Channel: Questions in topic: "universal-forwarder"

SplunkCloud gateway forwarder architecture and hardware requirements

Hey Folks,

We have a fairly secure environment with no servers able to access the internet or route traffic to SplunkCloud. A large majority of the data we will be indexing is OS (*.nix, Windows etc.) and app logs. In addition we'll have some HF's DBConnect, some API, some HEC and some syslog. In order to punch out the firewall and restricted zones we will need intermediate forwarders, or for security, gateway forwarders. I am trying to size and scale accordingly but I cannot find anything that talks about rule-of-thumb sizing for throughput.

Assuming a *Universal Forwarder* gateway forwarder providing no other function than receiving data from the internal UFs and HFs:

1. Would 12 CPU/12GB RAM and 800 IOPS be overkill?
2. Are there diminishing returns as resources are increased (e.g. a 4 CPU 4GB UF can push 100GB/day but a 12/12 can only push 200GB/day)?
3. Are there limits to throughput (e.g. a UF can only do 4Mbps)?
4. I am assuming that horizontal scale is better than monolithic, but how do I know how many and what spec (assuming a 1TB/day SplunkCloud indexing)?

Thanks!
