Stream forwarder sizing guide
The maximum number of Stream forwarders (
streamfwd) that a search head can support depends on the value of the
pingInterval parameter in
streamfwd.conf. Based on tests, a single search head running
splunk_app_stream can process approximately 150 pings + Stream configuration requests per second.
Use this formula to calculate the maximum number of Stream forwarders per search head:
Stream forwarders per search head = 150 * pingInterval
pingInterval setting is 5 seconds, so a single search head can run up to 750 Stream forwarders at peak activity (during startup up or when stream configuration changes are made).
During average usage a single search head running
splunk_app_stream can process approximately 400 ping requests/second. However, the startup load on the CPU is significantly higher because
streamfwd must both send a ping request and pull down the full configuration from
If your deployment includes large numbers of Stream forwarders, we suggest that you run
splunk_app_stream on a dedicated server AND stagger the startup of individual Stream forwarders over time. Starting up too many Stream forwarders simultaneously might overload the server.
Flow collector performance test results
Splunk Stream REST API reference
This documentation applies to the following versions of Splunk Stream™: 7.1.2, 7.1.3, 7.2.0