Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Hardware requirement for intermediate forwarder server

Thang_TV
Explorer
‎04-29-2021 08:52 PM

Hi Everyone,

I want to know hardware requirement for intermediate forwarder server. 

CPU, DISK, RAM.

Thanks !

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-29-2021 10:27 PM

Hi @Thang_TV,

there isn't an explicit hardware reference for Heavy Forwarders, this means that (to be sure) you should take the hardware reference for a stand alone Splunk Server: 12 CPUs and 12 GB RAM.

If you have availabilità it's better to give these resources to your virtual machine.

If instead you haven't availability and you analyzed that you haven't an hard work for it, you could try with 8 CPUs and 8 GB RAM, monitoring it to understand if it reach to do its work.

The thing to analyze are: log parsing and eventual management of external syslog output queue.

In my experince, usually it's sufficient and I always start with these resources; only one time I had to give more resources because I saw that the HF was in trouble (slow queues) to do a very hard work: receive logs from some Universal Forwarders and syslogs from some appliances, parse them, manage an output syslog queue very large.

About hard disks, it's an intermediate Forwarder without local indexing, you can give 30 GB, or (better) 50.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-29-2021 10:27 PM

Hi @Thang_TV,

there isn't an explicit hardware reference for Heavy Forwarders, this means that (to be sure) you should take the hardware reference for a stand alone Splunk Server: 12 CPUs and 12 GB RAM.

If you have availabilità it's better to give these resources to your virtual machine.

If instead you haven't availability and you analyzed that you haven't an hard work for it, you could try with 8 CPUs and 8 GB RAM, monitoring it to understand if it reach to do its work.

The thing to analyze are: log parsing and eventual management of external syslog output queue.

In my experince, usually it's sufficient and I always start with these resources; only one time I had to give more resources because I saw that the HF was in trouble (slow queues) to do a very hard work: receive logs from some Universal Forwarders and syslogs from some appliances, parse them, manage an output syslog queue very large.

About hard disks, it's an intermediate Forwarder without local indexing, you can give 30 GB, or (better) 50.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Thang_TV
Explorer
‎04-30-2021 02:08 AM

Hi Giuseppe,

Thank for your helpful answer,

I have one more questions, please clear it for me:

1. Does only HF support intermediate forwarder ? how about Universal forwarder ?

2. When intermediate forwarder received logs like: Syslog from Firewall, IPS, Router.... and other log from universal forwarder. What will the intermediate forwarder do ? 

- Storage the log and forward to Indexer, after that, deleted the logs ?

- Just forward the log, not storage logs ? 

Thanks ! 

@gcusello 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-30-2021 02:19 AM

Hi @Thang_TV,

you can use also an Universal Forwarder as Intermediate Forwarder, but I don't like it, I prefer HF.

Then remember always to use always at least two HFs as Intermediate to avoid Single Point of Failure.

Intermediate Forwarder usually doesn't locally index logs becaus in this way you pay twice license!

For this reason you don't need large storages on HFs.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Thang_TV
Explorer
‎04-30-2021 03:11 AM

Hi @gcusello ,

Thank bro,

very helpful.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-30-2021 03:13 AM

Hi @Thang_TV,

good for you, see nect time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...