Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the recommended hardware requirement for Heavy Forwarder that is indexing?

slebbie_splunk
Splunk Employee
Splunk Employee
‎03-22-2017 08:30 PM

What is the recommended hardware spec for a HF that is now indexing locally. Essentially, I know it's an Indexer that is just forwarding, so do we treat it as such in terms of hardware requirements?

12CPU? 12GB?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎03-22-2017 08:39 PM

You can follow the reference architecture listed in docs. But what kind indexing volume is this box doing per day?

Without search load, 12gb + 12cores, and 900iops, should be able to deliver 200gb+ a day.

View solution in original post

Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎03-22-2017 08:39 PM

You can follow the reference architecture listed in docs. But what kind indexing volume is this box doing per day?

Without search load, 12gb + 12cores, and 900iops, should be able to deliver 200gb+ a day.

Reply
Solved! Jump to solution

edoardo_vicendo
Builder
‎11-30-2023 09:12 AM

Hello,

Do you mean the 200GB/day is for an 12vCPU/12GB RAM/900 IOPS Heavy Forwarder that is indexing locally and also forwarding to Indexers but not performing local searches?

In this 200GB/day are you also including logs from internal indexes ( index=_* ) ?

If so, what about an Heavy Forwarder with same specs that is not locally indexing? How many GB/day can process (internal and non internal logs)?

Thanks a lot,

Edoardo

0 Karma
Reply
Solved! Jump to solution

slebbie_splunk
Splunk Employee
Splunk Employee
‎03-23-2017 07:12 AM

To be honest, not much. 1.5gb. But there are massive blocked queues. Currently it's a 4 core box, more than likely a VM.

0 Karma
Reply
Solved! Jump to solution

jet1276
Path Finder
‎09-17-2018 11:01 PM

I have seen Heavy Forwarder with 12 Core CPU and 12 GB RAM handling 500 GB/day logs.

But everything depends on how you configure the Splunk Deployment and Server configurations.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...