From Splunk Wiki


Splunk performance: what to expect

On an x86 hardware platform, a dedicated box like a stock Dell 2950 should easily be able to index 100 GB/day. You should be able to reliably monitor 200-500 files on a system like this, with events taking no more than a minute to show up in your index. If you're not seeing this kind of performance, Splunk recommends you contact support to troubleshoot your deployment.

If you're going to monitor more files than this at once, Splunk recommends that you explicitly monitor higher priority files. If you are monitoring directories with a few live files and many (thousands) of static files, blacklist the static files by name or periodically move them elsewhere so the monitor processor doesn't have to check them for new data.
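One way to do the "periodically move them elsewhere" step, as an added example (not Splunk code): it treats a file as static when it has not been modified for `max_age_days`, moves it out of the monitored tree, and reports whether the remaining live set is still above the 200-500 range quoted above. The function name, the 7-day threshold and the archive location are assumptions made for this illustration.

```python
import os
import shutil
import time

MONITOR_LIMIT = 500  # upper end of the 200-500 file range quoted above


def archive_static_files(monitored_dir, archive_dir, max_age_days=7,
                         now=None, dry_run=False):
    """Move files unmodified for max_age_days (assumed threshold) out of
    monitored_dir. Returns the live files, the moved files (relative paths)
    and whether the live set still exceeds MONITOR_LIMIT."""
    mon = os.path.realpath(monitored_dir)
    arc = os.path.realpath(archive_dir)
    # An archive inside the monitored tree would still be scanned by the monitor.
    if os.path.commonpath([mon, arc]) == mon:
        raise ValueError("archive_dir must be outside monitored_dir")
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    live, moved = [], []
    for root, _dirs, files in os.walk(mon):
        for name in files:
            src = os.path.join(root, name)
            # Leave symlinks alone so a link cannot pull in unrelated files.
            if os.path.islink(src):
                continue
            if os.stat(src).st_mtime >= cutoff:
                live.append(src)
                continue
            # Keep the relative path so same-named files do not collide.
            rel = os.path.relpath(src, mon)
            if not dry_run:
                dst = os.path.join(arc, rel)
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.move(src, dst)
            moved.append(rel)
    return {"live": sorted(live), "moved": sorted(moved),
            "over_limit": len(live) > MONITOR_LIMIT}


if __name__ == "__main__":
    import sys
    # Usage: script.py <monitored_dir> <archive_dir>  (dry run, nothing moved)
    report = archive_static_files(sys.argv[1], sys.argv[2], dry_run=True)
    print(len(report["live"]), "live,", len(report["moved"]), "static")
    if report["over_limit"]:
        print("live files still exceed", MONITOR_LIMIT)
```

Run it with `dry_run=True` first and review the `moved` list before scheduling it, since a file that is written only rarely can look static under a short threshold.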

For maximum indexing performance, Splunk recommends 8 cores, 8 GB RAM, and a minimum of 800 I/O operations per second (15k RPM drives / RAID 10).
