Hi all! I am Charles from Hong Kong and new to Splunk. Hello everyone!
My boss asked me to fully utilize our newly installed Splunk Indexer and Heavy Forwarder by installing as many Splunk apps as they can hold. However, the indexer has only been assigned 8 CPU cores and 500 GB of storage, whereas my Splunk vendor suggested assigning 24 CPU cores to it (impossible!!). I am worried that installing too many apps on the indexer will degrade the performance of Splunk, or even crash the system.
Does any of you have experience estimating the largest possible number of Splunk apps that can be installed, and could you share it with me please? Thanks!
P.S. Our indexer currently receives around 10 GB of data per day.
I am surprised that Splunk recommended 24 cores for indexers. The proven recommendation is to have multiple small indexers and, of course, fast disks and high I/O.
Search heads: these need more horsepower: 24 cores, and as much RAM as you can get.
Indexers: fast disks, high I/O (for example, if you plan to index 500 GB/day, I would start with a minimum of 4 indexers with the "magic 12s": 12 cores, 12 GB RAM and a minimum of 1200 IOPS).
As far as the app/add-on load goes, if the app comes with a ton of custom extractions (check props.conf, transforms.conf, etc.), it is going to add extra load for sure. It also depends on the type of data you are consuming; I have seen some RADIUS-type logs with 170 key-value pairs in each event. There are several factors that could add load, and the experts on this forum can explain it to you better than I can.
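The answer above points at props.conf and transforms.conf as the place where an app's extraction load hides. The script below is an added example (my own, not code from the answer's author or from Splunk) that walks every app under $SPLUNK_HOME/etc/apps, parses each props.conf and counts which settings run at index time (TRANSFORMS-, SEDCMD- and the line-breaking/timestamp keys, i.e. work the indexer or heavy forwarder does on every event) versus search time (EXTRACT-, REPORT-, LOOKUP-, EVAL-, FIELDALIAS-, i.e. work paid per search). The classification follows the commonly documented meaning of those key prefixes; the .conf parser is deliberately minimal and the counts are a heuristic for comparing apps, not a CPU measurement. The sample props.conf contents embedded in SAMPLE_APPS are constructed for the example and do not come from any real add-on.

```python
"""Heuristic audit of Splunk apps: index-time vs search-time props.conf load.

Added example, not Splunk's code. Counts settings per app so you can see
which installed apps make the indexer work on every event and which only
cost at search time. Assumes the standard $SPLUNK_HOME/etc/apps/<app>/
{default,local}/props.conf layout.
"""
import os
from collections import Counter

# Key prefixes classified by when Splunk applies them (common documented meaning).
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")          # parsing pipeline
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "LOOKUP-", "EVAL-", "FIELDALIAS-")
PARSING_KEYS = {"LINE_BREAKER", "SHOULD_LINEMERGE", "TIME_FORMAT",
                "TIME_PREFIX", "TRUNCATE"}                  # also index-time


def parse_conf(text):
    """Minimal .conf parser: [stanza] headers, key = value pairs, # comments,
    and backslash line continuation. Returns {stanza: {key: value}}.
    Splunk's real merging/precedence rules are more involved; this is enough
    to count keys."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in stripped:
            continue
        key, value = stripped.split("=", 1)   # regexes may contain '=' too
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def classify_props(stanzas):
    """Count index-time vs search-time settings across all stanzas."""
    counts = Counter()
    for keys in stanzas.values():
        for key in keys:
            if key.startswith(INDEX_TIME_PREFIXES) or key in PARSING_KEYS:
                counts["index_time"] += 1
            elif key.startswith(SEARCH_TIME_PREFIXES):
                counts["search_time"] += 1
    return counts


def audit_apps(apps):
    """apps: {app_name: props.conf text}. Returns {app_name: Counter} ordered
    by index-time load (heaviest first), with a TOTAL entry appended."""
    report = {name: classify_props(parse_conf(text)) for name, text in apps.items()}
    ordered = dict(sorted(report.items(), key=lambda kv: (-kv[1]["index_time"], kv[0])))
    total = Counter()
    for counts in report.values():
        total.update(counts)
    ordered["TOTAL"] = total
    return ordered


def load_apps_dir(splunk_home):
    """Read default/props.conf and local/props.conf of every app; local is
    appended after default so its keys override the same stanza."""
    apps, apps_root = {}, os.path.join(splunk_home, "etc", "apps")
    for app in sorted(os.listdir(apps_root)):
        parts = []
        for sub in ("default", "local"):
            path = os.path.join(apps_root, app, sub, "props.conf")
            if os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    parts.append(fh.read())
        if parts:
            apps[app] = "\n".join(parts)
    return apps


# Constructed sample props.conf contents (hypothetical apps, not real add-ons).
SAMPLE_APPS = {
    "TA-radius-example": """
[radius:auth]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\\r\\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TRANSFORMS-drop_debug = radius_drop_debug
# many key=value pairs per event: search-time, but every search pays for it
EXTRACT-kv = (?<key>\\w+)=(?<value>[^,]+)
REPORT-all_kv = radius_kv_report
LOOKUP-nas = nas_lookup nas_ip OUTPUT site
""",
    "dashboard-only-app": """
[syslog]
EVAL-src_host = coalesce(host, "unknown")
""",
}

if __name__ == "__main__":
    import sys
    apps = load_apps_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_APPS
    for name, counts in audit_apps(apps).items():
        print(f"{name:28s} index_time={counts['index_time']:3d} "
              f"search_time={counts['search_time']:3d}")
```

Run it with no arguments to see the constructed sample, or pass your $SPLUNK_HOME to audit the real installation; apps that score zero on index_time cost the indexer nothing per event, so they are the safe ones to stack on an 8-core box, while high index-time scores (and high-volume sourcetypes with many key-value pairs) are the ones to weigh against the daily ingest.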