This is the kind of question you don't want to rely on answer from some randos from internet on. This is something you want to work with your local Splunk Partner with so that you have some papers to back your sizing if anyone from management wants for justification of the cost or for where the performance problems come from. They will also ask some difficult questions about your data, your workload and so on which we in the community might not have time to think about and you might not be eager to share answers to with the whole world. So while we can discuss the general principles of sizing environments freely here I'd suggest engaging professional help for a specific project.

Hi at all,

I agree with all the considerations from  @0xAli, there's only one additional information:

the sizing of using an indexer every 80-100 GB/day to index: this sizing arrives from the Enterprise Security Admin Course, but it isn't in any Splunk official documentation, infact working with the Splunk PS I received by them a different sizing: they hinted to use 150 GB/day per Indexer and, having very performant physical servers, also 200-250 GB/day per Indexer (this is the sizing from a Splunk architect of a project that I'm implementing ).

What is the correct answer?

I usually try to request a sizing to Splunk SE to be sure, if I must do the sizing by myself I use 150 GB/day per Indexer.

Ciao.

Giuseppe

Hey 0xAli — quick version: ES is what drives your sizing, not the 130 GB/day. Correlation searches and accelerated data models hit CPU and disk IOPS far harder than plain indexing, so size for the search load.

Rough starting point:

• Indexers — plan ~80–100 GB/day each with ES (vs. ~300 for plain Splunk), so 130 is ~2 indexers of load. With RF2 and wanting to survive a node loss, make 3 your floor. 16 cores / 32 GB each on SSD/NVMe. On ES, IOPS bites before CPU does.
• ES search head — give it its own dedicated box, nothing else co-located. 16 cores / 32–64 GB, scaled up as correlation/acceleration load grows.
• Ad-hoc SH — separate from ES, sized to your concurrent-user count (roughly a core per active search).
• HFs + CM / LM / DS — easy at this volume. The single-instance reference spec is fine; just scale the DS by how many forwarders phone home.

One design note: pointing network gear straight at an HF over UDP syslog drops events under load. Put SC4S (or syslog-ng/rsyslog writing to disk with a UF reading it) in front instead.

For real procurement numbers, don't eyeball it — run your inputs through a sizing calculator, match the topology against the Validated Architectures, and for an ES build it's worth a quick capacity-planning session with Splunk PS or a partner before you buy.

Docs worth referencing:

• Reference hardware (core/RAM baselines)
• Summary of performance recommendations
• Estimate your storage requirements
• ES performance reference
• Splunk Validated Architectures
• Splunk Lantern – platform capacity considerations
• Storage sizing calculator
• Splunk Connect for Syslog (SC4S)