Getting Data In

What are the system requirements for an AMI Linux VM Heavy forwarder running Splunk 6.2.6?

grimesrichard
New Member

Hi All,

We are trying to size an AMI Linux VM Heavy Forwarder for a new installation of 6.2.6 and have found the Splunk recommended system requirements of 2x six-core, 2+ GHz CPU, 12 GB RAM at the following link: http://docs.splunk.com/Documentation/Splunk/6.0/Installation/Systemrequirements#Recommended_hardware but there is no specific mention of the requirements for a Heavy Forwarder anywhere that we can find in any Splunk documentation.

We have found a high-level reference to the fact that a forwarder can be of a lower spec than the above as it will not be doing as much indexing as an indexer, but no quantification as to what that less may be...

Any guidance or advice that anyone can provide would be much appreciated.

Thanks

0 Karma
1 Solution

javiergn
Super Champion

Hi, it all depends on the load and what you are planning to do.

If your heavy forwarder is just doing some basic parsing and forwarding but it's not indexing and searching, you can run it in a much smaller VM.

For instance, one of my customers has more than 20 heavy forwarders and the specs are very different, but they all work fine:

  • From 2x2 cores to 2x4 cores
  • From 4 to 8 GB RAM
  • From 100 to 200 GB allocated to /opt
  • Shared VM resources
  • 1 Gbps network card

Hope that helps,
J


0 Karma


grimesrichard
New Member

Thanks Javiergn,

We ended up using another Windows HF spec as a place to start and will monitor performance.

I think your approach to using other working instances as a base for comparison is the best answer at this time so I've accepted your answer.

Apologies for the delay in the response.

Cheers

0 Karma