We are looking to deploy an intermediary forwarding tier consisting of 3 Universal Forwarders going to Splunk Cloud.
The 3 UFs will be receiving data from 3 Heavy forwarders which will load-balance data across the intermediary forwarding tier.
The intermediary tier has to be there due to networking reasons that we cannot overcome, which do not allow the Heavy forwarders to forward to Splunk Cloud directly.
What specs should we be looking for in the UFs of the intermediary forwarding tier, considering a license of 600GB/day? The license would be split across the 3 UFs, but in case of failure, each UF should be spec'd to be able to forward the full load.
Would something like 4 CPU cores and 8GB RAM be enough?