Hi
In our environment ,there are almost 30 servers where splunk forwarders are installed for monitoring and there is only one splunk indexer.I've configured only one receiver for the all 30 forwader servers.Is this the recommended way? or should I split it as a group and configure more receivers?
Thanks
There are people who are using hundreds more forwarders than the number you've specified without any issues. As a general rule, I wouldn't say that 30 is too many unless you're having some type of performance problem. In short, I think you're probably just fine with that configuration.
There are people who are using hundreds more forwarders than the number you've specified without any issues. As a general rule, I wouldn't say that 30 is too many unless you're having some type of performance problem. In short, I think you're probably just fine with that configuration.
ah awesome..thankyou so much
70 should be fine as well. Some people have hundreds of forwarders sending data. The question is one of bottlenecks created by the receiving system. Keep in mind that splunk uses a lot of file handlers, and that you need to be able to sustain 800-1000 iops. If the indexer is beefy, and configured properly, you'll be fine.
Did I say 30 ,my bad, it's 70 forwaders actually.I'm sorry
Do you still think this is going to be fine configuration.?
I know you said it depends on performance but the point I'm trying to ask is..is there anyone facing some issues with these numbers,if so I dont want to run into issues later?
Thanks
Hi
No,we haven't tested yet..just we are in starting phase.but just wondering is this way of configuration recommended?
Are you experiencing performance issues then?
You should look at the following
http://docs.splunk.com/Documentation/Splunk/latest/installation/capacityplanningforalargersplunkdepl...