Splunk Enterprise indexers are responsible for accepting data streams from internal and external sources, such as forwarders, and indexing that stream locally. Indexing the data requires lots of disk I/O bandwidth and some computing resources. Indexing capacity remains the top concern when you consider how many forwarders an indexer can handle.
The number of forwarders from which an indexer can accept data depends on several factors:
- Number of CPU cores on the machine. The number of cores should meet or exceed the reference standard.
- Number of disk spindles on the machine. The number of spindles should meet or exceed the reference standard.
- Whether the indexer runs Windows or *nix.
- The amount of data to be forwarded to the indexers.
- Whether the indexer also acts as a deployment server.
Forwarder-to-indexer ratios for a *nix indexer
Splunk Enterprise used the following setup to provide guidance for the number of forwarders that can connect to a *nix indexer:
- An indexer with 8 cores and 7GB of RAM and 4 x 420GB disks in RAID 0, running a 64-bit Linux OS.
- A high-speed local area network (LAN) operating at 100Mb/s or faster.
- All universal forwarders sent data that was not processed beforehand.
In these circumstances, an indexer was able to handle a minimum of 2000 forwarders and regularly handled as many as 5000 forwarders.
Performance was best when the server was configured to accept a high number of Unix file descriptors, typically three to four times the number of forwarders that the indexer could accept.
Note: These numbers are for guidance only. Results vary depending on the configuration of the indexers, forwarders, and network.
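The file descriptor guidance above can be checked on a Linux indexer by comparing a process's soft "Max open files" limit with three and four times the expected forwarder count. The following is an added example, not part of the Splunk documentation; the function names, the result labels, and the sample limits text are constructed for illustration, and the layout assumed is that of Linux `/proc/<pid>/limits`.

```shell
#!/bin/sh
# Added example: compare an open-file limit with the 3x-4x forwarder guidance.

# Constructed sample in the layout of Linux /proc/<pid>/limits.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            8192                 65536                files
Max processes             31234                31234                processes'

# soft_nofile: read limits text on stdin, print the soft "Max open files" value.
soft_nofile() {
    awk '/^Max open files/ { print $4; exit }'
}

# fd_headroom FORWARDERS SOFT_LIMIT
# Prints one of (labels are this example's own):
#   meets-4x  limit is at least 4 x forwarders (or unlimited)
#   meets-3x  limit is at least 3 x forwarders but below 4 x
#   low       limit is below 3 x forwarders (returns 1)
#   unknown   limit value could not be parsed (returns 2)
fd_headroom() {
    forwarders=$1
    soft=$2
    case $soft in
        unlimited) echo meets-4x; return 0 ;;
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac
    low=$((forwarders * 3))
    high=$((forwarders * 4))
    if [ "$soft" -ge "$high" ]; then
        echo meets-4x
    elif [ "$soft" -ge "$low" ]; then
        echo meets-3x
    else
        echo low
        return 1
    fi
}

# Run against the constructed sample for 2000 forwarders.
fd_headroom 2000 "$(printf '%s\n' "$SAMPLE_LIMITS" | soft_nofile)"

# Against a live process, with the PID supplied by the operator:
#   fd_headroom 2000 "$(soft_nofile < /proc/$PID/limits)"
```

Reading the limit from the running process rather than from `ulimit -n` in an interactive shell shows the value the process actually started with.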
Summary of performance recommendations
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0