Server Requirements
UXM is designed to handle 10,000+ desktop agents and millions of web page requests per day. The recommended architecture is to deploy a Splunk Heavy Forwarder with UXM (containing the NGINX and RabbitMQ queue) that sends data via HTTP Event Collector (HEC) to the indexers.
Environments
Standalone
Recommended hardware for under 20,000 endpoints and 4 concurrent data analysis users. If a customer already has a Splunk setup, then it's recommended to add Heavy Forwarder with NGINX/RabbitMQ queue, to avoid overloading the Search head.
| Component | Number of servers | CPU | Memory | Disk | Software |
|---|---|---|---|---|---|
| Data Receiving, Analysis and Storage | 1 | 8 vCPU | 32 GB Ram | 300 GD SSD disk Daily Splunk license usage: < 10 GB | NGINX RabbitMQ Splunk Search Head Splunk Indexer |
Small Distributed
Recommended hardware for 20,000 endpoints and over 4 concurrent data analysis users.
Installation guide: Distributed Splunk Environment.
| Component | Number of servers | CPU | Memory | Disk | Software |
|---|---|---|---|---|---|
| Data Collector | 1 per 20.000 endpoints | 8 vCPU | 12 GB Ram | 100 GD SSD disk | Splunk Heavy Forwarder NGINX RabbitMQ |
| Data Analysis and Storage | 1 | 16 vCPU | 64 GB Ram | 100 GD SSD disk 500 GB disk for 1 year data retention Daily Splunk license usage: 10 ~ 70 GB | Splunk Search Head Splunk Indexer |
Large Distributed
Recommended hardware for 70,000 latops/desktops/thin clients and 6,000 Citrix servers with 60,000 Citrix users.
Installation guide: Distributed Splunk Environment.
| Component | Number of servers | CPU | Memory | Disk | Software |
|---|---|---|---|---|---|
| Data Collector | 4 (1 per 20.000 endpoints) | 16 vCPU | 16 GB Ram | 300 GD SSD disk | Splunk Heavy Forwarder NGINX RabbitMQ |
| Data Analysis | 1 | 48 vCPU | 62 GB Ram | 300 GD SSD disk | Splunk Search Head |
| Data Storage | 1 | 48 vCPU | 62 GB Ram | 300 GD SSD disk 10 TB disk for 1 year data retention Daily Splunk license usage: 75 GB | Splunk Indexer |