Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Indexer Sizing

msaleh7422
Engager
‎01-28-2026 02:23 AM

We would like your guidance on how to calculate the required number of Splunk indexers for our environment.

Currently, our estimated data ingestion rate is approximately 1 TB per day. We would appreciate it if you could advise on:

  • The recommended number of indexers needed for this ingestion volume

  • I Have multi site deployment
    #splunk
Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-28-2026 09:17 AM

This is the kind of question you go to your local friendly Splunk Partner with, not some randoms on the internet.

There are many factors possibly affecting your environment size and overall architecture - search load, retention, HA requirements...

And if someone here tells you "you need 3 indexers" will you run and issue a procurement order based on this? And what if it happens to be undersized? Or the opposite - it will turn out to be mostly idle and you have paid throught the nose for the hardware?

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-28-2026 05:59 AM

Hi @msaleh7422 ,

a quick and dirty evaluation is:

  • one indexer every 200 GB/day og ingestion if you haven't a Premium App (ES or ITSI),
  • one indexer every 100-150 GB/day og ingestion if you have a Premium App (ES or ITSI).

in this second case, in ES training is described to use one indexer every 80 GB/day, but 100-150 GB/day is more correct value.

About CPUs, RAM and storage, you need a Capacity Plan that is very difficoult to do in Community: you need a Splunk Architect from a Splunk Partner.

Ciao.

 Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...