Splunk Sizing Resources and Recommendations

Sizing Splunk is not always trivial, especially if it is used for other use cases in addition to uberAgent. We generally recommend working with one of our partners.

That being said, this page lists some basic recommendations as well as resources that should help with sizing Splunk. Before we start, please keep in mind that the only generic answer any good consultant will give is: “it depends”. Because it does.

Splunk Sizing Considerations

Hardware Resources: CPU and Disk

Splunk is primarily CPU- and disk-bound; it needs comparatively little RAM (compared to some other workloads). Make sure you have enough disk space for the planned retention time as well as a disk subsystem that delivers good IOPS numbers.

Accelerated Data Model

uberAgent’s Splunk app makes use of an accelerated data model which speeds up searches by about 50-100x. The data model’s high-performance analytics store (HPAS) is located on the indexers. Generating the HPAS incurs some additional indexer CPU load and requires additional disk storage.

Heavy Forwarders

Splunk Heavy Forwarders (HFs) can often be a useful third tier, logically situated between the uberAgent endpoints and the Splunk indexers. If you are deploying uberAgent to tens of thousands of endpoints, keep in mind that high numbers of simultaneous network connections may place a significant load on the HFs. Monitor heavy forwarder performance and be prepared to scale out.

Splunk Sizing Recommendations

  1. Always start with a PoC and closely monitor Splunk performance during that phase.
  2. Measure uberAgent’s data volume, keeping in mind that optimization is often possible.
  3. Due to the accelerated data model, uberAgent’s Splunk load profile is somewhat similar to Splunk’s Enterprise Security (ES) app. When looking at sizing guides, base your calculations on the ES use case.
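The three steps above end with measuring uberAgent's data volume and projecting storage from it. The following Python script is an added example, not uberAgent's or Splunk's own tooling: it aggregates per-sourcetype daily ingest from constructed log lines in the general shape of Splunk's license_usage.log, then turns the daily average into a rough retention storage estimate. The index name, sourcetypes, byte counts, the raw/index on-disk ratios and the data model summary overhead are assumptions to be replaced with figures measured during your own PoC.

```python
import re
from collections import defaultdict

GB = 1024 ** 3  # assumption for this example: 1 GB = 1024^3 bytes

# Constructed sample in the general shape of Splunk's license_usage.log
# ($SPLUNK_HOME/var/log/splunk/license_usage.log on the license master).
# Hosts, sourcetypes, index names and byte counts are made up for this example.
SAMPLE_LICENSE_USAGE = """\
04-01-2024 00:00:05.000 +0000 INFO  LicenseUsage - type="Usage" s="uberAgent" st="uberAgent:Process:ProcessDetail" h="client-001" idx="uberagent" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
04-01-2024 00:00:05.000 +0000 INFO  LicenseUsage - type="Usage" s="uberAgent" st="uberAgent:Session:SessionDetail" h="client-001" idx="uberagent" pool="auto_generated_pool_enterprise" b=536870912 poolsz=53687091200
04-01-2024 00:00:05.000 +0000 INFO  LicenseUsage - type="Usage" s="WinEventLog:Security" st="WinEventLog:Security" h="dc-001" idx="main" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200
04-02-2024 00:00:05.000 +0000 INFO  LicenseUsage - type="Usage" s="uberAgent" st="uberAgent:Process:ProcessDetail" h="client-002" idx="uberagent" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=53687091200
04-02-2024 00:00:05.000 +0000 INFO  LicenseUsage - type="Usage" s="uberAgent" st="uberAgent:Session:SessionDetail" h="client-002" idx="uberagent" pool="auto_generated_pool_enterprise" b=536870912 poolsz=53687091200
04-02-2024 00:00:05.000 +0000 INFO  LicenseUsage - type="RolloverSummary" b=5368709120 poolsz=53687091200
"""

DATE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4})")
FIELD_RES = {
    "st": re.compile(r'\bst="([^"]*)"'),
    "idx": re.compile(r'\bidx="([^"]*)"'),
    "b": re.compile(r"\bb=(\d+)"),
}


def parse_usage(text, indexes=None):
    """Return {(date, sourcetype): bytes} from type="Usage" lines, optionally filtered by index."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if 'type="Usage"' not in line:
            continue  # RolloverSummary and other event types carry no per-sourcetype data
        date = DATE_RE.match(line)
        fields = {name: rx.search(line) for name, rx in FIELD_RES.items()}
        if not date or not all(fields.values()):
            continue  # malformed line: skip rather than mis-attribute bytes
        if indexes is not None and fields["idx"].group(1) not in indexes:
            continue
        totals[(date.group(1), fields["st"].group(1))] += int(fields["b"].group(1))
    return dict(totals)


def daily_gb_by_sourcetype(text, indexes=None):
    """Average GB/day per sourcetype across every day present in the (filtered) log."""
    per_day = parse_usage(text, indexes)
    days = {date for date, _ in per_day}
    by_st = defaultdict(int)
    for (_, st), nbytes in per_day.items():
        by_st[st] += nbytes
    return {st: nbytes / GB / len(days) for st, nbytes in by_st.items()}


def estimate_storage_gb(daily_gb, retention_days, *, raw_ratio=0.15, index_ratio=0.35,
                        replication_factor=1, search_factor=1, dm_accel_ratio=0.0, indexers=1):
    """Rough indexer storage estimate for one retention window (values rounded to 2 decimals).

    raw_ratio / index_ratio: on-disk size of compressed raw data and of index (tsidx) files as a
    fraction of ingested bytes; 0.15 / 0.35 are planning assumptions, not measurements.
    replication_factor / search_factor: cluster copies of raw data and of index files.
    dm_accel_ratio: extra fraction of ingest consumed by accelerated data model summaries on the
    indexers (assumption; measure it during the PoC, it depends on the data model).
    """
    raw = daily_gb * retention_days * raw_ratio * replication_factor
    idx = daily_gb * retention_days * index_ratio * search_factor
    dm = daily_gb * retention_days * dm_accel_ratio
    total = raw + idx + dm
    return {"raw_gb": round(raw, 2), "index_gb": round(idx, 2), "dm_summary_gb": round(dm, 2),
            "total_gb": round(total, 2), "per_indexer_gb": round(total / indexers, 2)}


if __name__ == "__main__":
    volume = daily_gb_by_sourcetype(SAMPLE_LICENSE_USAGE, indexes={"uberagent"})
    for st, gb in sorted(volume.items()):
        print(f"{st:40s} {gb:6.2f} GB/day")
    total_daily = sum(volume.values())
    print(estimate_storage_gb(total_daily, 90, replication_factor=2, search_factor=1, indexers=3))
```

On a real deployment, feed the script the license_usage.log from the license master (or export the results of a search such as `index=_internal source=*license_usage.log type="Usage"` over several days) rather than the constructed sample, and filter on the index uberAgent actually writes to. Because sourcetypes that are absent on some days are still averaged over all days in the window, the per-sourcetype figures show where volume optimization (step 2) would pay off most.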

Splunk Sizing Resources