Solved: What is the recommended hardware requirement for H...

slebbie_splunk · ‎03-22-2017

What is the recommended hardware spec for a HF that is now indexing locally. Essentially, I know it's an Indexer that is just forwarding, so do we treat it as such in terms of hardware requirements?

12CPU? 12GB?

esix_splunk · ‎03-22-2017

You can follow the reference architecture listed in docs. But what kind indexing volume is this box doing per day?

Without search load, 12gb + 12cores, and 900iops, should be able to deliver 200gb+ a day.

View solution in original post

esix_splunk · ‎03-22-2017

You can follow the reference architecture listed in docs. But what kind indexing volume is this box doing per day?

Without search load, 12gb + 12cores, and 900iops, should be able to deliver 200gb+ a day.

edoardo_vicendo · ‎11-30-2023

Hello,

Do you mean the 200GB/day is for an 12vCPU/12GB RAM/900 IOPS Heavy Forwarder that is indexing locally and also forwarding to Indexers but not performing local searches?

In this 200GB/day are you also including logs from internal indexes ( index=_* ) ?

If so, what about an Heavy Forwarder with same specs that is not locally indexing? How many GB/day can process (internal and non internal logs)?

Thanks a lot,

Edoardo

slebbie_splunk · ‎03-23-2017

To be honest, not much. 1.5gb. But there are massive blocked queues. Currently it's a 4 core box, more than likely a VM.

jet1276 · ‎09-17-2018

I have seen Heavy Forwarder with 12 Core CPU and 12 GB RAM handling 500 GB/day logs.

But everything depends on how you configure the Splunk Deployment and Server configurations.

What is the recommended hardware requirement for Heavy Forwarder that is indexing?

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows