Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is saturation level fine as a preparation for additional HEC data stream?

danielbb
Motivator
2 weeks ago

For our indexers, we see the following under 'Storage I/O Saturation (Mount Point)' - 
0.90% (/opt/splunk) 6.56% (/indexing/splunk_cold) 

We have 14 indexers with roughly the same saturation levels and I wonder if it's healthy. 
We would like to direct the HEC data straight to the indexers (instead of going through the HFs) and therefore I wonder if at the I/O level we are ready.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
Influencer
2 weeks ago

Hi @danielbb 

Receiving cooked data from a HF or receiving HEC shouldnt have much impact on the I/O saturation of your disks because Splunk will still write the same amount of data to disk if sent either way. The parsing of HEC data that will be done on your indexers instead of HF may use more CPU/Memory but I do not think disk IO should be affected.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top