I'm trying to determine if a bottleneck exists in my environment. We ingest about 130Gb a day. **Syslog** events come through without delay, but Windows Events are **delayed** anywhere between **1,500 - 5,000** minutes.
A caveat is that our environment is hybrid. We host our indexers in **Azure**. We have an express route VPN set up and it seems to be artificially low when it comes to write speeds on our index cluster. The express route VPN is rated at **1Gbps.**
The indexers' drives are rated for up to 7500 IOPS. The Heavy Forwarders are on-prem.
We have Windows Events going to 4 Heavy Forwarders (load balanced), then to the Index Cluster (Round Robin).
![alt text][1]
Does this indexing rate seem reasonable? It's never really gotten **above 2Mbs.**
[1]: /storage/temp/275621-lowindexingrate.png