Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the recommended hardware requirement for Heavy Forwarder that is indexing?

slebbie_splunk
Splunk Employee
Splunk Employee
‎03-22-2017 08:30 PM

What is the recommended hardware spec for a HF that is now indexing locally. Essentially, I know it's an Indexer that is just forwarding, so do we treat it as such in terms of hardware requirements?

12CPU? 12GB?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎03-22-2017 08:39 PM

You can follow the reference architecture listed in docs. But what kind indexing volume is this box doing per day?

Without search load, 12gb + 12cores, and 900iops, should be able to deliver 200gb+ a day.

View solution in original post

Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎03-22-2017 08:39 PM

You can follow the reference architecture listed in docs. But what kind indexing volume is this box doing per day?

Without search load, 12gb + 12cores, and 900iops, should be able to deliver 200gb+ a day.

Reply
Solved! Jump to solution

edoardo_vicendo
Contributor
‎11-30-2023 09:12 AM

Hello,

Do you mean the 200GB/day is for an 12vCPU/12GB RAM/900 IOPS Heavy Forwarder that is indexing locally and also forwarding to Indexers but not performing local searches?

In this 200GB/day are you also including logs from internal indexes ( index=_* ) ?

If so, what about an Heavy Forwarder with same specs that is not locally indexing? How many GB/day can process (internal and non internal logs)?

Thanks a lot,

Edoardo

0 Karma
Reply
Solved! Jump to solution

slebbie_splunk
Splunk Employee
Splunk Employee
‎03-23-2017 07:12 AM

To be honest, not much. 1.5gb. But there are massive blocked queues. Currently it's a 4 core box, more than likely a VM.

0 Karma
Reply
Solved! Jump to solution

jet1276
Path Finder
‎09-17-2018 11:01 PM

I have seen Heavy Forwarder with 12 Core CPU and 12 GB RAM handling 500 GB/day logs.

But everything depends on how you configure the Splunk Deployment and Server configurations.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...