Getting Data In

Universal Forwarder hardware specs

konstr
Path Finder

We are looking to deploy an Intermediary forwarding tier consisting of 3 Universal Forwarders going to Splunk Cloud.
The 3 UFs will be receiving data from 3 Heavy forwarders which will load-balance data across the intermediary forwarding tier.

The intermediary tier has to be there due to networking reasons that we cannot overcome which are not allowing the Heavy forwarders to forward to Splunk Cloud directly.

What specs should we be looking for the UFs of the intermediary forwarding tier considering a license of 600GB/day? The license would be split through the 3 UFs but in case of failure, each UF should be spec'd to be able to forward the full load.

Would something like 4 CPU cores and 8GB RAM be enough?

0 Karma

gcusello
SplunkTrust

Hi @konstr,
the intermediary forwarding tier consists of 3 Universal Forwarders or 3 Heavy Forwarders?
Before you spoke of UFs and after of HFs!
Anyway, it's better to use HFs.

The HW reference of these HFs depends on the job they have to do: if they only have to concentrate logs, it's a much too light configuration, but it could run (eventually at least 8 CPUs) and you could also use UFs instead of HFs; if instead you have to filter and transform logs, you have to give more resources to your HFs.

Anyway, there isn't a clear definition of HW reference for HFs; if it isn't a problem, give the standard resources asked by Splunk for Stand Alone servers (12 CPUs and 12 GB RAM).
Eventually use only two HFs but giving the correct resources!

Ciao.
Giuseppe

0 Karma

konstr
Path Finder

The intermediary forwarding tier will consist of 3 UFs receiving data from 3 HFs. So basically the UFs will just receive data and forward on to Splunk Cloud.

Unfortunately we are not able to use the 3 HFs to send directly to Splunk Cloud due to networking reasons hence why we need the intermediary forwarding tier.

Would you say that 4 cores and 8GB RAM for the UFs will not be enough?

0 Karma

gcusello
SplunkTrust

Hi @konstr,
it's a very strange architecture to have HFs that send data to UFs, usually it's the opposite: UFs are installed on target servers, they take logs and send them to HFs that forward to Indexers or Splunk Cloud.

Anyway, yes, they should be enough.

Ciao.
Giuseppe

0 Karma