Getting Data In

What are the system requirements for an AMI Linux VM Heavy forwarder running Splunk 6.2.6?

grimesrichard
New Member

Hi All,

We are trying to size an AMI Linux VM Heavy Forwarder for a new installation of 6.2.6 and have found the Splunk recommended system requirements of 2x six-core, 2+ GHz CPU, 12 GB RAM at the following link: http://docs.splunk.com/Documentation/Splunk/6.0/Installation/Systemrequirements#Recommended_hardware but there is no specific mention of the requirements for a Heavy Forwarder anywhere that we can find in any Splunk documentation.

We have found high level reference to the fact a forwarder can be of a lower spec that the above as it will not be doing as much indexing as an indexer, but no quantification as to what that less may be...

Any guidance or advice that anyone can provide would be much appreciated.

Thanks

0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

Hi, it all depends on the load and what you are planning to do.

If your heavy forwarder is just doing some basic parsing and forwarding but it's not indexing and searching, you can run it in a much smaller VM.

For instance, one of my customers has more than 20 heavy forwarders and the specs are very different, but they all work fine:

  • From 2x2 cores to 2x4 cores
  • From 4 to 8 GB RAM
  • From 100 to 200 GB allocated to /opt
  • Shared VM resources
  • 1 Gbps network card

Hope that helps,
J

View solution in original post

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi, it all depends on the load and what you are planning to do.

If your heavy forwarder is just doing some basic parsing and forwarding but it's not indexing and searching, you can run it in a much smaller VM.

For instance, one of my customers has more than 20 heavy forwarders and the specs are very different, but they all work fine:

  • From 2x2 cores to 2x4 cores
  • From 4 to 8 GB RAM
  • From 100 to 200 GB allocated to /opt
  • Shared VM resources
  • 1 Gbps network card

Hope that helps,
J

0 Karma

grimesrichard
New Member

Thanks Javiergn,

We ended up using another windows HF spec as a place to start and will monitor performance.

I think your approach to using other working instances as a base for comparison is the best answer at this time so I've accepted your answer.

Apologies for the delay in the response.

Cheers

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...