Getting Data In

What are the system requirements for an AMI Linux VM Heavy forwarder running Splunk 6.2.6?

grimesrichard
New Member

Hi All,

We are trying to size an AMI Linux VM Heavy Forwarder for a new installation of 6.2.6 and have found the Splunk recommended system requirements of 2x six-core, 2+ GHz CPU, 12 GB RAM at the following link: http://docs.splunk.com/Documentation/Splunk/6.0/Installation/Systemrequirements#Recommended_hardware but there is no specific mention of the requirements for a Heavy Forwarder anywhere that we can find in any Splunk documentation.

We have found high level reference to the fact a forwarder can be of a lower spec that the above as it will not be doing as much indexing as an indexer, but no quantification as to what that less may be...

Any guidance or advice that anyone can provide would be much appreciated.

Thanks

0 Karma
1 Solution

javiergn
Super Champion

Hi, it all depends on the load and what you are planning to do.

If your heavy forwarder is just doing some basic parsing and forwarding but it's not indexing and searching, you can run it in a much smaller VM.

For instance, one of my customers has more than 20 heavy forwarders and the specs are very different, but they all work fine:

  • From 2x2 cores to 2x4 cores
  • From 4 to 8 GB RAM
  • From 100 to 200 GB allocated to /opt
  • Shared VM resources
  • 1 Gbps network card

Hope that helps,
J

View solution in original post

0 Karma

javiergn
Super Champion

Hi, it all depends on the load and what you are planning to do.

If your heavy forwarder is just doing some basic parsing and forwarding but it's not indexing and searching, you can run it in a much smaller VM.

For instance, one of my customers has more than 20 heavy forwarders and the specs are very different, but they all work fine:

  • From 2x2 cores to 2x4 cores
  • From 4 to 8 GB RAM
  • From 100 to 200 GB allocated to /opt
  • Shared VM resources
  • 1 Gbps network card

Hope that helps,
J

0 Karma

grimesrichard
New Member

Thanks Javiergn,

We ended up using another windows HF spec as a place to start and will monitor performance.

I think your approach to using other working instances as a base for comparison is the best answer at this time so I've accepted your answer.

Apologies for the delay in the response.

Cheers

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...