Deployment Architecture

Reasons for NEEDING minimum hardware requirements

Path Finder

Hello Fellow Splunkers!

Can someone please explain the need for deploying Splunk with the minimum hardware requirements? If the specs are reduced is their data loss or just lagging?

I constantly get this question and have not been able to find anything on it in the Splunk documentation.


Thanks in advance for the help!

Labels (2)



Splunk want to ensure that your hardware is "enough powerful" to do the base processing and for that reason they have defined some example configurations which fulfil that requirement. In real life especially in small environments (both single node and distributed) you could start with smaller if needed. The most important thing is enough IOPS from disks. 

You should just estimate your real needs and then create needed virtual or physical hardware for that. When you are using virtual you could easily start with smaller instance(s) and add capacity and instances as needed, but remember the IOPS needs!

r. Ismo

Ultra Champion

You would get a slow-working environment. Your searches might be delayed or skipped. In some cases I believe you could face some data loss if Splunk got "clogged" with events on input.

0 Karma
Get Updates on the Splunk Community!

Events has wrong timestamp, How to correct time config?

Hello Splunkers, I've an issue with my event time configuration. It has incorrect timestamp. Below are my ...

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

What is the use drop_dm_object_name() clause in a query with tstats.?

I am trying to find out what purpose drop_dm_object_name() serves.