Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Indexer Sizing

msaleh7422
Engager
‎01-28-2026 02:23 AM

We would like your guidance on how to calculate the required number of Splunk indexers for our environment.

Currently, our estimated data ingestion rate is approximately 1 TB per day. We would appreciate it if you could advise on:

  • The recommended number of indexers needed for this ingestion volume

  • I Have multi site deployment
    #splunk
Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-28-2026 09:17 AM

This is the kind of question you go to your local friendly Splunk Partner with, not some randoms on the internet.

There are many factors possibly affecting your environment size and overall architecture - search load, retention, HA requirements...

And if someone here tells you "you need 3 indexers" will you run and issue a procurement order based on this? And what if it happens to be undersized? Or the opposite - it will turn out to be mostly idle and you have paid throught the nose for the hardware?

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-28-2026 05:59 AM

Hi @msaleh7422 ,

a quick and dirty evaluation is:

  • one indexer every 200 GB/day og ingestion if you haven't a Premium App (ES or ITSI),
  • one indexer every 100-150 GB/day og ingestion if you have a Premium App (ES or ITSI).

in this second case, in ES training is described to use one indexer every 80 GB/day, but 100-150 GB/day is more correct value.

About CPUs, RAM and storage, you need a Capacity Plan that is very difficoult to do in Community: you need a Splunk Architect from a Splunk Partner.

Ciao.

 Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...