Deployment Architecture

How many gateways can be deployed for 5000 collectors?

Eshwar
Engager

Hi Community

Please suggest how many gateways can be deployed for 5000 collectors?

0 Karma

Eshwar
Engager

Hi @gcusello ,

We are trying to replicate the architecture below, in which the OTEL collector will be installed on target servers and all OTEL collectors will be pointed to the Gateway server. So we would like to know how many gateways are required.

https://docs.splunk.com/Observability/gdi/opentelemetry/deployment-modes.html#collector-gateway-mode

0 Karma

Eshwar
Engager

Hi @gcusello ,

My question is with respect to Splunk Observability Cloud. We have around 5000 client servers to redirect to the gateway, so please let us know how many gateways are required in this architecture and the capacity with respect to volume of data: how much data can be processed by a gateway?

Regards,

Eshwar

0 Karma

gcusello
SplunkTrust

Hi @Eshwar,

OK, you're speaking of Heavy Forwarders to use as concentrators to collect all the logs from your on-premise architecture to Splunk Observability Cloud.

The number of HFs depends on the following factors:

  • they must be at least 2 to avoid single points of failure,
  • how many GB you have to transfer daily and at the peak points,
  • if you delegate some parsing activities to the HFs (and usually this happens),
  • if you have only one exit point from your network to Splunk Observability Cloud,
  • if you have more segregated networks and you want to avoid opening the connections from them to the HFs or to Splunk Cloud.

The most important factor is the data volume, not the number of target servers: how many events do you send to Splunk Observability Cloud in the peak hours?

In my experience, I suggest starting with two HFs, configured with the correct hardware reference and the correct setup to avoid queues; then you can analyze the load on these servers and the presence of queues or delays in indexing.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @Eshwar,

What do you mean by Gateway and Collector?

If you mean agent for Gateway, in Splunk they are called Universal Forwarders and one is installed on each target server.

The UFs can directly send their logs to Indexers or they can be concentrated in intermediate Heavy Forwarders (your Concentrators?).

There's no licence for either kind of Forwarder, and you pay only for the daily indexed log volume.

For more info you can download the "Splunk Validated Architectures" doc (https://www.splunk.com/en_us/resources/splunk-validated-architectures.html?locale=en_us) or see https://docs.splunk.com/Documentation/SVA/current/Architectures/Introduction .

Ciao.

Giuseppe

0 Karma