What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

The maximum recommended volume of indexing per day, per indexer, in a non-cloud (on-premises) Splunk Enterprise Security deployment is 100 GB. This guideline is established to ensure optimal performance and resource management.

By adhering to this limit, organizations can maintain the speed and efficiency of searching and reporting that enterprise security operations depend on. Exceeding this volume can degrade indexing speed and search performance and saturate resources on the indexer hardware. Staying within the limit also helps maintain a stable environment where alerts and dashboards function correctly without delays or downtime.

Planning around a daily indexing volume of 100 GB per indexer allows for effective planning of hardware and cluster resources, ensuring that the system can handle peak loads while remaining responsive. This guideline is therefore important for teams that want a scalable strategy for their Splunk deployment, particularly in security environments that require timely data access and analysis.
