What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

The maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) Enterprise Security (ES) deployment is 100 GB. This recommendation is designed to ensure optimal performance and stability within the Splunk environment.

Indexers handle the ingestion, indexing, and storage of data, and exceeding the recommended volume can lead to several performance issues, such as slower search times and potential data loss. Staying within this limit allows for adequate resource allocation, including CPU and memory usage, thus ensuring smooth operation and maintainability.

The threshold of 100 GB is set considering typical use cases and the average resource capabilities of modern hardware used in on-prem deployments. It enables organizations to scale appropriately while avoiding complications that can arise from excessive data volume, such as the risk of overloading the indexing pipeline or experiencing degraded performance during peak load times.

In practice, while some high-performing deployments may technically handle more than this volume, the recommendation serves as a guideline for best practices to maintain an efficient and reliable Splunk environment.
