What are the system requirements for an AMI Linux VM Heavy forwarder running Splunk 6.2.6?

grimesrichard
New Member

Hi All,

We are trying to size an AMI Linux VM Heavy Forwarder for a new installation of 6.2.6 and have found the Splunk recommended system requirements of 2x six-core, 2+ GHz CPU, 12 GB RAM at the following link: http://docs.splunk.com/Documentation/Splunk/6.0/Installation/Systemrequirements#Recommended_hardware but there is no specific mention of the requirements for a Heavy Forwarder anywhere that we can find in any Splunk documentation.

We have found high-level reference to the fact a forwarder can be of a lower spec than the above as it will not be doing as much indexing as an indexer, but no quantification as to what that less may be...

Any guidance or advice that anyone can provide would be much appreciated.

Thanks


javiergn
Super Champion

Hi, it all depends on the load and what you are planning to do.

If your heavy forwarder is just doing some basic parsing and forwarding but it's not indexing and searching, you can run it in a much smaller VM.

For instance, one of my customers has more than 20 heavy forwarders and the specs are very different, but they all work fine:

  • From 2x2 cores to 2x4 cores
  • From 4 to 8 GB RAM
  • From 100 to 200 GB allocated to /opt
  • Shared VM resources
  • 1 Gbps network card

Hope that helps,
J

grimesrichard
New Member

Thanks Javiergn,

We ended up using another Windows HF spec as a place to start and will monitor performance.

I think your approach to using other working instances as a base for comparison is the best answer at this time so I've accepted your answer.

Apologies for the delay in the response.

Cheers
