Deployment Architecture

How many gateways can be deployed for 5000 collectors?

Eshwar
Engager

Hi Community

Please suggest how many gateways can be deployed for 5000 collectors?

0 Karma

Eshwar
Engager

Hi @gcusello ,

We are trying to replicate the architecture below, wherein the OTEL collector will be installed on target servers and all OTEL collectors will be pointed to the Gateway server. So, we would like to know how many gateways are required.

https://docs.splunk.com/Observability/gdi/opentelemetry/deployment-modes.html#collector-gateway-mode

0 Karma

Eshwar
Engager

Hi @gcusello ,

My question is with respect to Splunk Observability Cloud. We have around 5000 client servers to redirect to the gateway, so please let us know how many gateways are required in this architecture and the capacity with respect to volume of data: how much data can be processed by a gateway?

Regards,

Eshwar

0 Karma

gcusello
SplunkTrust

Hi @Eshwar,

OK, you're speaking of Heavy Forwarders to use as concentrators to collect all the logs from your on-premise architecture to Splunk Observability Cloud.

The number of HFs depends on the following factors:

  • they must be at least 2 to avoid single points of failure,
  • how many GB you have to transfer daily and at the peak points,
  • if you delegate some parsing activities to the HFs (and usually this happens),
  • if you have only one exit point from your network to Splunk Observability Cloud,
  • if you have more segregated networks and you want to avoid opening connections from them to the HFs or to Splunk Cloud.

The most important factor is the data volume, not the number of target servers: how many events do you send to Splunk Observability Cloud in the peak hours?

In my experience, I suggest starting with two HFs, configured with the correct hardware reference and the correct setup to avoid queues; then you can analyze the load on these servers and the presence of queues or delays in indexing.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @Eshwar,

What do you mean by Gateway and Collector?

If you mean agent for Gateway, in Splunk they are called Universal Forwarders and they are installed one on each target server.

The UFs can directly send their logs to Indexers or they can be concentrated in intermediate Heavy Forwarders (your Concentrators?).

There's no licence for either kind of Forwarder, and you pay only for the daily indexed log volume.

For more info you can download the "Splunk Validated Architectures" doc (https://www.splunk.com/en_us/resources/splunk-validated-architectures.html?locale=en_us) or see https://docs.splunk.com/Documentation/SVA/current/Architectures/Introduction .

Ciao.

Giuseppe

0 Karma