Hi everyone,
Implementing Splunk for the first time in an enterprise environment, I read a lot of documentation about the product, but there is one aspect that I'm missing and I was hoping you could help me with it:
Splunk balances the load by switching the flows from the forwarders to different indexers; the switch is made over time to any of the indexers available.
One of the forwarders we have is a huge syslog-ng receiver that centralizes a lot of data from many sources. I'm worried that when the flow from this forwarder hits one of the indexers it may overwhelm it, as in this scenario switching indexers wouldn't help. How does Splunk handle such situations? Is it even possible to overwhelm an indexer? Is it something we need to deal with at the source, like splitting flows?
Thanks a lot!
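The switching the question describes is controlled in the forwarder's outputs.conf. The fragment below is an added example, not part of the original post and not taken from Splunk's own documentation; the output group name, the indexer hostnames and port, and the byte and queue sizes are assumptions. It shows the default time-only switching beside the volume-based setting that makes a single heavy forwarder hand off to the next indexer once it has sent a fixed number of bytes, so one large stream is chunked across the tier instead of sitting on one indexer for the whole interval.

```ini
# outputs.conf on the heavy forwarder (the syslog-ng host).
# Added example; group name, hosts, port and sizes are assumptions.

[tcpout]
defaultGroup = indexer_tier
# Default behaviour, shown for contrast: the forwarder elects a new
# indexer every autoLBFrequency seconds regardless of how much data it
# has pushed. A burst inside that window lands entirely on one indexer.
# autoLB = true
# autoLBFrequency = 30

[tcpout:indexer_tier]
server = idx01.example.internal:9997, idx02.example.internal:9997, idx03.example.internal:9997
autoLB = true
# Switch after this many bytes OR after autoLBFrequency seconds,
# whichever comes first. 1 GiB is an assumed value; size it to what one
# indexer can absorb comfortably within autoLBFrequency seconds.
autoLBVolume = 1073741824
autoLBFrequency = 30
# Data without recognisable event boundaries (one long raw stream)
# cannot be switched mid-stream; this forces the switch at the time
# boundary anyway, at the risk of splitting an event. Leave it false
# unless the forwarder is fed that kind of stream.
forceTimebasedAutoLB = false
# Indexer acknowledgement: an indexer that stops reading makes the
# forwarder resend elsewhere instead of silently losing data.
useACK = true
# Forwarder-side output queue that buffers bursts while the chosen
# indexer is slow (assumed value; default is auto).
maxQueueSize = 512MB
```

Whether an indexer is actually being overwhelmed shows up in its own metrics.log, where queue lines carry blocked=true when the parsing or indexing queues back up; searching `index=_internal source=*metrics.log group=queue blocked=true` across the indexer tier after enabling the setting above is the quickest way to confirm the change spread the load rather than moved the bottleneck.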