Channel: Latest Questions on Splunk Answers

Handling a large number of forwarders


Hi,

The set-up is Splunk 5.0, and the requirement is to monitor the Windows Security Event Logs on 10,000 desktops for specific Event Codes. We would be using the Heavy Forwarder on the desktops, so that only the specific events would be forwarded. The actual number of events expected is very low (probably less than double figures per host per day). So, the actual indexing and searching workload would be minimal, but how would an indexer handle that many connections from the forwarders? I have read a previous post on "How many Forwarders can an indexer handle?", and the reply only concerned itself with the amount indexed.

I have also read various documents on Deployment Server with a large number of forwarders being pointed to a single Deployment Server, and came across a suggestion that the polling interval could be extended to 10 minutes. There was also a comment that up to 1000 forwarders had been successfully connected to a single Deployment Server. There wasn't any indication of what polling interval was used. It is not likely that much maintenance would be carried out, so changes would be minimal. We're not that bothered if changes weren't propagated for an hour or two. Is there any randomness in the polling interval? I'm thinking that if we set the polling interval to 2 hours, it still may not help, as if 80% of users start up at around 09:00, then all hell would break loose, then a lull, then the same thing at 11:00.

Any comments on what might be needed to support this would be gratefully received. Thanks.
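As an added illustration of the start-up stampede the question describes (this script is not from the original post and is not Splunk's code: it models a generic fixed-interval poller, not the actual scheduling logic of the 5.0 deployment client), the following Python simulation compares per-minute phone-home load on one deployment server for 10,000 clients, with and without a random initial offset. The boot-time distribution (80% of desktops within five minutes of 09:00, the rest around 11:00), the 2-hour interval and the 400-requests-per-minute comfort threshold are all constructed assumptions taken from or added to the question.

```python
"""Model the phone-home load that N forwarders put on one deployment server.

Constructed example: a generic fixed-interval poller, not Splunk's actual
deployment-client scheduler. Boot times follow the figure in the question
(about 80% of desktops start around 09:00, the rest around 11:00).
"""
import random
from collections import Counter

SECONDS_PER_DAY = 24 * 3600


def boot_times(n_clients, rng, spread=300):
    """Constructed boot-time distribution: each desktop starts within
    +/- `spread` seconds of 09:00 (80%) or 11:00 (20%)."""
    times = []
    for _ in range(n_clients):
        centre = 9 * 3600 if rng.random() < 0.8 else 11 * 3600
        times.append(centre + rng.uniform(-spread, spread))
    return times


def phone_home_times(boot, interval, rng, jitter):
    """Seconds since midnight at which one client contacts the server.

    Every client polls once at start-up (it needs its configuration).
    jitter=False: subsequent polls every `interval` seconds, so clients that
                  booted together stay in lockstep all day.
    jitter=True:  the second poll is delayed by a random 0..interval, which
                  spreads a cohort across the whole interval from then on.
    """
    times = [boot]
    t = boot + (rng.uniform(0, interval) if jitter else interval)
    while t < SECONDS_PER_DAY:
        times.append(t)
        t += interval
    return times


def per_minute_load(n_clients, interval, jitter, rng):
    """Number of phone-home requests arriving in each minute of the day."""
    counts = Counter()
    # boot_times() is fully drawn first, so both runs share the same boots.
    for boot in boot_times(n_clients, rng):
        for t in phone_home_times(boot, interval, rng, jitter):
            counts[int(t // 60)] += 1
    return counts


def simulate(n_clients=10000, interval=7200, jitter=False, threshold=400, seed=1):
    """Summarise one configuration: the busiest minute and how many minutes
    exceed `threshold` requests (an assumed comfortable rate for the server)."""
    rng = random.Random(seed)
    counts = per_minute_load(n_clients, interval, jitter, rng)
    peak_minute, peak = max(counts.items(), key=lambda kv: kv[1])
    return {
        "peak_time": f"{peak_minute // 60:02d}:{peak_minute % 60:02d}",
        "peak_per_minute": peak,
        "minutes_over_threshold": sum(1 for n in counts.values() if n > threshold),
    }


if __name__ == "__main__":
    for jitter in (False, True):
        print("jitter" if jitter else "fixed ", simulate(jitter=jitter))
```

With the fixed interval, the 09:00 cohort re-polls in lockstep every two hours and lands exactly on top of the 11:00 boot cohort, so lengthening the interval only changes how often the stampede recurs, not how high it is. With a random initial offset the steady-state load drops to roughly N divided by the interval in minutes (about 80 per minute here), and only the boot-time spike remains, which no polling interval can remove because every client fetches its configuration when it starts. Whether the 5.0 deployment client randomises its schedule is exactly the question being asked, so this does not answer it; it only shows what difference the answer makes.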

