Hardware Reference
UXM is set up to handle 10,000+ Desktop agents and millions of Web page requests per day.
The recommended architecture is to set up a Splunk Heavy Forwarder with UXM (containing the NGINX/RabbitMQ queue) and send data via HTTP Event Collector (HEC) to the indexers.
Environments
Standalone
Recommended hardware for under 20,000 endpoints and 4 concurrent data analysis users.
If the customer already has Splunk set up, it is recommended to add a Heavy Forwarder with the NGINX/RabbitMQ queue to avoid overloading the Search Head.
Component | Number of servers | CPU | Memory | Disk | Software |
---|---|---|---|---|---|
Data Receiving, Analysis and Storage | 1 | 8 vCPU | 32 GB RAM | 300 GB SSD disk; daily Splunk license usage: < 10 GB | NGINX, RabbitMQ, Splunk Search Head, Splunk Indexer |
Small Distributed
Recommended hardware for 20,000 endpoints and over 4 concurrent data analysis users.
Installation guide: Distributed Splunk Environment.
Component | Number of servers | CPU | Memory | Disk | Software |
---|---|---|---|---|---|
Data Collector | 1 per 20,000 endpoints | 8 vCPU | 12 GB RAM | 100 GB SSD disk | Splunk Heavy Forwarder, NGINX, RabbitMQ |
Data Analysis and Storage | 1 | 16 vCPU | 64 GB RAM | 100 GB SSD disk; 500 GB disk for 1 year data retention; daily Splunk license usage: 10 ~ 70 GB | Splunk Search Head, Splunk Indexer |
Large Distributed
Recommended hardware for 70,000 laptops/desktops/thin clients and 6,000 Citrix servers with 60,000 Citrix users.
Installation guide: Distributed Splunk Environment.
Component | Number of servers | CPU | Memory | Disk | Software |
---|---|---|---|---|---|
Data Collector | 4 (1 per 20,000 endpoints) | 16 vCPU | 16 GB RAM | 300 GB SSD disk | Splunk Heavy Forwarder, NGINX, RabbitMQ |
Data Analysis | 1 | 48 vCPU | 62 GB RAM | 300 GB SSD disk | Splunk Search Head |
Data Storage | 1 | 48 vCPU | 62 GB RAM | 300 GB SSD disk; 10 TB disk for 1 year data retention; daily Splunk license usage: 75 GB | Splunk Indexer |