We are looking to deploy an Intermediary forwarding tier consisting of 3 Universal Forwarders going to Splunk Cloud.
The underlying forwarding tier consists of heavy forwarders receiving logs and load-balancing across the forwarders of the Intermediary forwarding tier.
The intermediary tier has to be there due to networking reasons that we cannot overcome, and the heavy forwarders aren't able to forward to Splunk Cloud directly. What specs should we be looking for in the UFs, considering a license of 600GB/day? The license would be split across the 3 UFs, but in case of failure, each UF should be spec'd to be able to forward the full load.
Would something like 4 CPU cores and 8GB RAM be enough?