Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how many forwarder can report to same indexer?

lihongyan_84
Explorer
‎08-16-2011 08:51 PM

Is there a maximum number of forwarders that a single indexer can support?

Tags (1)
Reply

ftk
Motivator
‎08-16-2011 11:19 PM

You are not necessarily limited by the number of forwarders per indexer, but rather by the amount of data your indexer can ingest. If your server for example is capable of indexing at ~70 MB/minute, and your indexers send 0.5 MB/minute, you can expect roughly 140 forwarders per indexer. It is however likely that your forwarders will send less data than that so the number of forwarders will likely be greater.

In the end it really comes down to the hardware of your indexer. I recommend taking a look at Hardware capacity planning for your Splunk deployment in the docs and estimating the amount of data you want to index to get an idea of how many indexers you will need to support your forwarders.

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...