use always at least two HFs as Intermediate to avoid Single Point of Failure.</P><P>Intermediate Forwarder usually doesn't locally index logs becaus in this way you pay twice license!</P><P>For this reason you don't need large storages on HFs.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 30 Apr 2021 09:19:27 GMT https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549973#M91339 gcusello 2021-04-30T09:19:27Z https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549976#M91342 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;,</P><P>Thank bro,</P><P>very helpful.</P> Fri, 30 Apr 2021 10:11:14 GMT https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549976#M91342 Thang_TV 2021-04-30T10:11:14Z https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549978#M91343 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233999">@Thang_TV</a>,</P><P>good for you, see nect time!</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 30 Apr 2021 10:13:11 GMT https://community.splunk.com/t5/Getting-Data-In/Hardware-requirement-for-intermediate-forwarder-server/m-p/549978#M91343 gcusello 2021-04-30T10:13:11Z