Solved: Re: What is the recommended hardware requirement f...

slebbie_splunk · ‎03-22-2017

What is the recommended hardware spec for a HF that is now indexing locally. Essentially, I know it's an Indexer that is just forwarding, so do we treat it as such in terms of hardware requirements?

12CPU? 12GB?

esix_splunk · ‎03-22-2017

You can follow the reference architecture listed in docs. But what kind indexing volume is this box doing per day?

Without search load, 12gb + 12cores, and 900iops, should be able to deliver 200gb+ a day.

View solution in original post

esix_splunk · ‎03-22-2017

You can follow the reference architecture listed in docs. But what kind indexing volume is this box doing per day?

Without search load, 12gb + 12cores, and 900iops, should be able to deliver 200gb+ a day.

edoardo_vicendo · ‎11-30-2023

Hello,

Do you mean the 200GB/day is for an 12vCPU/12GB RAM/900 IOPS Heavy Forwarder that is indexing locally and also forwarding to Indexers but not performing local searches?

In this 200GB/day are you also including logs from internal indexes ( index=_* ) ?

If so, what about an Heavy Forwarder with same specs that is not locally indexing? How many GB/day can process (internal and non internal logs)?

Thanks a lot,

Edoardo

slebbie_splunk · ‎03-23-2017

To be honest, not much. 1.5gb. But there are massive blocked queues. Currently it's a 4 core box, more than likely a VM.

jet1276 · ‎09-17-2018

I have seen Heavy Forwarder with 12 Core CPU and 12 GB RAM handling 500 GB/day logs.

But everything depends on how you configure the Splunk Deployment and Server configurations.

What is the recommended hardware requirement for Heavy Forwarder that is indexing?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)