Name: James Pearce
Location: Perth, WA, Australia


Splunk: RAM for Breakfast?
Sunday, August 3, 2008
Ok since I have started getting used to Splunk and finding how much easier it is than cat /var/log/mail.log | grep 'user@domain', I added the rest of my logging to it. This amounts to about 80M / day. Firstly, because I use SSHFS a lot, Splunk killed the CPU when it was indexing - the CPU was a K6-2 333. I overclocked it to 343, which ultimately did not help ;)

I think the CPU might have been "ok" but I swapped it for a K6-3 400 anyway, which I've had no problems with. The bigger problem was the fact that during indexing, Splunk ate my RAM. 384M. I woke up to a hard disk thrashing at 60 pages / sec. The box didn't crash though, Linux did its due diligence and started purging processes ;)

Anyway I've now increased the memory to 586 (512 + 64), and Splunk is fine. No problems at all. Load seems to top out at about 3 which is nice. No swapping. I will mention that the same box is also running a MySQL server, LDAP and DNS Masq. Those services don't eat CPU or much RAM because they are not normally used, but it is nice to be able to access them rather than to find they've been killed to make room for Splunk.

Conclusion: Splunk WILL run with less than the 1G "minimum" RAM that Splunk say in the system requirements documentation...but if you go below 512M, you're gonna swap. And 1.4GHz minimum CPU well...f3ar my K6-3 ;)
