
If deploying a Splunk instance that will index 500GB/day, what would be the recommended architecture for this type of environment?

New Member


I need your help/suggestions on deploying a High Availability (HA) Splunk architecture on our private AWS cloud system.

We are planning to set up a new Splunk instance with 500GB/day indexing on a private AWS system, so we need suggestions for deploying an HA Splunk architecture. Please share the architecture details along with size planning, and also details like the below.

Search Head – number of SHs and CPU/Memory/Storage?
Indexer – number of indexers and CPU/Memory/Storage?
Deployment Server – number of DSs and CPU/Memory/Storage?
Heavy Forwarders – number of HFs and CPU/Memory/Storage?

Also, the required clustering for SHs and indexers, and any further information, would be helpful. I have been going through a couple of documents but am getting confused, and this is my first attempt at a big setup from scratch. So please help me with the above details.




We have the same license amount and currently run an AWS solution as well, so here are our specs as an example for you. Please note that we use Splunk Enterprise Security, so I've substituted M4 instances for C4 instances where they would be more appropriate without ES (I did it so it wouldn't moan about RAM).

Indexers:
4 x M4.4xlarge (100 GB GP2 Volume "/opt/splunk", 3 TB GP2 Volume "/data/splunk_hot", 8 TB ST1 Volume "/data/splunk_cold", 1 TB ST1 Volume "/data/splunk_frozen") ~ 9 months live retention based on our current loads.

Search heads:
1 x C4.4xlarge (100 GB GP2 Volume "/opt/splunk") - General Use
1 x M4.4xlarge (100 GB GP2 Volume "/opt/splunk") - Enterprise Security

Cluster Master Server:
1 x C4.xlarge (100 GB GP2 Volume "/opt/splunk")

Multisite - true
2 indexers and 1 SH per site; sites are defined by AWS Availability Zones; the master sits on site1.
All indexes are replicated; the rep factor is origin:1, total:2 for both the replication and the search factor.
Summary replication - true
useACK for forwarders - true

I've not listed other devices as they're not relevant to our setup; things like deployment servers and heavy forwarders are defined more by process requirements/geolocation for my org (we have both cloud and on-prem forwarders). The above core system handles the search load for ~20 non-security users, ~12 security users, and the system search load.

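The multisite layout described in the answer above (two sites mapped to Availability Zones, an origin:1,total:2 replication and search factor, summary replication, and forwarder acknowledgement) written out as the server.conf and outputs.conf stanzas that produce it. This is an added illustration, not configuration posted by the answerer: the hostnames, the cluster label, the replication port and the shared-secret placeholder are assumptions, and the stanzas for the four roles are shown one after another here although each lives in its own file on its own host. The setting names match the Splunk releases current when the thread was written; Splunk 8.1 and later document them as `mode = manager` / `mode = peer` and `manager_uri`, so use whichever names your version documents.

```ini
# File 1: server.conf on the cluster master (site1).
# Added example; hostnames, label and secret placeholder are assumptions.
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
# One copy on the originating site, two copies in total, for both
# rawdata (replication factor) and tsidx files (search factor).
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
# Also replicate report/data-model acceleration summaries between peers.
summary_replication = true
cluster_label = splunk_prod
# Set with: splunk edit cluster-config -secret <value>; do not commit the
# cleartext value to version control.
pass4SymmKey = <shared-cluster-secret>

# File 2: server.conf on every indexer (peer). Peers in the second
# Availability Zone set site = site2; everything else is identical.
[general]
site = site1

[replication_port://9887]

[clustering]
mode = slave
master_uri = https://cm.example.internal:8089
pass4SymmKey = <shared-cluster-secret>

# File 3: server.conf on each search head (one per site; the site2 search
# head sets site = site2 so its searches prefer local bucket copies).
[general]
site = site1

[clustering]
mode = searchhead
multisite = true
master_uri = https://cm.example.internal:8089
pass4SymmKey = <shared-cluster-secret>

# File 4: outputs.conf on the forwarders. useACK = true makes the forwarder
# keep each block in its queue until an indexer confirms it was written,
# so an indexer failing mid-stream does not silently lose events.
[tcpout]
defaultGroup = all_indexers

[tcpout:all_indexers]
server = idx1a.example.internal:9997,idx1b.example.internal:9997,idx2a.example.internal:9997,idx2b.example.internal:9997
useACK = true
```

The pass4SymmKey must be the same on the master, every peer and every search head, and server.conf should be readable only by the splunk user, since that secret is what authorises a host to join the indexer cluster. Search head clustering, which the original question also asks about, is a separate mechanism: search head cluster members are configured under [shclustering] and receive apps from a deployer, not from the indexer cluster master.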

New Member

Thanks everyone for your response!

Hi goodsellt,

As you suggested with your AWS setup configuration, I am going to send the configs below to my seniors. But could you please share your thoughts on the comments below?

Search Head: 2 x C4.4xlarge (150 GB GP2 Volume "/opt/splunk"). Will not be using Splunk ES for now.

Indexer:
4 x M4.4xlarge
(100 GB GP2 Volume "/opt/splunk",
3 TB GP2 Volume "/data/splunk_hot",
8 TB ST1 Volume "/data/splunk_cold",
1 TB ST1 Volume "/data/splunk_frozen")

Deployment Server (we might require one):
1 x C4.xlarge (100 GB GP2 Volume "/opt/splunk")

Cluster Master:
1 x C4.xlarge (100 GB GP2 Volume "/opt/splunk")
Can this cluster master be used for both SH and indexers?

Heavy Forwarder – number of servers, and which AWS instance would be sufficient? We have around 20 data sources as of now.



Splunk Employee

I would recommend reviewing the following doc, which gives some general guidance on how to plan out the deployment:

Sr. Technical Support Engineer

Revered Legend


Congrats on your first setup! There are some variables missing in order to give a full solution, such as: How many users? How many clients (forwarders)? What are the data sources? What are the scaling considerations? And more.
Plenty of answers are in the docs:
This presentation from .conf is a good resource as well:
Regardless, I would recommend contacting your Splunk SE for help with best practices and the solution.
