I would like to find out if there's a recommended value for no of universal forwarders to connect to a receiver. We have about 130 end-user computers to monitor. Is it a good idea to connect them all to one receiver at one port? If not, what's the best practice, or the minimal system requirement for the receiver machine?
130 forwarders is no problem. The limits lie in the operating system's ability to create sockets rather than what Splunk itself can cope with. See the excellent answers to a very similar question here: http://splunk-base.splunk.com/answers/4097/is-there-a-maximum-number-of-forwarders-per-indexer
Thanks Ayn. My splunk server is on windows 2008 R2 platform, using Intel Xeon CPU E5450 @3GHz (2 processors) and 16 GB RAM. Any comments on this spec?