Hi Muebel,

Thank you so much for your inputs. That is really helpful. I have now gone through the specs and can see that as you have mentioned we should be able to run a large number of inputs depending on how the servers are set up.

So suppose I have 200 inputs and have 2 HWFs (assume 8core machines, 32GB RAM), would it be a good option to split 100 inputs each on the HWFs with a frequency of every 5 mins... I am expecting to receive a max of 500MB-1GB of data per day even with all inputs combined.

Lastly the documentation states that it would be best if we can schedule the inputs one after the other rather than running them concurrently to avoid consuming too much memory. I was wondering if this is possible as we only specify the frequency and not the time at which it has to run ? or does it depend on when we first start the inputs ?

You can stagger out the inputs with a non-overlapping cron schedule, that is, one batch runs at 5 mins past the hour, then next at 10 etc.

I would expect with that kind of hardware and that amount of data, you should be fine. A cautious approach would be to gradually add the inputs, spaced out as described above. Monitor the resource utilization of the involved databases as well as the splunk infrastructure. If you see any spike in resource utilization, you'll be able to easily track it down to a recent added input.

If you have found this answer helpful, please accept it, and otherwise let me know if I could clarify anything 😄

Thanks Muebel. I accepted the answer. Final question: to address failure scenario of a particular HWF in this scenario, should we backup the state periodically and import on the other server whenever required ?

yes, treat the forwarder as a snowflake that needs to be backed up and restored. By the way, http://blogs.splunk.com/2017/02/20/splunk-db-connect-3-released/ Performance characteristics are improved.