Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can we downsize our indexer cluster?

LovingSplunk
Path Finder
‎03-12-2026 07:36 AM

We are at 10 indexers ingesting around 400 GBs/day. A homogeneous environment with 1 millisecond wait time (I/O Write). How many indexers is it safe to cut?

Labels (3)
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-12-2026 08:32 AM

There is no single answer for such question. It mostly depends on your _search_ load. Your ingest volume could be even handled with a single indexer but the search performance would be terrible. So it's mostly about how you're using your Splunk stack. (and obviously how much flexibiity you want/need regarding fault resistance.

0 Karma
Reply

LovingSplunk
Path Finder
‎03-16-2026 08:37 AM

Hi @PickleRick, we are at about 80k searches/day.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-16-2026 12:55 PM

Again - it depends on the overall load. I have around 6,5k searches on my lab Splunk instance which is very rarely and very lightly used so the number itself is no good indicator. Besides the number of searches it's very important what those searches do, how well (or badly) they are written and so on.

It's different to have 80k searches like "| makeresults | eval _raw="Hello world!"" and completely different to have 80k searches over last two years with heavy join use, badly written search terms, eventstats and so on.

So it's one of those cases where if you don't know on your own, it's best to involve someone with experience and access to your environment (which means either Professional Services or your local Splunk Partner)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-12-2026 07:43 AM

Hi @LovingSplunk ,

it depends on many factors:

  • have you ES or ITSI?
  • have you a multisite architecture and each site must be able to ingest all the load?
  • how many scheduled searches are running on your indexers?

in general you could use one Indexer every 200 GB/day without ES or ITSI and one indexer every 100/150 GB/day with ES or ITSI, but, as I said, it depends on the above factors.

Ciao.

Giuseppe

Reply

LovingSplunk
Path Finder
‎03-12-2026 07:48 AM

Thank you for your response @gcusello. We have ES which is very lightly used in our environment. How can I assess the impact of ES on the environment?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-12-2026 07:55 AM

Hi @LovingSplunk ,

as I said, the hardware specifications require a detailed design activity by a Splunk Architect with experience on ES implementation.

Anyway, at https://help.splunk.com/en/splunk-enterprise-security-8/install/8.4/planning/minimum-specifications-... you can find the minimum hardware requirements for on-premise installations, but they are related to the number of Detections to enable and active user.

Only one very important point of attention: be sure to use a very performant storage, with at least 800 IOPS, otherwise your infrastructure will be your first problem!

Check this point using Bonnie++ or another tool before installing Splunk!

Ciao.

Giuseppe

Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-13-2026 12:33 PM
I think that currently (un)official minimum is 1200 IOPS instead of 800. And actually it's better to get as much IOPS as you could get!
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-13-2026 01:58 PM

To be honest I've never been a fan of this IOPS requirement. It's very imprecise. What IOPS are we talking about? At what level? What size of request? So many questions, so few answers.

Reply

LovingSplunk
Path Finder
‎03-16-2026 08:28 AM

Hi @PickleRick, looking at the MC and our IOPS for 10 indexers is barely 300 and we are ingesting 400 GBs/day with those 10 indexers. How many can we cut safely?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-20-2026 03:33 PM

Hi @LovingSplunk .

as @isoutamo said: with 300 IOPS the only way is maintaining your ten IDXs!

Otherwise the performces of your system will be too low to support your system.

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-20-2026 02:55 PM
If your IOPS is 300 per indexer you cannot cut anything before you get it back to min 800-1200. After that you can probably cut of more than half away.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-16-2026 08:52 AM

Hi @LovingSplunk ,

you can measure IOPS, stopping Splunk on one Indexer and running a tool like Bonnie++, don't use MC.

You must have at least 800 IOPS, better 1200 or more.

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...