Universal Forwarder hardware specs

konstr
Path Finder

We are looking to deploy an Intermediary forwarding tier consisting of 3 Universal Forwarders going to Splunk Cloud.
The 3 UFs will be receiving data from 3 Heavy forwarders which will load-balance data across the intermediary forwarding tier.

The intermediary tier has to be there due to networking reasons that we cannot overcome which are not allowing the Heavy forwarders to forward to Splunk Cloud directly.

What specs should we be looking for the UFs of the intermediary forwarding tier considering a license of 600GB/day? The license would be split through the 3 UFs but in case of failure, each UF should be spec'd to be able to forward the full load.

Would something like 4 CPU cores and 8GB RAM be enough?

0 Karma

gcusello
Legend

Hi @konstr,
the intermediary forwarding tier consists of 3 Universal Forwarders or 3 Heavy Forwarders?
Before you spoke of UFs and after of HFs!
Anyway, it's better to use HFs.

The HW reference of these HFs depends on the job they have to do: if they only have to concentrate logs, it's a much too light configuration, but it could run (eventually at least 8 CPUs) and you could also use UFs instead of HFs; if instead you have to filter and transform logs, you have to give more resources to your HFs.

Anyway, there isn't a clear definition of HW reference for HFs; if it isn't a problem, give the standard resources asked by Splunk for Stand Alone servers (12 CPUs and 12 GB RAM).
Eventually use only two HFs but giving the correct resources!

Ciao.
Giuseppe

0 Karma

konstr
Path Finder

The intermediary forwarding tier will consist of 3 UFs receiving data from 3 HFs. So basically the UFs will just receive data and forward on to Splunk Cloud.

Unfortunately we are not able to use the 3 HFs to send directly to Splunk Cloud due to networking reasons hence why we need the intermediary forwarding tier.

Would you say that 4 cores and 8GB RAM for the UFs will not be enough?

0 Karma

gcusello
Legend

Hi @konstr,
it's a very strange architecture to have HFs that send data to UFs; usually it's the opposite: UFs are installed on target servers, they take logs and send them to HFs that forward to Indexers or Splunk Cloud.

Anyway, yes, they should be enough.

Ciao.
Giuseppe

0 Karma