Hello Splunk Team.
Kindly asking for your assistance and recommendation for EC2 instances. We are working with Splunk services and forwarding the data from various AWS accounts to the on-prem datacenter. Now we have a task to scale the EC2 instances because of the enormous increase in the data that we will be sending. We are using the Autoscaling group and three EC2 instances (c5.4xlarge) with Splunk Heavy Forwarder installed and configured. We are not using any indexers and not storing the data, just forwarding.

Currently, we are not forwarding much data ~ 100Mb per day, but it will be increased up to 70Gb per day, and the question is what is the proper way of scaling AWS EC2 instances. As I mentioned, we are using the Autoscaling group and we can configure it to scale out instances based on the memory usage since Splunk requires a lot of RAM, but at the same time, we aren't quite sure about the timing of scaling and data flow. Data might be sent based on triggers in another AWS Account and we cannot predict that, so it might be a good idea to just scale the instances based on the information about instance performance and network flow.

So currently each instance is acquiring around 25-30% of the 16 Gb RAM without any spikes. I calculated an approximate prediction of how much RAM will be required for this upgrade for each instance and noted those instance types:
r4.4xlarge 16 58 122 GiB
r4.8xlarge 32 97 244 GiB
r5.4xlarge 16 70 128 GiB
r5.8xlarge 32 128 256 GiB
So, what do you think: would r4/r5 instance types be able to handle such a data forwarding increase, or do we need to find some other proper solution? Maybe you can make some recommendations based on similar cases. The main question is how much RAM Heavy Forwarders will consume based on this information.
Thanks!