Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Aggregating WinEventLogs from 2,000 XP machines, total daily volume 20GB

garfieldconnoll
Explorer
‎10-05-2011 12:19 PM

Hi,

So we've 2,000 XP machines generating c.20GB of WinEventLogs. For compliance reasons, we want to log it centrally.

We're considering using universal forwarders on each machine and then using 2- 4 intermediate forwarders to aggregate onto a single indexer.

I've read else where about suggested max ratio of 1000: 1 forwarders to indexer and even of an example of 6000:1 in a similar use case.

If we do use intermediate forwards, what sort of spec should we look at?

Thanks,

G.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-05-2011 01:20 PM

You don't need intermediate forwarders. Go directly to the indexers. I don't know where you're reading about this, but there is no Splunk limit anywhere near as low as 1000 or even 6000 forwarders to an indexer. (The server OS or network settings, however, may have limits configured in that may have to be found and lifted.)

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-05-2011 01:20 PM

You don't need intermediate forwarders. Go directly to the indexers. I don't know where you're reading about this, but there is no Splunk limit anywhere near as low as 1000 or even 6000 forwarders to an indexer. (The server OS or network settings, however, may have limits configured in that may have to be found and lifted.)

Reply
Solved! Jump to solution

garfieldconnoll
Explorer
‎10-05-2011 01:36 PM

Thanks for the prompt response. Not sure where I found the 1000 reference, but the 6000 example came from here on Answers.
Would a single deployment server be sufficient (if we set the phone home function to 600- 1200 seconds)?

Regards,

G.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...